On Apr 5, 2013, at 11:29, Daniel Curtis <[email protected]> wrote:

> Hi Matthew
> 
> How can I use Reverse Path filtering in the kernel? You 
> mean this option, right? /proc/sys/net/ipv4/conf/*/rp_filter
> 
Yes, this is what I am referring to. I would double-check the documentation to 
see if there are other settings to switch for RP filtering.

> Sorry, but I do not understand how to drop "out of state" 
> packets with the INVALID rules.
> 

Like you had before
-A INPUT -conntrac.... 

I know iptables -A INPUT -m state --state INVALID -j DROP works well. And it 
does pick out invalid (aka out of state) UDP packets. DNS is one additional 
example.

> My logs:
> 
> Apr  5 17:18:18 t4 kernel: [13107.296065] INVALID OUT: IN= 
> OUT=eth0 SRC=192.168.5.200 DST=173.194.44.32 LEN=446 
> TOS=0x00 PREC=0x00 TTL=64 ID=36621 DF PROTO=TCP 
> SPT=59041 DPT=443 WINDOW=14600 RES=0x00 ACK PSH 
> FIN URGP=0 
> 
> Apr  5 15:29:40 t4 kernel: [ 6589.698710] INVALID IN: IN=eth0 
> OUT= MAC=mac_address_ SRC=173.194.44.32 DST=192.168.5.200 
> LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=40504 PROTO=TCP 
> SPT=443 DPT=56236 WINDOW=0 RES=0x00 RST URGP=0 
> 
> and so on... Is there something wrong, strange?
> 
Maybe, maybe not. 
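As an added example for this thread (not code from either poster), the following Python script parses kernel LOG lines in the format quoted above and says why conntrack most likely marked each packet INVALID. The sample lines are constructed: the first two follow the quoted ones with a made-up MAC value, and the third is an invented truncated UDP datagram, added to go beyond the two TCP cases in the thread. The reasoning encodes Linux conntrack's TCP state table (FIN or RST with no existing entry is INVALID, a bare ACK is picked up as NEW when nf_conntrack_tcp_loose=1, a segment outside the tracked window is INVALID unless nf_conntrack_tcp_be_liberal=1) and assumes a 20-byte IPv4 header when comparing UDP lengths.

```python
#!/usr/bin/env python3
"""Parse netfilter LOG lines like the INVALID IN / INVALID OUT entries above and
explain why conntrack most likely marked each packet INVALID."""
import re
from dataclasses import dataclass, field

# Constructed sample.  The first two lines follow the ones quoted in the thread
# (with a made-up MAC value); the third is an invented truncated UDP datagram.
SAMPLE_LOG = """\
Apr  5 17:18:18 t4 kernel: [13107.296065] INVALID OUT: IN= OUT=eth0 SRC=192.168.5.200 DST=173.194.44.32 LEN=446 TOS=0x00 PREC=0x00 TTL=64 ID=36621 DF PROTO=TCP SPT=59041 DPT=443 WINDOW=14600 RES=0x00 ACK PSH FIN URGP=0
Apr  5 15:29:40 t4 kernel: [ 6589.698710] INVALID IN: IN=eth0 OUT= MAC=00:16:3e:01:02:03:00:16:3e:0a:0b:0c:08:00 SRC=173.194.44.32 DST=192.168.5.200 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=40504 PROTO=TCP SPT=443 DPT=56236 WINDOW=0 RES=0x00 RST URGP=0
Apr  5 15:31:02 t4 kernel: [ 6671.100000] INVALID IN: IN=eth0 OUT= MAC=00:16:3e:01:02:03:00:16:3e:0a:0b:0c:08:00 SRC=192.0.2.53 DST=192.168.5.200 LEN=28 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=UDP SPT=53 DPT=40000 LEN=40
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}


@dataclass
class LogPacket:
    prefix: str                                  # text from LOG --log-prefix, e.g. "INVALID IN:"
    fields: dict = field(default_factory=dict)   # KEY=VALUE tokens
    flags: set = field(default_factory=set)      # bare tokens: DF, MF, SYN, ACK, ...

    @property
    def direction(self):
        # OUTPUT-chain logs have an empty IN=; INPUT (and FORWARD) logs carry IN=<dev>.
        return "out" if self.fields.get("IN", "") == "" else "in"


def parse_line(line):
    """Split one kernel LOG line into prefix, KEY=VALUE fields and bare flags."""
    m = re.search(r"\]\s*(?P<prefix>.*?)\s*(?=\bIN=)", line)
    if not m:
        raise ValueError("not a netfilter LOG line: %r" % line)
    pkt = LogPacket(prefix=m.group("prefix"))
    for tok in line[m.end():].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # UDP lines print LEN twice (IP total length, then UDP length);
            # keep the second one as LEN2 instead of overwriting the first.
            while key in pkt.fields:
                key += "2"
            pkt.fields[key] = val
        else:
            pkt.flags.add(tok)
    return pkt


def explain(pkt):
    """Return (code, reason) for why conntrack would flag this packet INVALID.

    Linux conntrack's TCP state table: with no existing entry a SYN opens a new
    flow and a bare ACK is picked up mid-stream (nf_conntrack_tcp_loose=1), but
    FIN or RST without an entry is INVALID; with an entry, a segment outside
    the tracked window is INVALID unless nf_conntrack_tcp_be_liberal=1.
    """
    proto = pkt.fields.get("PROTO")
    tcp = pkt.flags & TCP_FLAGS
    if proto == "TCP":
        if "RST" in tcp:
            return ("unsolicited-rst",
                    "RST for a flow conntrack no longer tracks (closed or timed "
                    "out); dropping it is harmless")
        if "FIN" in tcp and "SYN" not in tcp:
            return ("late-fin",
                    "FIN on a flow whose conntrack entry is already gone; the "
                    "peer will time the connection out")
        if tcp == {"SYN", "ACK"}:
            return ("stray-synack", "SYN/ACK with no SYN seen in the other direction")
        return ("tcp-out-of-window",
                "segment for a tracked flow but outside the expected window")
    if proto == "UDP":
        ip_len = int(pkt.fields.get("LEN", 0))
        udp_len = int(pkt.fields.get("LEN2", 0))
        if udp_len and udp_len > ip_len - 20:    # assumes a 20-byte IPv4 header
            return ("udp-truncated",
                    "UDP length %d exceeds the %d payload bytes the IP header "
                    "allows" % (udp_len, ip_len - 20))
        return ("udp-malformed",
                "lengths agree, so conntrack rejected the header or the UDP "
                "checksum (nf_conntrack_checksum=1); a plain unknown flow would "
                "be NEW, not INVALID")
    return ("other", "no rule for PROTO=%s" % proto)


def summarize(log_text):
    """Parse every LOG line in log_text and return one (direction, code) per packet."""
    return [(p.direction, explain(p)[0]) for p in map(parse_line, log_text.splitlines())]


if __name__ == "__main__":
    for pkt in map(parse_line, SAMPLE_LOG.splitlines()):
        code, why = explain(pkt)
        print("%-4s %s:%s -> %s:%s  %-16s %s" % (
            pkt.direction, pkt.fields["SRC"], pkt.fields["SPT"],
            pkt.fields["DST"], pkt.fields["DPT"], code, why))
```

Run as a script it prints one verdict per line. Fed the two quoted entries it reports a late FIN/ACK/PSH on a flow whose entry is gone and an unsolicited RST, both of which a rule such as iptables -A INPUT -m state --state INVALID -j DROP discards without harming a live connection; while debugging, keep the LOG rule ahead of the DROP rule so the dropped packets keep appearing in the log.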
