Some packets are flagged as INVALID by iptables

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












1















I configured a proxypass rule in order to redirect requests from the port 443 to a JBoss server running on port 8080.



All works fine except some 503 errors in the Apache log, around 10 per day:



In the error log:




[error] (111)Connection refused: proxy: HTTP: attempt to connect to 127.0.0.1:8080 (127.0.0.1) failed




In the access log, I've a corresponding 503 error. Nothing in my JBoss log.



For each error, coincide a packet flagged as invalid in the kernel log. I performed a tcpdump and for each invalid packet, it was a tcp SYN from the proxy to the JBoss server.



Why these packets are flagged as invalid ? Is that a serious problem ? Can I accept all invalid packets from 127.0.0.1 to dport 8080 ?










share|improve this question



















  • 1





    I would have to better understand the nature of these packets before I'd say with a blanket statement that you should just accept them. A SYN from JBoss in what context?

    – slm
    Feb 18 '14 at 9:25












  • @slm What do you mean by "context" ? Our customers connect to our web application through apache on port 443. These requests are forwarded to JBoss on port 8080 (127.0.0.1:xxx -> 127.0.0.1:8080). Some of these requests, perhaps 3%, result in a 503 error due to invalid TCP SYN sent to JBoss. I've added a rule in iptables in order to accept invalid packets from 127.0.0.1 to port 8080. Nevertheless, the problem remains, we have a 503 error after few seconds :/

    – Bob Sauvage
    Feb 18 '14 at 10:21











  • I performed a tcpdump and I'm now analyzing this dump with wireshark in order to understand why this packet is flagged as invalid. How can I find this information with wireshark ? Why the server doesn't send a SYN ACK ?

    – Bob Sauvage
    Feb 18 '14 at 10:22











  • My point was that JBoss doesn't just randomly start sending out SYN packets, there is some underlying context (JBoss is replying to a client due to some previous connection). Without knowing that you aren't going to get very far with help here. I mean no disrespect in that previous statement BTW. I would try and figure out what JBoss is attempting to do via it's logs here if possible. A SYN pckt typically has no payload, so there isn't going to be more to gleam from wireshark outside of JBoss is trying to talk to me.

    – slm
    Feb 18 '14 at 10:43







  • 1





    @slm Thanks for your help. The problem is now solved and was related to iptables. I don't know why, some packets are flagged as INVALID when you use this kind of rules: iptables -A INPUT -m state --state INVALID -j REJECT and iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset. A message has been sent to the iptables mailinglist.

    – Bob Sauvage
    Feb 19 '14 at 9:42















1















I configured a proxypass rule in order to redirect requests from the port 443 to a JBoss server running on port 8080.



All works fine except some 503 errors in the Apache log, around 10 per day:



In the error log:




[error] (111)Connection refused: proxy: HTTP: attempt to connect to 127.0.0.1:8080 (127.0.0.1) failed




In the access log, I've a corresponding 503 error. Nothing in my JBoss log.



For each error, coincide a packet flagged as invalid in the kernel log. I performed a tcpdump and for each invalid packet, it was a tcp SYN from the proxy to the JBoss server.



Why these packets are flagged as invalid ? Is that a serious problem ? Can I accept all invalid packets from 127.0.0.1 to dport 8080 ?










share|improve this question



















  • 1





    I would have to better understand the nature of these packets before I'd say with a blanket statement that you should just accept them. A SYN from JBoss in what context?

    – slm
    Feb 18 '14 at 9:25












  • @slm What do you mean by "context" ? Our customers connect to our web application through apache on port 443. These requests are forwarded to JBoss on port 8080 (127.0.0.1:xxx -> 127.0.0.1:8080). Some of these requests, perhaps 3%, result in a 503 error due to invalid TCP SYN sent to JBoss. I've added a rule in iptables in order to accept invalid packets from 127.0.0.1 to port 8080. Nevertheless, the problem remains, we have a 503 error after few seconds :/

    – Bob Sauvage
    Feb 18 '14 at 10:21











  • I performed a tcpdump and I'm now analyzing this dump with wireshark in order to understand why this packet is flagged as invalid. How can I find this information with wireshark ? Why the server doesn't send a SYN ACK ?

