I have a firewall that has 3 IP aliases on 1 physical interface. Packets get dropped between these 3 interfaces (ICMP, HTTP, or anything else). We tracked it down to these packets being marked INVALID in the FORWARD chain and dropped by this rule:
chain FORWARD {
policy DROP;
# connection tracking
mod state state INVALID LOG log-prefix 'INVALID FORWARD DROP: ';
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
(That is, we see the INVALID FORWARD DROP logs in dmesg.)
What could be causing this?
The INVALID state means that the packet is not associated with a known connection (and isn't starting a new connection either). The only reasons I can think of are that something is clearing the connection tracking table, the table is overflowing, or the entries are timing out too quickly. You can check the size of the connection tracking table with sudo conntrack -L | wc -l and the maximum number of entries with cat /proc/sys/net/netfilter/nf_conntrack_max.
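As an added example (not part of the question or of this answer), the shell below wraps the two checks from the answer into a function that takes the two counts as arguments (so it can be run offline and tested), and adds a tally of the INVALID FORWARD DROP log lines by IN= interface, OUT= interface and PROTO=, which shows at a glance whether every drop is a packet entering and leaving the same physical NIC, the IP-aliases-on-one-interface case in the question. The interface names, addresses and log lines are constructed, not a capture from the asker's firewall.

```shell
#!/bin/sh
# Added example, not from the original question or answers: triage helpers for
# the INVALID FORWARD DROP rule above. All sample data below is constructed.

# Conntrack table utilisation in percent. Takes the two numbers as arguments so
# it can run offline; on the firewall itself call it as
#   conntrack_usage_pct "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" \
#                       "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"
conntrack_usage_pct() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] || { echo "nf_conntrack_max must be > 0" >&2; return 1; }
    echo $(( count * 100 / max ))
}

# Tally "INVALID FORWARD DROP:" lines read from stdin (e.g. dmesg | ...) by
# IN= interface, OUT= interface and PROTO=, most frequent first.
# Output format: "<count> <in> <out> <proto>".
summarize_invalid_drops() {
    grep 'INVALID FORWARD DROP:' | awk '
    {
        in_if = ""; out_if = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/)    in_if  = substr($i, 4)
            if ($i ~ /^OUT=/)   out_if = substr($i, 5)
            if ($i ~ /^PROTO=/) proto  = substr($i, 7)
        }
        n[in_if " " out_if " " proto]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Number of dropped packets that entered and left on the same NIC, i.e. the
# traffic between the three aliases that the question is about.
count_hairpin_drops() {
    summarize_invalid_drops | awk '$2 == $3 { s += $1 } END { print s + 0 }'
}

# Constructed sample of what the LOG target writes for that rule (made-up
# interface names and documentation-range addresses, not a real capture).
SAMPLE_LOG='[ 71.1] INVALID FORWARD DROP: IN=eno2 OUT=eno2 SRC=192.0.2.10 DST=198.51.100.20 LEN=52 TTL=63 ID=1 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=501 RES=0x00 ACK URGP=0
[ 71.2] INVALID FORWARD DROP: IN=eno2 OUT=eno2 SRC=192.0.2.10 DST=198.51.100.20 LEN=52 TTL=63 ID=2 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=501 RES=0x00 ACK URGP=0
[ 71.3] INVALID FORWARD DROP: IN=eno2 OUT=eno2 SRC=198.51.100.20 DST=192.0.2.10 LEN=84 TTL=63 ID=3 DF PROTO=ICMP TYPE=0 CODE=0 ID=7 SEQ=1
[ 71.4] INVALID FORWARD DROP: IN=eno2 OUT=eno2 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=63 ID=4 DF PROTO=TCP SPT=80 DPT=40000 WINDOW=0 RES=0x00 RST URGP=0
[ 71.5] INVALID FORWARD DROP: IN=eno2 OUT=eth1 SRC=203.0.113.5 DST=10.0.0.9 LEN=40 TTL=63 ID=5 DF PROTO=TCP SPT=80 DPT=40001 WINDOW=0 RES=0x00 RST URGP=0'

# Demo on the constructed data; on a real box pipe dmesg into the functions.
printf '%s\n' "$SAMPLE_LOG" | summarize_invalid_drops
echo "same-NIC drops: $(printf '%s\n' "$SAMPLE_LOG" | count_hairpin_drops)"
echo "table usage:    $(conntrack_usage_pct 45000 65536)%"
```

If the usage figure sits near 100%, or dmesg also carries "nf_conntrack: table full, dropping packet", the answer's overflow theory is the one to chase; if the table is far from full and every drop has IN equal to OUT, the drops are confined to traffic that hairpins on the one physical interface, which is what to investigate next.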
Use macvlan in bridge mode instead of IP aliases and keep the physical interface in promisc mode.
e.g.
Refer to the sequence below for creating a macvlan interface.
Refer to the command below to turn promisc mode on for eno2.
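One way to carry out what this answer describes, as an added example that is not the answerer's own command sequence: a small script that moves each of the three addresses off the parent NIC onto its own bridge-mode macvlan interface and switches the parent to promiscuous mode. The interface names (eno2, mv0..mv2) and the addresses are assumptions for the demo; DRY_RUN=1 prints the ip commands instead of running them, so the sequence can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the answerer's own commands: replace IP aliases on one NIC
# with bridge-mode macvlan interfaces and put the parent into promiscuous mode.
# Interface names and addresses below are made up for the demo.

# Print the command instead of executing it when DRY_RUN=1, so the sequence can
# be reviewed (and tested) without root or a real NIC.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# macvlan_add PARENT NAME CIDR: create one bridge-mode macvlan on PARENT,
# assign CIDR to it and bring it up.
macvlan_add() {
    parent=$1; name=$2; cidr=$3
    run ip link add "$name" link "$parent" type macvlan mode bridge
    run ip addr add "$cidr" dev "$name"
    run ip link set "$name" up
}

# promisc_on DEV: the macvlan children need the parent to pass up frames for
# their MAC addresses, so the parent goes into promiscuous mode.
promisc_on() {
    run ip link set "$1" promisc on
}

# migrate_aliases PARENT NAME:CIDR [NAME:CIDR ...]: the whole sequence for the
# question's three aliases. Each address is first removed from PARENT, then
# re-created on its own macvlan interface.
migrate_aliases() {
    parent=$1
    shift
    promisc_on "$parent"
    for spec in "$@"; do
        name=${spec%%:*}
        cidr=${spec#*:}
        run ip addr del "$cidr" dev "$parent"
        macvlan_add "$parent" "$name" "$cidr"
    done
}

# Dry-run demo with constructed names and addresses; unset DRY_RUN to apply.
DRY_RUN=1
migrate_aliases eno2 mv0:192.0.2.1/24 mv1:198.51.100.1/24 mv2:203.0.113.1/24
```

One caveat worth knowing before applying this on a remote box: macvlan does not forward between the parent interface itself and its children, so any address left on eno2 will not be able to reach the three macvlan interfaces, and the host's own management traffic should live on one of the macvlans rather than on the parent.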