[snipp]
Is it possible to deactive the iptables, due the fact that a lot of the
high performance setups out there have seen that the connection tracking
with iptables have really bad performance impacts?

Hth

Aleks

Thanks for your reply. Can you elaborate on what the "really bad performance impacts" are on this?

At this point, however, I am more concerned about whether indeed there is some sort of problem with my hardware and/or software at some other place (outside of iptables) that iptables has brought to light due to its logging of this issue (which otherwise is invisible - in other words it does not seem to impact people using the site).

Thanks.

You didn't show us what was important: the log that was produced.

If the rejected packet was a ACK/FIN, then it is harmless.
On busy servers conntrack removes the connection from its table as soon as
it gets the FIN packet. When the ACK/FIN then comes, the connection is not
known and this is not a SYN. It logs it as invalid.

This could also have been a scan (nmap can trigger invalid packets too).

What kernel version are you running?
I remember that there was some issues around 2.6.23.4 about tcp reopening
in nf_conntrack, see this commit for more information:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b2155e7f70b3f058efe94c0c459db023b05057bd
It was definitely fixed around 2.6.24.3. Maybe you encounter this problem.

HTH,

I included various samples from the different types of invalid state errors at the end of this message.
About 25% of the invalid packets are of this type. Should I drop them using DROP or using RESET? How about for the other types? I take it there is no harm in dropping or rejecting these - as they are obviously bad packets anyway?

I should note that in EVERY case it appears that nginx served the content successfully and that browser got it just fine (no obvious errors), and these bad packet log messages are showing up anywhere from 2-5 minutes after the user hits the page and not part of a new request. So it seems there is some packet activity that occurs minutes after the user has left the site.
My server is not very busy (yet). It is handling about 500-1500 requests per hour and no more than a 2 or 3 concurrently at times.
I really don't think this could be a scan. I took the site live for the first time and immediately started seeing these invalid packets.
uname -a returns the following:
2.6.21.7-2.fc8xen #1 SMP Fri Feb 15 12:39:36 EST 2008 i686 athlon i386 GNU/Linux

Here are some log samples. Thank you and I look forward to hearing your thoughts on this. I really appreciate your help!!
==========
Out of 436 log entries here is the break down (these are not exact counts but will give you an idea of what % are for what type of bad packet):

218 are type "ACK RST" on the INPUT chain. None of this type are for the OUTPUT chain. Examples:
--------
May 18 15:21:44 domU kernel: PCK-INP-BADSTATE-DROP:IN=eth0 OUT= MAC=12:....:ff:08:00 SRC=x.y.z.a DST=10.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=13770 DF PROTO=TCP SPT=1391 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0

May 18 15:17:25 domU kernel: PCK-INP-BADSTATE-DROP:IN=eth0 OUT= MAC=12:....:ff:08:00 SRC=x.y.z.a DST=10.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=17970 DF PROTO=TCP SPT=49671 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
--------

110 are of type "ACK FIN". Out of this group 82 are on the INPUT chain and 28 are on the OUTPUT chain. Examples:
-------- (OUTPUT)
May 18 15:14:13 domU kernel: PCK-OUT-BADSTATE-DROP:IN= OUT=eth0 SRC=10.x.x.x DST=x.y.z.a LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=31199 DF PROTO=TCP SPT=80 DPT=3055 WINDOW=6432 RES=0x00 ACK FIN URGP=0

May 18 13:39:17 domU kernel: PCK-OUT-BADSTATE-DROP:IN= OUT=eth0 SRC=10.x.x.x DST=x.y.z.a LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=299 DF PROTO=TCP SPT=80 DPT=1157 WINDOW=6432 RES=0x00 ACK FIN URGP=0
-------- (INPUT)
May 18 15:24:08 domU kernel: PCK-INP-BADSTATE-DROP:IN=eth0 OUT= MAC=12:....:ff:08:00 SRC==x.y.z.a DST=10.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=25196 DF PROTO=TCP SPT=57214 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0

May 18 12:58:10 domU kernel: PCK-INP-BADSTATE-DROP:IN=eth0 OUT= MAC=12:....:ff:08:00 SRC=x.y.z.a DST=10.x.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=52221 DF PROTO=TCP SPT=55817 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0

99 are for type "RST", out of those 22 are for the INPUT chain and 77 are for the OUTPUT chain. Examples:
-------- (OUTPUT)
May 18 10:49:15 domU kernel: PCK-OUT-BADSTATE-DROP:IN= OUT=eth0 SRC=10.x.x.x DST=x.y.z.a LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=19144 WINDOW=0 RES=0x00 RST URGP=0

May 18 15:35:40 domU kernel: PCK-OUT-BADSTATE-DROP:IN= OUT=eth0 SRC=10.x.x.x DST=x.y.z.a LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=62353 WINDOW=0 RES=0x00 RST URGP=0
-------- (INPUT)
May 18 13:54:58 domU kernel: PCK-INP-BADSTATE-DROP:IN=eth0 OUT= MAC=12:....:ff:08:00 SRC==x.y.z.a DST=10.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=9943 PROTO=TCP SPT=4361 DPT=80 WINDOW=0 RES=0x00 RST URGP=0


May 18 12:31:37 domU kernel: PCK-INP-BADSTATE-DROP:IN=eth0 OUT= MAC=12:....:ff:08:00 SRC=x.y.z.a DST=10.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=65259 PROTO=TCP SPT=12568 DPT=80 WINDOW=6432 RES=0x00 RST URGP=0


