Some packets are flagged as INVALID by iptables

I configured a ProxyPass rule in order to redirect requests from port 443 to a JBoss server running on port 8080.

All works fine except for some 503 errors in the Apache log, around 10 per day.

In the error log:

[error] (111)Connection refused: proxy: HTTP: attempt to connect to 127.0.0.1:8080 (127.0.0.1) failed

In the access log, I have a corresponding 503 error. Nothing in my JBoss log.

For each error, a packet flagged as invalid coincides in the kernel log. I performed a tcpdump, and each invalid packet was a TCP SYN from the proxy to the JBoss server.

Why are these packets flagged as invalid? Is that a serious problem? Can I accept all invalid packets from 127.0.0.1 to dport 8080?










networking iptables apache-httpd http-proxy jboss






edited Aug 18 '16 at 0:06
Jeff Schaller

asked Feb 18 '14 at 8:50
Bob Sauvage







  • 1

    I would have to better understand the nature of these packets before I'd say with a blanket statement that you should just accept them. A SYN from JBoss in what context?

    – slm
    Feb 18 '14 at 9:25

  • @slm What do you mean by "context"? Our customers connect to our web application through Apache on port 443. These requests are forwarded to JBoss on port 8080 (127.0.0.1:xxx -> 127.0.0.1:8080). Some of these requests, perhaps 3%, result in a 503 error due to an invalid TCP SYN sent to JBoss. I've added a rule in iptables in order to accept invalid packets from 127.0.0.1 to port 8080. Nevertheless, the problem remains; we have a 503 error after a few seconds :/

    – Bob Sauvage
    Feb 18 '14 at 10:21

  • I performed a tcpdump and I'm now analyzing this dump with Wireshark in order to understand why this packet is flagged as invalid. How can I find this information with Wireshark? Why doesn't the server send a SYN ACK?

    – Bob Sauvage
    Feb 18 '14 at 10:22

  • My point was that JBoss doesn't just randomly start sending out SYN packets; there is some underlying context (JBoss is replying to a client due to some previous connection). Without knowing that, you aren't going to get very far with help here. I mean no disrespect in that previous statement, BTW. I would try and figure out what JBoss is attempting to do via its logs here if possible. A SYN packet typically has no payload, so there isn't going to be more to glean from Wireshark outside of "JBoss is trying to talk to me".

    – slm
    Feb 18 '14 at 10:43

  • 1

    @slm Thanks for your help. The problem is now solved and was related to iptables. I don't know why, but some packets are flagged as INVALID when you use rules of this kind: iptables -A INPUT -m state --state INVALID -j REJECT and iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset. A message has been sent to the iptables mailing list.

    – Bob Sauvage
    Feb 19 '14 at 9:42












1 Answer
The problem is now solved and was related to iptables.

I don't know why, but some packets are flagged as INVALID (1/1000) when you use rules of this kind:

iptables -A INPUT -m state --state INVALID -j REJECT

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset

As a solution, I accept all packets (even invalid ones) from 127.0.0.1 from/to port 8080.

A message has been sent to the iptables mailing list.






answered Feb 20 '14 at 15:15
Bob Sauvage
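Matching each proxy 503 against the INVALID entries in the kernel log is the check the questioner did by hand before concluding the firewall was involved, and the answer's REJECT rules are what produced those entries. The script below is an added example, not code from the question or the answer, that automates that correlation over constructed sample log lines. It assumes a LOG rule placed ahead of the REJECT rule with the prefix "IPT INVALID: " (an assumption; the two rules quoted in the answer only REJECT and would write nothing to the kernel log), a year supplied for the year-less syslog timestamps, and Apache 2.2-style error_log timestamps in front of the "(111)Connection refused" message shown in the question.

```python
"""Correlate Apache mod_proxy "Connection refused" errors with netfilter INVALID log lines.

Added example, not from the question or answer. Assumptions: a LOG rule such as
  iptables -I INPUT -m state --state INVALID -j LOG --log-prefix "IPT INVALID: "
sits in front of the REJECT rule (the prefix is a locally chosen marker), kernel
lines are syslog form without a year, and Apache lines use the 2.2-style
"[Day Mon DD HH:MM:SS YYYY] [error] ..." layout. All log lines are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed kernel log lines in the netfilter LOG target layout (not from the page).
KERN_LOG = """\
Feb 18 08:41:02 web1 kernel: IPT INVALID: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40211 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=43690 RES=0x00 SYN URGP=0
Feb 18 08:41:02 web1 kernel: IPT INVALID: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44000 DPT=443 WINDOW=0 RES=0x00 ACK URGP=0
Feb 18 09:13:48 web1 kernel: IPT INVALID: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40987 DF PROTO=TCP SPT=52001 DPT=8080 WINDOW=43690 RES=0x00 SYN URGP=0
"""

# Constructed Apache error_log lines; the first two have a kernel counterpart, the last does not.
APACHE_ERROR_LOG = """\
[Tue Feb 18 08:41:02 2014] [error] (111)Connection refused: proxy: HTTP: attempt to connect to 127.0.0.1:8080 (127.0.0.1) failed
[Tue Feb 18 09:13:47 2014] [error] (111)Connection refused: proxy: HTTP: attempt to connect to 127.0.0.1:8080 (127.0.0.1) failed
[Tue Feb 18 11:05:00 2014] [error] (111)Connection refused: proxy: HTTP: attempt to connect to 127.0.0.1:8080 (127.0.0.1) failed
"""

_SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
_KV = re.compile(r"(\w+)=(\S*)")                      # LOG target key=value fields
_TCP_FLAGS = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")  # bare flag words in the LOG line
_APACHE_REFUSED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \(111\)Connection refused: proxy: \w+: "
    r"attempt to connect to (?P<host>[\d.]+):(?P<port>\d+)"
)


def parse_kernel_invalid(text, year, prefix="IPT INVALID: "):
    """Return one dict per INVALID-logged packet: timestamp, interface, addresses, ports, TCP flags."""
    events = []
    for line in text.splitlines():
        m = _SYSLOG_TS.match(line)
        if prefix not in line or not m:
            continue
        body = line.split(prefix, 1)[1]
        fields = dict(_KV.findall(body))
        events.append({
            "ts": datetime.strptime(f"{m.group(1)} {year}", "%b %d %H:%M:%S %Y"),
            "in": fields.get("IN"), "src": fields.get("SRC"), "dst": fields.get("DST"),
            "proto": fields.get("PROTO"), "spt": fields.get("SPT"), "dpt": fields.get("DPT"),
            "flags": set(_TCP_FLAGS.findall(body)),
        })
    return events


def parse_apache_refused(text):
    """Return one dict per mod_proxy backend connect failure (errno 111) in the error log."""
    events = []
    for line in text.splitlines():
        m = _APACHE_REFUSED.match(line)
        if m:
            events.append({"ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
                           "host": m.group("host"), "port": m.group("port")})
    return events


def is_bare_syn(ev):
    """A connection-opening SYN (SYN set, ACK clear): the packet type the question's tcpdump showed."""
    return ev["proto"] == "TCP" and "SYN" in ev["flags"] and "ACK" not in ev["flags"]


def correlate(refused, invalid, window=timedelta(seconds=2)):
    """Pair each refused backend connect with INVALID-flagged bare SYNs to that backend inside the window."""
    pairs = []
    for a in refused:
        for k in invalid:
            if not is_bare_syn(k) or k["dst"] != a["host"] or k["dpt"] != a["port"]:
                continue
            if abs((k["ts"] - a["ts"]).total_seconds()) <= window.total_seconds():
                pairs.append((a, k))
    return pairs


def summarize(refused, invalid, window=timedelta(seconds=2)):
    """Count refused connects that an INVALID SYN explains versus those that need another explanation."""
    explained = {id(a) for a, _ in correlate(refused, invalid, window)}
    return {"refused": len(refused), "invalid_total": len(invalid),
            "matched": len(explained), "unexplained": len(refused) - len(explained)}


def run_report(year=2014):
    """Parse the constructed logs, print each 503 with its matching INVALID SYN (if any), return the summary."""
    refused = parse_apache_refused(APACHE_ERROR_LOG)
    invalid = parse_kernel_invalid(KERN_LOG, year)
    hits = {}
    for a, k in correlate(refused, invalid):
        hits.setdefault(id(a), []).append(k)
    for a in refused:
        head = f"{a['ts']:%H:%M:%S} 503 to {a['host']}:{a['port']}"
        if id(a) in hits:
            for k in hits[id(a)]:
                print(f"{head}  <-  INVALID SYN {k['src']}:{k['spt']} -> {k['dst']}:{k['dpt']} on {k['in']} at {k['ts']:%H:%M:%S}")
        else:
            print(f"{head}  <-  no INVALID SYN within window")
    return summarize(refused, invalid)


if __name__ == "__main__":
    print(run_report())
```

Run it as-is to see the three sample 503s, or feed parse_kernel_invalid and parse_apache_refused the real files. A 503 with no INVALID SYN inside the window points away from the firewall, which is the distinction that keeps the investigation on the right subsystem. On the rule side, the same LOG rule keeps the REJECT visible after the fix, and an exception scoped to -i lo -s 127.0.0.1 -p tcp --dport 8080 placed ahead of the INVALID rule is narrower than accepting every invalid packet to or from that port.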