    – Bob Sauvage
    Feb 18 '14 at 10:22











  • My point was that JBoss doesn't just randomly start sending out SYN packets, there is some underlying context (JBoss is replying to a client due to some previous connection). Without knowing that you aren't going to get very far with help here. I mean no disrespect in that previous statement BTW. I would try and figure out what JBoss is attempting to do via it's logs here if possible. A SYN pckt typically has no payload, so there isn't going to be more to gleam from wireshark outside of JBoss is trying to talk to me.

    – slm
    Feb 18 '14 at 10:43







  • 1





    @slm Thanks for your help. The problem is now solved and was related to iptables. I don't know why, some packets are flagged as INVALID when you use this kind of rules: iptables -A INPUT -m state --state INVALID -j REJECT and iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset. A message has been sent to the iptables mailinglist.

    – Bob Sauvage
    Feb 19 '14 at 9:42













1












1








1








I configured a proxypass rule in order to redirect requests from the port 443 to a JBoss server running on port 8080.



All works fine except some 503 errors in the Apache log, around 10 per day:



In the error log:




[error] (111)Connection refused: proxy: HTTP: attempt to connect to 127.0.0.1:8080 (127.0.0.1) failed




In the access log, I've a corresponding 503 error. Nothing in my JBoss log.



For each error, coincide a packet flagged as invalid in the kernel log. I performed a tcpdump and for each invalid packet, it was a tcp SYN from the proxy to the JBoss server.



Why these packets are flagged as invalid ? Is that a serious problem ? Can I accept all invalid packets from 127.0.0.1 to dport 8080 ?










share|improve this question
















I configured a proxypass rule in order to redirect requests from the port 443 to a JBoss server running on port 8080.



All works fine except some 503 errors in the Apache log, around 10 per day:



In the error log:




[error] (111)Connection refused: proxy: HTTP: attempt to connect to 127.0.0.1:8080 (127.0.0.1) failed




In the access log, I've a corresponding 503 error. Nothing in my JBoss log.



For each error, coincide a packet flagged as invalid in the kernel log. I performed a tcpdump and for each invalid packet, it was a tcp SYN from the proxy to the JBoss server.



Why these packets are flagged as invalid ? Is that a serious problem ? Can I accept all invalid packets from 127.0.0.1 to dport 8080 ?







networking iptables apache-httpd http-proxy jboss






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Aug 18 '16 at 0:06









Jeff Schaller

41.7k1156133




41.7k1156133










asked Feb 18 '14 at 8:50









Bob SauvageBob Sauvage

1461212




1461212







  • 1





    I would have to better understand the nature of these packets before I'd say with a blanket statement that you should just accept them. A SYN from JBoss in what context?

    – slm
    Feb 18 '14 at 9:25












  • @slm What do you mean by "context" ? Our customers connect to our web application through apache on port 443. These requests are forwarded to JBoss on port 8080 (127.0.0.1:xxx -> 127.0.0.1:8080). Some of these requests, perhaps 3%, result in a 503 error due to invalid TCP SYN sent to JBoss. I've added a rule in iptables in order to accept invalid packets from 127.0.0.1 to port 8080. Nevertheless, the problem remains, we have a 503 error after few seconds :/

    – Bob Sauvage
    Feb 18 '14 at 10:21











  • I performed a tcpdump and I'm now analyzing this dump with wireshark in order to understand why this packet is flagged as invalid. How can I find this information with wireshark ? Why the server doesn't send a SYN ACK ?

    – Bob Sauvage
    Feb 18 '14 at 10:22











  • My point was that JBoss doesn't just randomly start sending out SYN packets, there is some underlying context (JBoss is replying to a client due to some previous connection). Without knowing that you aren't going to get very far with help here. I mean no disrespect in that previous statement BTW. I would try and figure out what JBoss is attempting to do via it's logs here if possible. A SYN pckt typically has no payload, so there isn't going to be more to gleam from wireshark outside of JBoss is trying to talk to me.