9 are for type "ACK PSH FIN". Example:
--------
May 18 02:00:03 domU kernel: PCK-OUT-BADSTATE-DROP:IN= OUT=eth0 SRC=10.x.x.x DST=x.y.z.a LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=29585 DF PROTO=TCP SPT=80 DPT=5178 WINDOW=54 RES=0x00 ACK PSH FIN URGP=0

-- end of message --

Futhermore here is some output from tcpdump which shows a very high rate of checksum errors in the packets:

tcpdump -s1500 -vvv port 80|grep -i incorrect
(I only ran this for a few seconds and here is what it output - at the
time I was getting requests at the rate of 1 request every 2 seconds)

16:37:22.719802 IP (tos 0x0, ttl 64, id 23246, offset 0, flags [DF],
proto TCP (6), length 693) domU-xxx > xxx.xxx.net.netclip: P, cksum
0x5fc4 (incorrect (-> 0xb52e), 26461:27114(653) ack 447 win 6432
16:37:29.492240 IP (tos 0x0, ttl 64, id 33170, offset 0, flags [DF],
proto TCP (6), length 1290) domU-xxx > xxxx.xxxx.com.57132: P, cksum
0x8131 (incorrect (-> 0x24da), 7241:8479(1238) ack 583 win 55
<nop,nop,timestamp 478987053 46606982>
16:37:30.047027 IP (tos 0x0, ttl 64, id 2132, offset 0, flags [DF],
proto TCP (6), length 89) domU-xxx > xxx.xxx.net.52956: P, cksum
0x0da0 (incorrect (-> 0x3f1d), 7241:7278(37) ack 396 win 54
<nop,nop,timestamp 478987191 384369485>
16:37:31.966523 IP (tos 0x0, ttl 64, id 14827, offset 0, flags [DF],
proto TCP (6), length 1294) domU-xxx > xxxx.xxxx.dialog-port: P,
cksum 0x1153 (incorrect (-> 0xc555), 26281:27535(1254) ack 415 win
6432
16:37:32.155399 IP (tos 0x0, ttl 64, id 39841, offset 0, flags [DF],
proto TCP (6), length 871) domU-xxx > x.y.z.a.51963: P, cksum 0xd32a
(incorrect (-> 0x9716), 26281:27112(831) ack 412 win 6432
16:37:32.636392 IP (tos 0x0, ttl 64, id 58696, offset 0, flags [DF],
proto TCP (6), length 1450) domU-xxx >
mobilexxxx.xx.x.x.llsurfup-http: ., cksum 0xe939 (incorrect (->
0x3c94), 23971:25381(1410) ack 293 win 6432
16:37:33.258956 IP (tos 0x0, ttl 64, id 58697, offset 0, flags [DF],
proto TCP (6), length 1450) domU-xxx >
mobilexxx.x.x.x.llsurfup-http: ., cksum 0xe939 (incorrect (->
0x743f), 25381:26791(1410) ack 293 win 6432
16:37:33.258963 IP (tos 0x0, ttl 64, id 58698, offset 0, flags [DF],
proto TCP (6), length 364) domU-xxx > mobilexxx.x.x.x.llsurfup-http:
P, cksum 0xe4fb (incorrect (-> 0x89ee), 26791:27115(324) ack 293 win
6432
16:37:38.080571 IP (tos 0x0, ttl 64, id 64581, offset 0, flags [DF],
proto TCP (6), length 1290) domU-xxx > x.x.x.x.x.6096: P, cksum
0x6517 (incorrect (-> 0x5f33), 7301:8551(1250) ack 465 win 6432

Hi,
I think you can drop them.
I think you really might better ask those questions on the netfilter list:
http://www.netfilter.org/mailinglists.html
There is certainly lot of people way more knowledgeable than on the nginx
list about iptables/netfilter :-)
Maybe you could tcpdump the whole traffic to analyze exactly what's
happening?
Yes, definitely not busy. Anyway, I think what I wrote still applies,
although I'm really not a netfilter expert.
You bet? I get so much automatic scans per seconds, that I don't even look
to the logs anymore :-(
It is indeed the same issue than ACK/FIN
http://lists.netfilter.org/pipermail/netfilter/2004-June/053782.html
We already talked about this one above. This could also be a Maimon scan
which uses ACK+FIN.
Hum, that one seems strange. I don't see any easy explanation.
Maybe with a full capture of the traffic you will be able to understand
what's that.
http://lists.netfilter.org/pipermail/netfilter/2005-August/062059.html

As a side note, I'm also running conntrack on my servers, and I do see
some of the ACK+FIN and ACK+RST invalid packets. I drop them and doesn't
really care: nobody ever complained :-)

Good luck :-)

Quick update: I change my nginx config from:
keepalive_timeout 30;
to
keepalive_timeout 0;

and the log entries have stopped almost completely. Prior to making this change I was getting somewhere between 1 - 10 entries per minute in the log for the bad packets (in the cases of multiples like 5-10 range often it was the same IP reporting over and over). And now that I have made the keepalive change I've gotten just 2 log entries in the past hour.

Does this give us any more insight as to the root cause of the issue?

With this in mind should I keep the keepalive at 0, or go back to the 30 setting and just don't worry about the log entries?

Thanks again!