[CentOS] ip_conntrack table filling up, dropping packets

Matt Shields mattboston at gmail.com
Fri Jun 15 21:25:31 UTC 2007


If your server isn't having a problem, then why not bump up the
conntrack number?  I've bumped mine up to 2097152.  I can't remember
where, but I remember reading a PDF article on iptables and how many
connections a specific server with X amount of CPUs and X amount of
memory can handle.

[root at firewall1 ~]# cat /proc/sys/net/ipv4/ip_conntrack_max
2097152

-matt

On 6/15/07, Michael Calizo <mike.calizo at gmail.com> wrote:
> Hi Michelson, I have that problem also on one of my FW boxes. What I did is I
> created a cronjob that reloads the iptables rules. In this case you don't drop
> any connections and you don't need to reboot your box. So far it's working on
> our production-deployed FW.
>
> Note: You need to find out how frequently you need to do this in a week.
>
> Cheers!
>
>
> On 6/12/07, yossarian1 at gmail.com <yossarian1 at gmail.com> wrote:
> > Hi, my ip_conntrack table is filling up and now my server is dropping
> > packets. I'm running CentOS release 4.4 (Final) on a fairly busy
> > webserver.  The table is full of various connections, including a lot
> > of "ESTABLISHED" TCP connections from my webserver (the src is my
> > webserver IP), and some other random connections to my webserver, and
> > many "ASSURED" connections.  So why is it filling up? I changed the
> > default timeout value like so:
> >
> > echo 36000 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
> >
> > but I don't think that's had any effect. Any thoughts? What additional
> > info can I provide that would be helpful?  I did find a script that
> > clears out some of the stale connections using hping2, but I don't
> > know if that's really a great solution to this problem.
> >
> > cat /proc/sys/net/ipv4/ip_conntrack_max     # 34576
> >
> > after cleaning out the ip_conntrack table using an hping2 script:
> > cat /proc/net/ip_conntrack | wc -l         # 3702
> > This number was around 34000 before I cleared it out because it was
> > dropping packets. Rebooting the machine, of course, clears it out.
> >
> >
> > I've spent many hours banging my head against the wall trying to
> > figure this out, reading in Google Groups and in various forums, to no
> > avail.  My webserver does send out emails to a few thousand
> > registered users (if they opt in for the email) every day.
> >
> > Thank you for your time!  I hope I sent this to the right list.  This
> > looked like the right one.  Sorry in advance if I made a mistake.
> >
> > Michelson
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
>
>
>
> --
> Mike Calizo
> Registered Linux User # 365113
>
> _________________________________________________
> Even the longest journey has to start with a small first-step
>
>
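A small check script, added here as an example and not part of the thread, that reports how close the conntrack table is to ip_conntrack_max before the kernel starts dropping packets, and breaks the entries down by state so you can see whether long-lived ESTABLISHED and [ASSURED] entries (as Michelson describes) are what is filling it. The file paths are passed as arguments and the sample table is constructed; the warning threshold of 80% is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: check conntrack table utilization so
# a full table is caught before the kernel drops new connections. Paths are
# arguments, so the functions run on the live files (ip_conntrack_max and
# /proc/net/ip_conntrack on CentOS 4; nf_conntrack_max / nf_conntrack on
# newer kernels) or on saved copies. The sample table below is constructed.

# conntrack_usage MAX_FILE TABLE_FILE WARN_PERCENT
# Prints "entries max percent"; returns 1 once percent >= WARN_PERCENT.
conntrack_usage() {
    max=$(cat "$1")
    count=$(wc -l < "$2" | tr -d ' ')
    pct=$((count * 100 / max))
    echo "$count $max $pct"
    [ "$pct" -lt "$3" ]
}

# conntrack_states TABLE_FILE: entries per TCP state (other protocols by
# name). Handles both layouts; nf_conntrack prefixes "ipv4 2" to each line.
conntrack_states() {
    awk '{ o = ($1 == "ipv4" || $1 == "ipv6") ? 2 : 0; p = $(1 + o)
           if (p == "tcp") s[$(4 + o)]++; else s[p]++ }
         END { for (k in s) print k, s[k] }' "$1" | sort
}

# conntrack_assured TABLE_FILE: entries the kernel will not evict early.
conntrack_assured() { grep -c '\[ASSURED\]' "$1" || true; }

# Constructed sample: 7 entries with max set to 8 so the 80% warning trips
# (a real CentOS 4 box shows 34576 or whatever ip_conntrack_max holds).
write_sample() {
    d=$(mktemp -d); echo 8 > "$d/max"
    cat > "$d/table" <<'EOF'
tcp      6 431999 ESTABLISHED src=10.1.1.10 dst=192.0.2.20 sport=80 dport=51001 src=192.0.2.20 dst=10.1.1.10 sport=51001 dport=80 [ASSURED] use=1
tcp      6 431998 ESTABLISHED src=10.1.1.10 dst=192.0.2.21 sport=80 dport=51002 src=192.0.2.21 dst=10.1.1.10 sport=51002 dport=80 [ASSURED] use=1
tcp      6 431997 ESTABLISHED src=10.1.1.10 dst=198.51.100.7 sport=25 dport=40001 src=198.51.100.7 dst=10.1.1.10 sport=40001 dport=25 [ASSURED] use=1
tcp      6 431996 ESTABLISHED src=10.1.1.10 dst=198.51.100.8 sport=25 dport=40002 src=198.51.100.8 dst=10.1.1.10 sport=40002 dport=25 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.0.2.30 dst=10.1.1.10 sport=52000 dport=80 src=10.1.1.10 dst=192.0.2.30 sport=80 dport=52000 [ASSURED] use=1
tcp      6 119 SYN_SENT src=10.1.1.10 dst=203.0.113.9 sport=43000 dport=25 [UNREPLIED] src=203.0.113.9 dst=10.1.1.10 sport=25 dport=43000 use=1
udp      17 29 src=10.1.1.10 dst=10.1.1.1 sport=50000 dport=53 [UNREPLIED] src=10.1.1.1 dst=10.1.1.10 sport=53 dport=50000 use=1
EOF
    echo "$d"
}

d=$(write_sample)
conntrack_usage "$d/max" "$d/table" 80 || echo "WARNING: conntrack table nearly full"
conntrack_states "$d/table"
echo "assured: $(conntrack_assured "$d/table")"
```

Run it from cron against the live paths with a threshold you choose and alert on a non-zero exit; if the ESTABLISHED count dominates, the established timeout (rather than ip_conntrack_max) is the setting to look at first.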
