Thomas Pedoussaut wrote:
> I came across a very strange problem.
I'm replying here to leave a trace in the archive in case someone else has 
the same issue.
> For one of my dozen services (a straight TCP connection), the 
> TCP FIN packets that arrive on the load balancer are never passed 
> to the real server.
> I activated the iptables logs and could see the FIN packets being dropped.
> No idea why the FINs are dropped and not the other ones. I obviously have 
> the --state ESTABLISHED,RELATED -j ACCEPT in my iptables rules.
Basically, all packets (SYN and non-SYN) are allowed by the "--state 
NEW" iptables rule but not by the ESTABLISHED,RELATED one, because the director 
never sees the replies from the real server and so never creates a 
conntrack entry for that connection.
When a FIN packet arrives, it is not validated as --state NEW, because 
its FIN flag is set, and so that particular packet is dropped.

> I had a quick look at /proc/net/ip_conntrack before, during and after 
> the connection but nothing specific to that connection seems to be 
> inserted (the module is loaded and other traffic gets tracked).
So the solution is to change the iptables rule from
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $VPORT -j ACCEPT
to
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport $VPORT -j ACCEPT
> Google doesn't really help. Someone had a similar problem last year but 
> it was never publicly solved.
And now I hope this post will get crawled and indexed.

Thomas Pedoussaut

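A small log-triage helper, added here as an example and not part of Thomas's post, that parses iptables LOG lines like the ones he enabled and reports which destination ports are dropping only connection-teardown packets (FIN/RST), the signature of a director that has no conntrack entry to match ESTABLISHED. The addresses, port 5000 and the "DROP-IN" log prefix are constructed sample values:

```python
import re
from collections import Counter, defaultdict

# Constructed iptables LOG lines in the usual kernel LOG format (not from the
# original post); the VIP is 192.0.2.10 and the hypothetical VPORT is 5000.
SAMPLE_LOG = """\
kernel: DROP-IN IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=5000 ACK FIN URGP=0
kernel: DROP-IN IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=5000 ACK FIN URGP=0
kernel: DROP-IN IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=5000 ACK RST URGP=0
kernel: DROP-IN IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=22 SYN URGP=0
"""

# TCP flags appear as bare tokens in the LOG output
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

def parse_log_line(line):
    """Return the addressing fields plus the set of TCP flags, or None if not TCP."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    tokens = set(line.split())
    fields["flags"] = frozenset(f for f in TCP_FLAGS if f in tokens)
    return fields

def dropped_by_port(log_text):
    """Count dropped packets per destination port, keyed by sorted flag combination."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        counts[int(pkt["DPT"])][" ".join(sorted(pkt["flags"]))] += 1
    return counts

def ports_dropping_only_teardown(log_text):
    """Ports where every dropped packet carries FIN or RST: new connections get
    through (the --state NEW rule) but teardown packets never match ESTABLISHED,
    because the director never saw the real server's replies."""
    result = []
    for port, flag_counts in dropped_by_port(log_text).items():
        combos = [set(c.split()) for c in flag_counts]
        if all(c & {"FIN", "RST"} for c in combos):
            result.append(port)
    return sorted(result)

if __name__ == "__main__":
    print(ports_dropping_only_teardown(SAMPLE_LOG))
```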