    – slm
    Feb 18 '14 at 10:43







  • 1





    @slm Thanks for your help. The problem is now solved and was related to iptables. I don't know why, some packets are flagged as INVALID when you use this kind of rules: iptables -A INPUT -m state --state INVALID -j REJECT and iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset. A message has been sent to the iptables mailinglist.

    – Bob Sauvage
    Feb 19 '14 at 9:42












  • 1





    I would have to better understand the nature of these packets before I'd say with a blanket statement that you should just accept them. A SYN from JBoss in what context?

    – slm
    Feb 18 '14 at 9:25












  • @slm What do you mean by "context" ? Our customers connect to our web application through apache on port 443. These requests are forwarded to JBoss on port 8080 (127.0.0.1:xxx -> 127.0.0.1:8080). Some of these requests, perhaps 3%, result in a 503 error due to invalid TCP SYN sent to JBoss. I've added a rule in iptables in order to accept invalid packets from 127.0.0.1 to port 8080. Nevertheless, the problem remains, we have a 503 error after few seconds :/

    – Bob Sauvage
    Feb 18 '14 at 10:21











  • I performed a tcpdump and I'm now analyzing this dump with wireshark in order to understand why this packet is flagged as invalid. How can I find this information with wireshark ? Why the server doesn't send a SYN ACK ?

    – Bob Sauvage
    Feb 18 '14 at 10:22











  • My point was that JBoss doesn't just randomly start sending out SYN packets, there is some underlying context (JBoss is replying to a client due to some previous connection). Without knowing that you aren't going to get very far with help here. I mean no disrespect in that previous statement BTW. I would try and figure out what JBoss is attempting to do via it's logs here if possible. A SYN pckt typically has no payload, so there isn't going to be more to gleam from wireshark outside of JBoss is trying to talk to me.

    – slm
    Feb 18 '14 at 10:43







  • 1





    @slm Thanks for your help. The problem is now solved and was related to iptables. I don't know why, some packets are flagged as INVALID when you use this kind of rules: iptables -A INPUT -m state --state INVALID -j REJECT and iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset. A message has been sent to the iptables mailinglist.

    – Bob Sauvage
    Feb 19 '14 at 9:42







1




1





I would have to better understand the nature of these packets before I'd say with a blanket statement that you should just accept them. A SYN from JBoss in what context?

– slm
Feb 18 '14 at 9:25






I would have to better understand the nature of these packets before I'd say with a blanket statement that you should just accept them. A SYN from JBoss in what context?

– slm
Feb 18 '14 at 9:25














@slm What do you mean by "context" ? Our customers connect to our web application through apache on port 443. These requests are forwarded to JBoss on port 8080 (127.0.0.1:xxx -> 127.0.0.1:8080). Some of these requests, perhaps 3%, result in a 503 error due to invalid TCP SYN sent to JBoss. I've added a rule in iptables in order to accept invalid packets from 127.0.0.1 to port 8080. Nevertheless, the problem remains, we have a 503 error after few seconds :/

– Bob Sauvage
Feb 18 '14 at 10:21





@slm What do you mean by "context" ? Our customers connect to our web application through apache on port 443. These requests are forwarded to JBoss on port 8080 (127.0.0.1:xxx -> 127.0.0.1:8080). Some of these requests, perhaps 3%, result in a 503 error due to invalid TCP SYN sent to JBoss. I've added a rule in iptables in order to accept invalid packets from 127.0.0.1 to port 8080. Nevertheless, the problem remains, we have a 503 error after few seconds :/

– Bob Sauvage
Feb 18 '14 at 10:21













I performed a tcpdump and I'm now analyzing this dump with wireshark in order to understand why this packet is flagged as invalid. How can I find this information with wireshark ? Why the server doesn't send a SYN ACK ?

