Hi… I've noticed that the iptables rule "-m state --state INVALID -j DROP", applied to both the INPUT and OUTPUT chains on my Raspbian Tor relay, drops some connections… is this normal, and should I avoid dropping "--state INVALID" connections when the destination or source is the Tor process on the relay? It's strange to have them also in the outgoing chain (i.e. produced by the relay), unless it is related to how Tor works (I'm almost sure that the connections dropped by the OUTPUT rule are related to the Tor process).
It's not a matter of conntrack entries: it's using only 61 entries and has a lot of them free.
Drop log in the OUTPUT direction => why is my relay sending a packet with ACK PSH FIN flags?
iptables-OUT-INVALID-DENIED: IN= OUT=eth0 SRC=10.x.x.x DST=37.x.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=24372 DF PROTO=TCP SPT=33423 DPT=9001 WINDOW=321 RES=0x00 ACK PSH FIN URGP=0
Drop log in the INPUT direction => This could be a correct drop due to a new connection with RST flag, I think:
iptables-IN-INVALID-DENIED: IN=eth0 OUT= SRC=91.x.x.x DST=10.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=15754 DPT=9090 WINDOW=0 RES=0x00 RST URGP=0
Best regards, Fr33d0m4All
tor-relays@lists.torproject.org
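Added example (not part of the post above or of Tor's own code): a small parser that turns kernel LOG lines like the two quoted in the post into structured records, extracts the TCP flag bits, works out which chain the rule fired in from the IN=/OUT= interface fields, and attaches a heuristic triage label so drops can be counted by direction, flag pattern and destination port. The first two sample lines are the post's own (addresses masked there as in the post); the third, an ACK-only packet from 198.51.100.7, is constructed for illustration. The labels are assumptions made for triage only; they do not state why conntrack marked a given packet INVALID.

```python
import sys
from collections import Counter

# Sample input: the two LOG lines from the post (addresses masked there) plus
# one constructed ACK-only line; none of this is live relay data.
SAMPLE_LOG = """\
iptables-OUT-INVALID-DENIED: IN= OUT=eth0 SRC=10.x.x.x DST=37.x.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=24372 DF PROTO=TCP SPT=33423 DPT=9001 WINDOW=321 RES=0x00 ACK PSH FIN URGP=0
iptables-IN-INVALID-DENIED: IN=eth0 OUT= SRC=91.x.x.x DST=10.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=15754 DPT=9090 WINDOW=0 RES=0x00 RST URGP=0
iptables-IN-INVALID-DENIED: IN=eth0 OUT= SRC=198.51.100.7 DST=10.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=TCP SPT=40000 DPT=9001 WINDOW=64240 RES=0x00 ACK URGP=0
"""

# Bare tokens the LOG target emits for set TCP flag bits.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}


def parse_log_line(line):
    """Split one LOG line into prefix, KEY=VALUE fields, TCP flags and IP flags.

    Any syslog/dmesg timestamp in front of the rule prefix ends up in 'prefix'.
    """
    tokens = line.split()
    try:
        start = next(i for i, t in enumerate(tokens) if t.startswith("IN="))
    except StopIteration:
        raise ValueError("not an iptables LOG line: %r" % line)
    prefix = " ".join(tokens[:start]).rstrip(":")
    fields, tcp_flags, ip_flags = {}, set(), set()
    for tok in tokens[start:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value            # IN= and OUT= may be empty strings
        elif tok in TCP_FLAGS:
            tcp_flags.add(tok)
        else:
            ip_flags.add(tok)             # DF, MF, CE and similar bare tokens
    return {
        "prefix": prefix,
        "direction": direction(fields),
        "fields": fields,
        "flags": tcp_flags,
        "ip_flags": ip_flags,
    }


def direction(fields):
    """Locally generated packets log an empty IN=; received ones an empty OUT=."""
    iface_in, iface_out = fields.get("IN", ""), fields.get("OUT", "")
    if iface_in and iface_out:
        return "FORWARD"
    if iface_in:
        return "INPUT"
    if iface_out:
        return "OUTPUT"
    return "UNKNOWN"


def classify(rec):
    """Heuristic triage label from the TCP flag pattern (an assumption for
    grouping only; the real reason conntrack chose INVALID is not in the LOG
    line, see the nf_conntrack_log_invalid note below)."""
    if rec["fields"].get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["flags"]
    if "RST" in flags:
        return "stray-rst"            # reset for a flow conntrack is not tracking
    if "FIN" in flags:
        return "late-teardown"        # FIN/ACK on a flow conntrack no longer accepts
    if "SYN" in flags:
        return "syn-invalid"          # a SYN normally maps to NEW, so look closer
    if flags in ({"ACK"}, {"ACK", "PSH"}):
        return "mid-stream-untracked" # data/ack with no tracked connection behind it
    return "other"


def summarize(log_text):
    """Count drops by (chain, triage label, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        counts[(rec["direction"], classify(rec), rec["fields"].get("DPT", "-"))] += 1
    return counts


if __name__ == "__main__":
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for (chain, label, dport), n in sorted(summarize(text).items()):
        print("%-8s %-22s dpt=%-6s %d" % (chain, label, dport, n))
```

Pipe `dmesg` or `journalctl -k` output into the script to see which chain, flag pattern and port the INVALID drops cluster on. To learn why conntrack marked a particular TCP packet INVALID (out-of-window, no entry, bad state transition), the LOG line alone is not enough: setting the sysctl net.netfilter.nf_conntrack_log_invalid to 6 makes the kernel log the conntrack reason for TCP packets it rejects.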