This icmp sss.ttt.uuu.vvv -> aaa.bbb.ccc.ddd should be related to tcp aaa.bbb.ccc.ddd -> www.xxx.yyy.zzz.
I don't know whethere it's important to have '--state RELATED' somewhere in your previous rules to catch this (I doubt it as this kind of icmp is an integral part of the ip communication so it's always related) _or_ mayne it's because this tcp segment was fragmented and there was no sport/dport info for iptables to determine which conn it was related to... Ramin On Mon, Feb 25, 2002 at 01:51:47PM +0100, Axel Rau wrote: > Hi all, > > Sorry if this has been discussed earlier. > > I'm getting log entries like: > > Feb 24 20:23:47 GW1 kernel: IPT=FORWARD/INV IN=xxx OUT=yyy > SRC=sss.ttt.uuu.vvv DST=aaa.bbb.ccc.ddd LEN=56 TOS=0x00 PREC=0x00 > TTL=237 ID=36639 DF PROTO=ICMP TYPE=3 CODE=13 [SRC=aaa.bbb.ccc.ddd > DST=www.xxx.yyy.zzz LEN=80 TOS=0x00 PREC=0x00 TTL=48 ID=61117 FRAG:64 > PROTO=TCP ] > > These packets are catched by: > -m state --state INVALID -j log-and-drop-FORWARD-invalid > > What is wrong with these packets? > > Axel > > Computing @ Chaos Claudius -Motivation by consistency: Cocoa > Axel Rau, Frankfurt, Germany Phone:49-69-951418-0, Fax: -55 > email:[EMAIL PROTECTED],Mime ok,MS-Word-documents only as HTML >
