Hi all - I’m using the latest version of nginx 6 and recently put
iptables in place.
I am seeing a significant number of matches for the following iptables
rule:
iptables -A INPUT -m state --state INVALID -j LOG --log-prefix INPUT-BAD-PACKET:
iptables -A INPUT -m state --state INVALID -j DROP
Before it is suggested that perhaps the server is under attack, I am
fairly well certain it is not. A great summary of the problem I am
seeing is here: IPTables: Upto 30,000 Invalid packets logged per week - Linux, Unix, and *nix like Operating Systems forum at WebmasterWorld.
My situation is very much the same as described in that article,
including the original poster's view that there is no way that was
happening as the result of an attack. Also like the original poster, my
rate is very high relatively speaking. It seems like nearly 1 out of
every 100 visitors triggers this bad state issue.
If you scroll to near the bottom of that page you will find some
conclusions that the invalid state of the packet was likely coming from
bad checksums.
Occasionally (but a lot less than the INPUT rule) I see the same type of
issue with OUTPUT, specifically from this rule:
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix OUTPUT-BAD-PACKET:
iptables -A OUTPUT -m state --state INVALID -j DROP
Also like the original poster, the problem seems to occur a few minutes
AFTER successfully serving them a web page. For instance, if I take the
IP from a failed bad state log on the INPUT rule and look through the
nginx log files, I will see a successful 200 status code in the logs
where the page was served a couple of minutes BEFORE the bad state
occurred. In case it matters, I am using nginx with proxy_pass to serve
content.
A few questions please:

1. Is it possible something with nginx is contributing to this?

2. Am I correct to assume that I might as well DROP the packets anyway?
For now I changed my config to just log the error but not drop the
packet, just out of fear that perhaps this rule is dropping packets that
there is nothing wrong with and causing more harm than good. But it
seems that if the packets are indeed bad I might as well drop them...?

3. If the answer to #2 is that I might as well drop them, should I use
REJECT instead of DROP? In case it matters, this is only affecting http
traffic on port 80.

4. How worried should I be about this issue? Is it just a matter of the
Internet that there are going to be errored packets and that "out of
sight, out of mind" is better (before installing iptables, of course, I
had no way to know of this problem, yet everything still seems to be
working ok).

5. Any tips on how I can go about tracking this down further?
Thanks!!
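The correlation described in the post (take the SRC of an INPUT-BAD-PACKET log line, find the matching 200 in the nginx access log a couple of minutes earlier) can be automated so that the whole week of INVALID hits is summarised in one pass, together with a tally of which TCP flag combinations the dropped packets carried. The script below is an added example and is not code from the original post or from nginx; it assumes the default iptables LOG target line layout as relayed by syslog with a "kernel:" tag, the nginx 'combined' access_log format, a constant LOG_YEAR for the year-less syslog timestamps, and that both logs are on the same clock. The sample log lines, the function names (parse_kernel_line, parse_nginx_line, correlate, flag_summary) and the 600-second search window are all constructed for the example.

```python
"""Correlate iptables INVALID-state LOG lines with nginx access-log entries.

Added example for the thread above, not code from the original post.
Assumes the default iptables LOG target output (relayed by syslog with a
"kernel:" tag) and nginx's default 'combined' access_log format.
"""
import re
from collections import Counter
from datetime import datetime

# syslog timestamps carry no year; assume both logs come from one calendar
# year and that the kernel and nginx clocks agree (assumption).
LOG_YEAR = 2024

# Constructed sample lines (not from the original post).
KERNEL_LOG = """\
Mar  3 10:17:44 web1 kernel: INPUT-BAD-PACKET:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Mar  3 10:20:03 web1 kernel: INPUT-BAD-PACKET:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=31200 DF PROTO=TCP SPT=40022 DPT=80 WINDOW=229 RES=0x00 ACK FIN URGP=0
Mar  3 10:25:10 web1 kernel: INPUT-BAD-PACKET:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.33 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=TCP SPT=33010 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
"""
NGINX_LOG = """\
203.0.113.10 - - [03/Mar/2024:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.77 - - [03/Mar/2024:10:19:40 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Mar/2024:10:30:00 +0000] "GET /later HTTP/1.1" 200 100 "-" "Mozilla/5.0"
192.0.2.33 - - [03/Mar/2024:10:40:00 +0000] "GET / HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ kernel: (?P<body>.*)$"
)
NGINX_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r"(?P<status>\d{3}) \S+"
)


def parse_kernel_line(line):
    """Return a dict for one iptables LOG line, or None if it is not one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    body = m["body"]
    prefix = re.match(r"(\S+?):\s*IN=", body)      # the --log-prefix text
    if not prefix:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", body))  # SRC=, DST=, PROTO=, DPT=, ...
    flags = re.search(r"RES=\S+ ((?:[A-Z]+ )*)URGP=", body)  # e.g. "ACK FIN"
    when = datetime.strptime(
        f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"time": when, "prefix": prefix.group(1), "src": fields.get("SRC"),
            "dst": fields.get("DST"), "proto": fields.get("PROTO"),
            "dpt": fields.get("DPT"),
            "flags": flags.group(1).strip() if flags else ""}


def parse_nginx_line(line):
    """Return client IP, request time, request line and status for one access-log line."""
    m = NGINX_RE.match(line)
    if not m:
        return None
    # "03/Mar/2024:10:15:02 +0000" -> drop the zone, keep naive time
    when = datetime.strptime(m["time"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return {"ip": m["ip"], "time": when, "request": m["request"],
            "status": m["status"]}


def correlate(kernel_lines, nginx_lines, window=600):
    """For each INVALID packet, find the latest request from the same client
    in the preceding `window` seconds and report how long after it the packet
    arrived (None when no request qualifies)."""
    packets = [p for p in map(parse_kernel_line, kernel_lines) if p]
    by_ip = {}
    for r in filter(None, map(parse_nginx_line, nginx_lines)):
        by_ip.setdefault(r["ip"], []).append(r)
    results = []
    for p in packets:
        prior = [r for r in by_ip.get(p["src"], [])
                 if 0 <= (p["time"] - r["time"]).total_seconds() <= window]
        last = max(prior, key=lambda r: r["time"], default=None)
        results.append({
            "time": p["time"], "src": p["src"], "flags": p["flags"],
            "prior_request": last["request"] if last else None,
            "prior_status": last["status"] if last else None,
            "seconds_since_request":
                int((p["time"] - last["time"]).total_seconds()) if last else None,
        })
    return results


def flag_summary(kernel_lines):
    """Count the TCP flag combinations carried by the INVALID packets."""
    return Counter(p["flags"] for p in map(parse_kernel_line, kernel_lines) if p)


if __name__ == "__main__":
    for hit in correlate(KERNEL_LOG.splitlines(), NGINX_LOG.splitlines()):
        if hit["prior_request"] is None:
            print(f'{hit["time"]} {hit["src"]:<15} [{hit["flags"]}] no request in window')
        else:
            print(f'{hit["time"]} {hit["src"]:<15} [{hit["flags"]}] '
                  f'{hit["seconds_since_request"]}s after "{hit["prior_request"]}" '
                  f'-> {hit["prior_status"]}')
    print("flag combinations:", dict(flag_summary(KERNEL_LOG.splitlines())))
```

Run it against the real logs by replacing the two sample strings with the contents of the kernel log and the nginx access log (or reading them from files). A high proportion of bare ACK or ACK FIN packets arriving minutes after a completed request is a different picture from a mix of SYN floods or malformed headers, so the flag tally is the first thing worth looking at. If the kernel itself should say why conntrack classed a packet as INVALID, the sysctl net.netfilter.nf_conntrack_log_invalid can be set to the protocol number (6 for TCP) and the reason is then written to the kernel log alongside these entries.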