Mailinglist Archive: opensuse (2912 mails)

Re: [SLE] suse 9.2: ip_conntrack: table full, dropping packet
  • From: Darryl Gregorash <raven@xxxxxxxxxxxxx>
  • Date: Wed, 02 Feb 2005 18:32:33 -0600
  • Message-id: <42017121.1020509@xxxxxxxxxxxxx>
Darryl Gregorash wrote:

The following are specifically recommended in any iptables configuration:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

which will dump any new connection that does not have the SYN bit set. (A stray ACK packet can establish a NEW connection, for some arcane reasons I do not claim to understand.)

iptables -A INPUT -m state --state INVALID -j DROP

I was poking around the Shorewall website, and came across this item:

"1. Recent 2.6 kernels include code that evaluates TCP packets based on TCP Window analysis. This can cause packets that were previously classified as NEW or ESTABLISHED to be classified as INVALID.

The new kernel code can be disabled by including this command in your /etc/shorewall/init file:

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

Additional kernel logging about INVALID TCP packets may be obtained by adding this command to /etc/shorewall/init:

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid"

It should also be possible to include either or both of those commands in /etc/init.d/boot.local.
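As an added example (not from the mail or from Shorewall), a small shell audit for the condition in the subject line: it summarises a /proc/net/ip_conntrack snapshot by TCP state to show what is filling the table, and reports the two sysctls quoted above. The snapshot and the ip_conntrack_max value of 8 are constructed; on a live box pass /proc/net/ip_conntrack and the value from /proc/sys/net/ipv4/ip_conntrack_max.

```shell
#!/bin/sh
# Constructed sample in the 2.6 ip_conntrack format (not a real capture).
SNAP=$(mktemp)
cat >"$SNAP" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=10.0.0.5 sport=40001 dport=80 src=10.0.0.5 dst=192.168.1.20 sport=80 dport=40001 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.1.20 dst=10.0.0.6 sport=40002 dport=25 [UNREPLIED] src=10.0.0.6 dst=192.168.1.20 sport=25 dport=40002 use=1
tcp      6 118 SYN_SENT src=192.168.1.20 dst=10.0.0.7 sport=40003 dport=25 [UNREPLIED] src=10.0.0.7 dst=192.168.1.20 sport=25 dport=40003 use=1
udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=5353 dport=53 [UNREPLIED] src=192.168.1.1 dst=192.168.1.20 sport=53 dport=5353 use=1
EOF

# One line per tracked connection, so the line count is the table usage.
conntrack_count() { wc -l <"$1" | tr -d ' '; }

# tcp lines carry the state in field 4 (ESTABLISHED, SYN_SENT, ...);
# udp lines have no state field and are skipped.
count_tcp_state() {
    awk -v s="$2" '$1=="tcp" && $4==s {n++} END {print n+0}' "$1"
}

# Entries the kernel never saw a reply for: half-open handshakes and
# one-way traffic, the usual filler when the table runs full.
count_unreplied() { awk '/\[UNREPLIED\]/ {n++} END {print n+0}' "$1"; }

# Integer percentage of the table in use for a given ip_conntrack_max.
usage_pct() { echo $(( $(conntrack_count "$1") * 100 / $2 )); }

# Value of a sysctl file, or n/a when it is absent (module not loaded,
# or this script run off-box as here).
sysctl_or_na() { [ -r "$1" ] && cat "$1" || echo n/a; }

report() {
    echo "entries:     $(conntrack_count "$1") of $2 ($(usage_pct "$1" "$2")%)"
    echo "established: $(count_tcp_state "$1" ESTABLISHED)"
    echo "syn_sent:    $(count_tcp_state "$1" SYN_SENT)"
    echo "unreplied:   $(count_unreplied "$1")"
    # be_liberal=1 accepts out-of-window TCP instead of marking it INVALID,
    # so the INVALID DROP rule from the mail catches less while it is set.
    echo "tcp_be_liberal: $(sysctl_or_na /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal)"
    echo "log_invalid:    $(sysctl_or_na /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid)"
}

report "$SNAP" 8   # constructed ip_conntrack_max of 8 to show a half-full table
```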
