I have a little problem with my squid/dansguardian proxy:

I sometimes get packets dropped on my firewall, which sits between my main network (eth1), the DMZ with my proxy (eth0), and the internet.

The packets are going from the clients to the proxy, logged like this:

[FORWARD INVALID DROP]: IN=eth1 OUT=eth0 SRC=clients_ip DST=proxy_ip LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=57798 DF PROTO=TCP SPT=4619 DPT=3128 WINDOW=65217 RES=0x00 ACK FIN URGP=0

and I'm using this to specifically log invalid packets:

iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix '[FORWARD INVALID DROP]: ' --log-level info
iptables -A FORWARD -m state --state INVALID -j DROP

It doesn't occur all the time, just sometimes, and the clients seem to be able to browse the internet without problems, but I still get something like 600 drops a day for a network that doesn't use the internet that much.

I don't understand why conntrack marks these packets as invalid... if anybody has an idea.

PS: it does the same thing with squid in a standalone configuration (without dansguardian).
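Added example, not code from the original post: a small Python triage script that parses netfilter LOG lines in the format shown above and tallies the INVALID drops by protocol, destination port and TCP flag combination, so a day's worth of log can be checked for whether the drops are all header-only ACK/FIN stragglers like the one logged or something else. The sample lines and addresses below are constructed placeholders.

```python
from collections import Counter

# Constructed sample of netfilter LOG output in the post's format
# (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
[FORWARD INVALID DROP]: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=57798 DF PROTO=TCP SPT=4619 DPT=3128 WINDOW=65217 RES=0x00 ACK FIN URGP=0
[FORWARD INVALID DROP]: IN=eth1 OUT=eth0 SRC=192.0.2.11 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=4620 DPT=3128 WINDOW=65217 RES=0x00 ACK URGP=0
[FORWARD INVALID DROP]: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=TCP SPT=4621 DPT=3128 WINDOW=65217 RES=0x00 ACK FIN URGP=0
[FORWARD INVALID DROP]: IN=eth1 OUT=eth0 SRC=192.0.2.12 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3 DF PROTO=TCP SPT=4622 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}


def parse_nf_log_line(line):
    """Parse one netfilter LOG line into a dict.

    KEY=VALUE tokens become entries; bare tokens (DF and the TCP flags
    ACK, FIN, SYN, ...) are collected, in log order, under 'flags'.
    The --log-prefix, if present, is stored under 'prefix'.
    """
    if "]: " in line:
        prefix, _, rest = line.partition("]: ")
        prefix = prefix.lstrip("[")
    else:
        prefix, rest = "", line
    fields = {"prefix": prefix, "flags": []}
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields["flags"].append(tok)
    return fields


def summarise_invalid_drops(log_text):
    """Count INVALID-state drops by (PROTO, DPT, TCP flag combination).

    A header-only (LEN=40) segment carrying ACK/FIN/RST but no SYN is a
    late teardown segment for a connection conntrack no longer tracks;
    a SYN in the same bucket would point at a different cause.
    """
    counts = Counter()
    for line in log_text.splitlines():
        if "INVALID" not in line:
            continue
        f = parse_nf_log_line(line)
        tcp_flags = " ".join(x for x in f["flags"] if x in TCP_FLAGS)
        counts[(f.get("PROTO"), f.get("DPT"), tcp_flags)] += 1
    return counts
```

Run against the real syslog file (for example `grep 'INVALID DROP' /var/log/messages`) and print the Counter's `most_common()` to see which flag combinations account for the daily drops.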