Adamm
Part of the Furniture
You got the sequence right. My hypothesis seems to hold. Skynet is actually accepting INVALID packets that are normally dropped. Here's a better workaround command instead of the iptables delete. This will keep the whitelist active for the other chains.
Code:
iptables -I logdrop -m state --state INVALID -j DROP
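An added helper (not Skynet's own code, and not part of the post above) for applying that workaround without stacking duplicate rules every time it is re-run. It assumes the chain is named `logdrop` as in the command above, and that `iptables -S` is available; `has_invalid_drop` is a hypothetical helper that inspects a rule listing so the check can be exercised offline on constructed text.

```shell
#!/bin/sh
# Added example: make sure an INVALID-state DROP sits at the top of Skynet's
# logdrop chain (chain name assumed from the post), and do it idempotently.

CHAIN="logdrop"

# has_invalid_drop LISTING
# Returns 0 if LISTING (the text produced by `iptables -S $CHAIN`) already
# contains a rule dropping INVALID-state packets. Newer iptables prints the
# state match as `-m conntrack --ctstate INVALID`, older ones as
# `-m state --state INVALID`, so both spellings are accepted.
has_invalid_drop() {
    printf '%s\n' "$1" | grep -Eq -e "^-A $CHAIN .*(--state|--ctstate) INVALID .*-j DROP"
}

# ensure_invalid_drop
# Reads the live chain and inserts the DROP at position 1 only when missing.
ensure_invalid_drop() {
    listing="$(iptables -S "$CHAIN" 2>/dev/null)" || {
        echo "chain $CHAIN not found; is Skynet running?" >&2
        return 1
    }
    if has_invalid_drop "$listing"; then
        echo "INVALID drop already present in $CHAIN"
    else
        iptables -I "$CHAIN" -m state --state INVALID -j DROP
        echo "inserted INVALID drop at top of $CHAIN"
    fi
}

# Usage on the router (needs root): ensure_invalid_drop
```

Run it once after Skynet restarts its firewall; the `-S` check means a second run is a no-op, and `iptables -S logdrop | head -1` then shows whether the INVALID drop is still the first rule in the chain.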
Thanks John! I'll give that a try and report back tomorrow...
I did install tcpdump and ran it. Hard (for me) to fully understand the output, but it is easy to see a pattern where the Amazon device looks up a DNS record, initiates a connection, gets the acknowledgement, then starts streaming. It does that for each of the "news briefing" segments. When one stalls (i.e., when Skynet is active and autoban=yes), the acknowledgement never makes it to tcpdump... So the packet (SYN ACK?) must be getting dropped somewhere. I'd blame it on the content distribution server, except it works fine with Skynet disabled (or autoban=no). So something about how iptables is identifying those packets.
Thanks for your help, I'll check back in tomorrow with further results!
Well if the whitelist rule is the issue, that's by far the oddest one I've heard of so far. Strange how allowing some invalid packets is causing issues.