
Can an expert decipher "oops: invalid ct state"?

Discussion in 'Tomato Firmware' started by bangkokiscool, Nov 19, 2009.

  1. bangkokiscool

    About four or five times a day, my Tomato router loses connection to the Internet (WRT54GL connected to a Time Warner cable modem). It happens for anywhere from 1-20 minutes, and then reconnects. During this time remote access is down, but I can still log on to Tomato from within the LAN, so the router is not crashed. When I renew the connection on the WAN (Overview page) the connection is restored. Here's what the logs typically look like when it happens. Can someone decode this for me?

    Nov 19 11:09:57 ? user.warn kernel: ipt_connlimit: Oops: invalid ct state ?
    Nov 19 11:09:57 ? user.warn kernel: ipt_connlimit: Oops: invalid ct state ?
    Nov 19 11:09:57 ? user.warn kernel: ipt_connlimit: Oops: invalid ct state ?
    Nov 19 11:11:02 ? user.warn kernel: ipt_connlimit: Oops: invalid ct state ?
    Nov 19 11:11:02 ? user.warn kernel: ipt_connlimit: Oops: invalid ct state ?
    Nov 19 11:11:02 ? user.warn kernel: ipt_connlimit: Oops: invalid ct state ?
    Nov 19 11:12:38 ? user.warn kernel: ipt_connlimit: Oops: invalid ct state ?
    Nov 19 11:15:29 ? user.warn kernel: ipt_connlimit: Oops: invalid ct state ?
    Nov 19 11:15:29 ? user.warn kernel: ipt_connlimit: Oops: invalid ct state ?
    Nov 19 11:15:29 ? user.warn kernel: ipt_connlimit: Oops: invalid ct state ?
    Nov 19 11:15:59 ? user.warn kernel: ipt_connlimit: Oops: invalid ct state ?
    Nov 19 11:15:59 ? user.warn kernel: ipt_connlimit: Oops: invalid ct state ?
    Nov 19 11:15:59 ? user.warn kernel: ipt_connlimit: Oops: invalid ct state ?

    Does this script in the firewall have anything to do with it? I've taken the script out to see if the disconnects keep happening.

    # Accept forwarded UDP from the LAN at up to 4 packets per second; excess falls through to later rules
    iptables -A FORWARD -p UDP -s 192.168.1.0/24 -m limit --limit 4/s -j ACCEPT
    # Per-source caps for hosts in 192.168.1.50-250: 30 non-TCP and 150 TCP connections
    # ("-p ! tcp" is the old negation syntax; newer iptables expects "! -p tcp")
    iptables -I FORWARD -m iprange --src-range 192.168.1.50-192.168.1.250 -p ! tcp -m connlimit --connlimit-above 30 -j DROP
    iptables -I FORWARD -p tcp -m iprange --src-range 192.168.1.50-192.168.1.250 -m connlimit --connlimit-above 150 -j DROP
    # At most 10 SMTP connections per source, and 3000 TCP connections per source overall
    iptables -I FORWARD -p tcp --dport 25 -m connlimit --connlimit-above 10 -j DROP
    iptables -I FORWARD -p tcp --dport 1:65535 -m connlimit --connlimit-above 3000 -j DROP
     
  2. roadkill (Super Moderator)

    This should solve it; add it above your connlimit statement:
    Code:
    iptables -A PREROUTING -t mangle -m conntrack --ctstate INVALID -j DROP
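    As an added check (not part of this thread or of Tomato), the Python below scans a constructed iptables-save style dump modelled on the rules above and lists connlimit rules that packets in conntrack state INVALID can still reach. It treats a drop in mangle PREROUTING as covering the connlimit rules in filter FORWARD, because every inbound packet passes mangle PREROUTING before it reaches FORWARD; the dump and rule strings are assumptions, not output captured from the router.

```python
import re

# Constructed iptables-save style dump modelled on the rules in this thread
# (hypothetical, not captured from the router); the mangle line is roadkill's fix.
SAMPLE_RULES = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m conntrack --ctstate INVALID -j DROP
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --dport 1:65535 -m connlimit --connlimit-above 3000 -j DROP
-A FORWARD -p tcp -m tcp --dport 25 -m connlimit --connlimit-above 10 -j DROP
-A FORWARD -p tcp -m iprange --src-range 192.168.1.50-192.168.1.250 -m connlimit --connlimit-above 150 -j DROP
-A FORWARD ! -p tcp -m iprange --src-range 192.168.1.50-192.168.1.250 -m connlimit --connlimit-above 30 -j DROP
-A FORWARD -s 192.168.1.0/24 -p udp -m limit --limit 4/sec -j ACCEPT
COMMIT
"""
# The same dump without the guard, i.e. the original poster's situation.
SAMPLE_RULES_NO_GUARD = SAMPLE_RULES.replace(
    "-A PREROUTING -m conntrack --ctstate INVALID -j DROP\n", "")

# Matches "-m conntrack --ctstate INVALID" and the older "-m state --state INVALID" drop.
INVALID_DROP = re.compile(r"--(?:ct)?state\s+\S*INVALID\S*.*-j\s+DROP\b")

def parse_rules(dump):
    """Return (table, chain, rule) for every -A line of an iptables-save dump, in order."""
    table, rules = None, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            rules.append((table, line.split()[1], line))
    return rules

def connlimit_without_guard(dump):
    """Return the connlimit rules that packets in conntrack state INVALID can still reach."""
    rules = parse_rules(dump)
    # mangle PREROUTING is walked before filter INPUT/FORWARD, so a drop there guards all of them;
    # otherwise a drop only guards connlimit rules later in the same table and chain.
    early_guard = any(t == "mangle" and c == "PREROUTING" and INVALID_DROP.search(r)
                      for t, c, r in rules)
    guarded, unguarded = set(), []
    for table, chain, rule in rules:
        if INVALID_DROP.search(rule):
            guarded.add((table, chain))
        elif "-m connlimit" in rule and not (early_guard or (table, chain) in guarded):
            unguarded.append(rule)
    return unguarded
```

    Run it against the output of `iptables-save` from the router to see which connlimit rules are still exposed; an empty list means the INVALID drop precedes every one of them.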
     
  3. bangkokiscool

    thank you!!
     
