Some packets are classified as INVALID state for no apparent reason.
Issue
- The customer configures iptables so that packets in the INVALID state are logged and then dropped. The logging rule is:
-A NwCHN_IN_NAPT -m state --state INVALID -j LOG --log-prefix "[IPT]inNaptStateInvalid " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
- With this configuration a given packet is classified as INVALID, yet the retransmission of the same segment that arrives shortly afterwards is not. Why does iptables behave this way?
Mar 23 11:33:50 server kernel: [IPT]inNaptStateInvalid IN=bond2.112 OUT= MAC=58:c2:32:YY:YY:YY:30:e4:db:XX:XX:XX:08:00 SRC=XX.XX.XX.XX DST=YY.YY.YY.YY LEN=1420 TOS=0x00 PREC=0x00 TTL=48 ID=1593 DF PROTO=TCP SPT=80 DPT=33690 SEQ=845320763 ACK=953733965 WINDOW=41 RES=0x00 ACK URGP=0 OPT (0101080A6D3E19FF6A4D7177) MARK=0x1
Mar 23 11:33:50 server kernel: [IPT]inNaptStateInvalid IN=bond2.112 OUT= MAC=58:c2:32:YY:YY:YY:30:e4:db:XX:XX:XX:08:00 SRC=XX.XX.XX.XX DST=YY.YY.YY.YY LEN=206 TOS=0x00 PREC=0x00 TTL=48 ID=1594 DF PROTO=TCP SPT=80 DPT=33690 SEQ=845322131 ACK=953733965 WINDOW=41 RES=0x00 ACK PSH URGP=0 OPT (0101080A6D3E19FF6A4D7177) MARK=0x1
Mar 23 11:33:51 server kernel: [IPT]inNaptStateInvalid IN=bond2.112 OUT= MAC=58:c2:32:YY:YY:YY:30:e4:db:XX:XX:XX:08:00 SRC=XX.XX.XX.XX DST=YY.YY.YY.YY LEN=1420 TOS=0x00 PREC=0x00 TTL=49 ID=24801 DF PROTO=TCP SPT=80 DPT=33688 SEQ=2285406206 ACK=228529710 WINDOW=58 RES=0x00 ACK URGP=0 OPT (0101080A6D3EE96C6A4D72D6) MARK=0x1
Mar 23 11:33:51 server kernel: [IPT]inNaptStateInvalid IN=bond2.112 OUT= MAC=58:c2:32:YY:YY:YY:30:e4:db:XX:XX:XX:08:00 SRC=XX.XX.XX.XX DST=YY.YY.YY.YY LEN=152 TOS=0x00 PREC=0x00 TTL=49 ID=24802 DF PROTO=TCP SPT=80 DPT=33688 SEQ=2285407574 ACK=228529710 WINDOW=58 RES=0x00 ACK PSH URGP=0 OPT (0101080A6D3EE96C6A4D72D6) MARK=0x1
- Packets that were classified as INVALID (tcpdump -vv on the receiving host; note the "cksum ... (incorrect -> ...)" field)
11:33:50.824981 IP (tos 0x0, ttl 48, id 1593, offset 0, flags [DF], proto TCP (6), length 1420)
router.example.net.http > YY.YY.YY.YY.33690: Flags [.], cksum 0x16b0 (incorrect -> 0xbb26), seq 87985:89353, ack 2987, win 41, options [nop,nop,TS val 1832786431 ecr 1783460215], length 1368
11:33:50.826279 IP (tos 0x0, ttl 48, id 1594, offset 0, flags [DF], proto TCP (6), length 206)
router.example.net.http > YY.YY.YY.YY.33690: Flags [P.], cksum 0x3a17 (incorrect -> 0xde8d), seq 89353:89507, ack 2987, win 41, options [nop,nop,TS val 1832786431 ecr 1783460215], length 154
11:33:51.176073 IP (tos 0x0, ttl 49, id 24801, offset 0, flags [DF], proto TCP (6), length 1420)
router.example.net.http > YY.YY.YY.YY.33688: Flags [.], cksum 0xac15 (incorrect -> 0x508a), seq 167045:168413, ack 6825, win 58, options [nop,nop,TS val 1832839532 ecr 1783460566], length 1368
11:33:51.177351 IP (tos 0x0, ttl 49, id 24802, offset 0, flags [DF], proto TCP (6), length 152)
router.example.net.http > YY.YY.YY.YY.33688: Flags [P.], cksum 0xf9c5 (incorrect -> 0x9e3a), seq 168413:168513, ack 6825, win 58, options [nop,nop,TS val 1832839532 ecr 1783460566], length 100
- Retransmissions of the same segments that were NOT classified as INVALID (note "cksum ... (correct)")
11:33:51.028599 IP (tos 0x0, ttl 48, id 1596, offset 0, flags [DF], proto TCP (6), length 1420)
router.example.net.http > YY.YY.YY.YY.33690: Flags [.], cksum 0xb98f (correct), seq 87985:89353, ack 2987, win 41, options [nop,nop,TS val 1832786635 ecr 1783460418], length 1368
11:33:51.031745 IP (tos 0x0, ttl 48, id 1597, offset 0, flags [DF], proto TCP (6), length 206)
router.example.net.http > YY.YY.YY.YY.33690: Flags [P.], cksum 0xdcef (correct), seq 89353:89507, ack 2987, win 41, options [nop,nop,TS val 1832786638 ecr 1783460422], length 154
11:33:51.379015 IP (tos 0x0, ttl 49, id 24803, offset 0, flags [DF], proto TCP (6), length 1420)
router.example.net.http > YY.YY.YY.YY.33688: Flags [.], cksum 0x4fbf (correct), seq 167045:168413, ack 6825, win 58, options [nop,nop,TS val 1832839735 ecr 1783460566], length 1368
11:33:51.382362 IP (tos 0x0, ttl 49, id 24805, offset 0, flags [DF], proto TCP (6), length 152)
router.example.net.http > YY.YY.YY.YY.33688: Flags [P.], cksum 0x9c9d (correct), seq 168413:168513, ack 6825, win 58, options [nop,nop,TS val 1832839738 ecr 1783460773], length 100
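The one thing that differs between the two sets of packets above is tcpdump's checksum verdict: every segment that was logged as INVALID carries a TCP checksum tcpdump reports as incorrect, and every retransmission that passed carries a correct one. Because these are received packets (IN=bond2.112), the "incorrect" verdict cannot be the usual checksum-offload artefact seen on transmitted packets; the bytes that arrived on the wire really do fail the check. The connection tracker verifies the TCP checksum of incoming segments when net.netfilter.nf_conntrack_checksum is 1 (the default) and treats a segment that fails it as INVALID, which is why the state match fires for the first copy and not for the retransmission. The script below is an added example, not part of the Red Hat article or the customer's data; it correlates iptables LOG lines with a tcpdump -vv capture to check exactly this. The iptables log prints the absolute SEQ while tcpdump prints relative sequence numbers, so the join key is the IP ID together with the destination port, which both sources print. The sample log and capture lines embedded in it are constructed from the ones quoted above.

```python
import re

# Constructed sample input modelled on the article's log and capture
# (same anonymised addresses); not the customer's complete data.
IPTABLES_LOG = """\
Mar 23 11:33:50 server kernel: [IPT]inNaptStateInvalid IN=bond2.112 OUT= SRC=XX.XX.XX.XX DST=YY.YY.YY.YY LEN=1420 TOS=0x00 PREC=0x00 TTL=48 ID=1593 DF PROTO=TCP SPT=80 DPT=33690 SEQ=845320763 ACK=953733965 WINDOW=41 RES=0x00 ACK URGP=0 MARK=0x1
Mar 23 11:33:50 server kernel: [IPT]inNaptStateInvalid IN=bond2.112 OUT= SRC=XX.XX.XX.XX DST=YY.YY.YY.YY LEN=206 TOS=0x00 PREC=0x00 TTL=48 ID=1594 DF PROTO=TCP SPT=80 DPT=33690 SEQ=845322131 ACK=953733965 WINDOW=41 RES=0x00 ACK PSH URGP=0 MARK=0x1
Mar 23 11:33:51 server kernel: [IPT]inNaptStateInvalid IN=bond2.112 OUT= SRC=XX.XX.XX.XX DST=YY.YY.YY.YY LEN=1420 TOS=0x00 PREC=0x00 TTL=49 ID=24801 DF PROTO=TCP SPT=80 DPT=33688 SEQ=2285406206 ACK=228529710 WINDOW=58 RES=0x00 ACK URGP=0 MARK=0x1
"""

TCPDUMP = """\
11:33:50.824981 IP (tos 0x0, ttl 48, id 1593, offset 0, flags [DF], proto TCP (6), length 1420)
    router.example.net.http > YY.YY.YY.YY.33690: Flags [.], cksum 0x16b0 (incorrect -> 0xbb26), seq 87985:89353, ack 2987, win 41, options [nop,nop,TS val 1832786431 ecr 1783460215], length 1368
11:33:50.826279 IP (tos 0x0, ttl 48, id 1594, offset 0, flags [DF], proto TCP (6), length 206)
    router.example.net.http > YY.YY.YY.YY.33690: Flags [P.], cksum 0x3a17 (incorrect -> 0xde8d), seq 89353:89507, ack 2987, win 41, options [nop,nop,TS val 1832786431 ecr 1783460215], length 154
11:33:51.028599 IP (tos 0x0, ttl 48, id 1596, offset 0, flags [DF], proto TCP (6), length 1420)
    router.example.net.http > YY.YY.YY.YY.33690: Flags [.], cksum 0xb98f (correct), seq 87985:89353, ack 2987, win 41, options [nop,nop,TS val 1832786635 ecr 1783460418], length 1368
11:33:51.031745 IP (tos 0x0, ttl 48, id 1597, offset 0, flags [DF], proto TCP (6), length 206)
    router.example.net.http > YY.YY.YY.YY.33690: Flags [P.], cksum 0xdcef (correct), seq 89353:89507, ack 2987, win 41, options [nop,nop,TS val 1832786638 ecr 1783460422], length 154
11:33:51.176073 IP (tos 0x0, ttl 49, id 24801, offset 0, flags [DF], proto TCP (6), length 1420)
    router.example.net.http > YY.YY.YY.YY.33688: Flags [.], cksum 0xac15 (incorrect -> 0x508a), seq 167045:168413, ack 6825, win 58, options [nop,nop,TS val 1832839532 ecr 1783460566], length 1368
11:33:51.379015 IP (tos 0x0, ttl 49, id 24803, offset 0, flags [DF], proto TCP (6), length 1420)
    router.example.net.http > YY.YY.YY.YY.33688: Flags [.], cksum 0x4fbf (correct), seq 167045:168413, ack 6825, win 58, options [nop,nop,TS val 1832839735 ecr 1783460566], length 1368
"""

# iptables LOG target: IP ID plus TCP ports and absolute SEQ.
LOG_RE = re.compile(r"ID=(?P<id>\d+) .*?PROTO=TCP SPT=(?P<sport>\d+) DPT=(?P<dport>\d+) SEQ=(?P<seq>\d+)")
# tcpdump -vv prints one IP header line followed by one TCP line per packet.
HDR_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?\bid (?P<id>\d+),")
TCP_RE = re.compile(
    r"^\s*(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\], "
    r"cksum 0x(?P<cksum>[0-9a-f]+) \((?P<verdict>correct|incorrect -> 0x[0-9a-f]+)\), "
    r"seq (?P<lo>\d+):(?P<hi>\d+)")


def parse_iptables_log(text):
    """Return the (ip_id, dport) pairs that the INVALID-state LOG rule reported."""
    return {(int(m["id"]), int(m["dport"])) for m in map(LOG_RE.search, text.splitlines()) if m}


def parse_tcpdump(text):
    """Pair each IP header line with its TCP line and pull out the fields we need."""
    records, hdr = [], None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            hdr = m.groupdict()
            continue
        m = TCP_RE.match(line)
        if m and hdr:
            records.append({
                "ts": hdr["ts"], "id": int(hdr["id"]),
                "dport": int(m["dst"].rsplit(".", 1)[1]),   # last dotted component is the port
                "flags": m["flags"],
                "cksum_ok": m["verdict"] == "correct",
                "seg": (int(m["lo"]), int(m["hi"])),          # relative byte range of the segment
            })
            hdr = None
    return records


def correlate(log_text, capture_text):
    """Mark each captured segment as logged-INVALID or not, and as a retransmission or not.
    Two segments to the same dport covering the same byte range are the same data."""
    invalid = parse_iptables_log(log_text)
    rows, first_seen = [], {}
    for r in parse_tcpdump(capture_text):
        key = (r["dport"], r["seg"])
        r["logged_invalid"] = (r["id"], r["dport"]) in invalid
        r["retransmission_of"] = first_seen.get(key)    # IP ID of the first copy, or None
        first_seen.setdefault(key, r["id"])
        rows.append(r)
    return rows


def summarize(rows):
    """Does 'logged as INVALID' line up exactly with 'bad TCP checksum'?"""
    invalid = [r for r in rows if r["logged_invalid"]]
    retx = [r for r in rows if r["retransmission_of"] is not None]
    return {
        "invalid_count": len(invalid),
        "invalid_all_bad_cksum": all(not r["cksum_ok"] for r in invalid),
        "retransmission_count": len(retx),
        "retransmissions_all_good_cksum": all(r["cksum_ok"] for r in retx),
        "retransmissions_none_logged": not any(r["logged_invalid"] for r in retx),
    }


if __name__ == "__main__":
    rows = correlate(IPTABLES_LOG, TCPDUMP)
    for r in rows:
        print(f"{r['ts']} id={r['id']:<5} dport={r['dport']} seq={r['seg'][0]}:{r['seg'][1]} "
              f"cksum_ok={str(r['cksum_ok']):<5} INVALID={str(r['logged_invalid']):<5} "
              f"retx_of={r['retransmission_of']}")
    print(summarize(rows))
```

On a real system feed the script the output of `tcpdump -nn -vv -i bond2.112 tcp` and the kernel log; if every INVALID entry lines up with an incorrect checksum as it does here, the state match is working as designed and the question becomes why the upstream sender or path is corrupting segments, not why netfilter drops them. Checking the current value with `sysctl net.netfilter.nf_conntrack_checksum` confirms whether checksum validation is enabled on the host.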
Environment
- Red Hat Enterprise Linux 6.4
- kernel-2.6.32-358.23.2.el6.x86_64
- iptables-1.4.7-9.el6.x86_64
Subscriber exclusive content