– Bob Sauvage
Feb 18 '14 at 10:22





I performed a tcpdump and I'm now analyzing this dump with wireshark in order to understand why this packet is flagged as invalid. How can I find this information with wireshark ? Why the server doesn't send a SYN ACK ?

– Bob Sauvage
Feb 18 '14 at 10:22













My point was that JBoss doesn't just randomly start sending out SYN packets, there is some underlying context (JBoss is replying to a client due to some previous connection). Without knowing that you aren't going to get very far with help here. I mean no disrespect in that previous statement BTW. I would try and figure out what JBoss is attempting to do via it's logs here if possible. A SYN pckt typically has no payload, so there isn't going to be more to gleam from wireshark outside of JBoss is trying to talk to me.

– slm
Feb 18 '14 at 10:43






My point was that JBoss doesn't just randomly start sending out SYN packets, there is some underlying context (JBoss is replying to a client due to some previous connection). Without knowing that you aren't going to get very far with help here. I mean no disrespect in that previous statement BTW. I would try and figure out what JBoss is attempting to do via it's logs here if possible. A SYN pckt typically has no payload, so there isn't going to be more to gleam from wireshark outside of JBoss is trying to talk to me.

– slm
Feb 18 '14 at 10:43





1




1





@slm Thanks for your help. The problem is now solved and was related to iptables. I don't know why, some packets are flagged as INVALID when you use this kind of rules: iptables -A INPUT -m state --state INVALID -j REJECT and iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset. A message has been sent to the iptables mailinglist.

– Bob Sauvage
Feb 19 '14 at 9:42





@slm Thanks for your help. The problem is now solved and was related to iptables. I don't know why, some packets are flagged as INVALID when you use this kind of rules: iptables -A INPUT -m state --state INVALID -j REJECT and iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset. A message has been sent to the iptables mailinglist.

– Bob Sauvage
Feb 19 '14 at 9:42










1 Answer
1






active

oldest

votes


















0














The problem is now solved and was related to iptables.



I don't know why, some packets are flagged as INVALID (1/1000) when you use this kind of rules:



iptables -A INPUT -m state --state INVALID -j REJECT



iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset



As solution, I accept all packet (even invalid) from 127.0.0.1 from/to port 8080.



A message has been sent to the iptables mailinglist.






share|improve this answer






















    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f115665%2fsome-packets-are-flagged-as-invalid-by-iptables%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    The problem is now solved and was related to iptables.



    I don't know why, some packets are flagged as INVALID (1/1000) when you use this kind of rules:



    iptables -A INPUT -m state --state INVALID -j REJECT



    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset



    As solution, I accept all packet (even invalid) from 127.0.0.1 from/to port 8080.



    A message has been sent to the iptables mailinglist.






    share|improve this answer



























      0














      The problem is now solved and was related to iptables.



      I don't know why, some packets are flagged as INVALID (1/1000) when you use this kind of rules:



      iptables -A INPUT -m state --state INVALID -j REJECT



      iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset



      As solution, I accept all packet (even invalid) from 127.0.0.1 from/to port 8080.



      A message has been sent to the iptables mailinglist.






      share|improve this answer

























        0












        0








        0







        The problem is now solved and was related to iptables.



        I don't know why, some packets are flagged as INVALID (1/1000) when you use this kind of rules:



        iptables -A INPUT -m state --state INVALID -j REJECT



        iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset



        As solution, I accept all packet (even invalid) from 127.0.0.1 from/to port 8080.



        A message has been sent to the iptables mailinglist.






        share|improve this answer













        The problem is now solved and was related to iptables.



        I don't know why, some packets are flagged as INVALID (1/1000) when you use this kind of rules:



        iptables -A INPUT -m state --state INVALID -j REJECT



        iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset



        As solution, I accept all packet (even invalid) from 127.0.0.1 from/to port 8080.



        A message has been sent to the iptables mailinglist.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Feb 20 '14 at 15:15









        Bob SauvageBob Sauvage

        1461212




        1461212



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f115665%2fsome-packets-are-flagged-as-invalid-by-iptables%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown






            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?