LinuxSA Mailing list archives

Index: [thread] [date] [subject] [author] [stats]

  From: Alan Kennington <akenning@topology.org>
  To  : LinuxSA <linuxsa@linuxsa.org.au>
  Date: Mon, 2 Jul 2001 19:09:52 +0930

spurious iptables "untracked packet" problem

Has anyone else experienced a surprising number of
"untracked" packet rejections by iptables for no obvious reason?

Here's an example from my log file:

=================================================
May 14 18:05:16 dog kernel: NAT: 0 dropping untracked packet c4f06c00 1 139.130.140.1 -> 139.130.140.14
 May 14 18:05:16 dog kernel: NAT: 0 dropping untracked packet c08439e0 1 139.130.140.1 -> 139.130.140.14
 May 14 18:05:16 dog kernel: NAT: 0 dropping untracked packet c4f06c00 1 139.130.140.1 -> 139.130.140.14
 May 14 18:05:16 dog kernel: NAT: 0 dropping untracked packet c08439e0 1 139.130.140.1 -> 139.130.140.14
 May 14 18:05:16 dog kernel: NAT: 0 dropping untracked packet c4f13640 1 139.130.140.1 -> 139.130.140.14
 May 14 18:05:25 dog kernel: NAT: 0 dropping untracked packet c08439e0 1 139.130.140.1 -> 139.130.140.14
 May 14 18:05:25 dog kernel: NAT: 0 dropping untracked packet c4f13640 1 139.130.140.1 -> 139.130.140.14
 May 14 18:05:25 dog kernel: NAT: 0 dropping untracked packet c4f067a0 1 139.130.140.1 -> 139.130.140.14
 May 14 18:05:25 dog kernel: NAT: 0 dropping untracked packet c08439e0 1 139.130.140.1 -> 139.130.140.14
 May 14 18:05:25 dog kernel: NAT: 0 dropping untracked packet c4f13640 1 139.130.140.1 -> 139.130.140.14
 May 14 18:05:25 dog kernel: NAT: 0 dropping untracked packet c4f067a0 1 139.130.140.1 -> 139.130.140.14
==================================================

This has the effect of rejecting about 90% of ping reply packets
coming into my network under certain circumstances.
(Like when the Bigpond Cisco router goes into a wierd modem
retraining cycle which I reported here in early 1999.
I kludged that away by writing a script to detect the problem
and reset the modem. But now the iptables is dropping the packets
that my software needs to diagnose the problem!)

If anyone else has seen excessive and undesirable "untracked packet" rejections
with iptables, and if you have any clues on how to get rid of the
problem, please let me know.

My attempts to track this through the kernel are here:
http://www.topology.org/linux/untracked.html
This is taking me longer than I expected.

I can see that iptables treats each ping packet as belonging to
a "connection" defined by the type, id and code of the ICMP packet.
It then rejects ping packets that belong to a never-before-seen
"connection". This normally results in no rejections at all.
But quite often, it does happen, and it very badly affects my system,
making it impossible to correct certain kinds of malfunction at
the [external] modem level.

By the way, the ``0'' above means "local_in". The ``1'' means ICMP.

About 99% of the packets which I see dropped in this way are ICMP.
The rest are TCP. Personally, I think that dropping unmatched ICMP
packets is a little overzealous - especially if there's no
clear way to turn this checking off.

Cheers,
Alan Kennington. 

--------------------------------------------------------------------
    name: Dr. Alan Kennington
  e-mail: akenning@topology.org
 website: http://www.topology.org/
    city: Adelaide, South Australia
timezone: UTC+0930 http://www.topology.org/timezone.html
 pgp-key: http://www.topology.org/key_ak2.asc

-- 
LinuxSA WWW: http://www.linuxsa.org.au/  IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
  mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject

Index: [thread] [date] [subject] [author] [stats]

Return to the LinuxSA Mailing List Information Page