[CentOS] ip_conntrack: table full, dropping packet.

Masry Alex

masryalex at gmail.com
Fri Apr 18 16:23:31 UTC 2008


I was trying to do what the article at
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.performance.html#conntrack_filling_tables
suggested.
My iptables rules are:
------------------------------------------------------------------------
# that's what the mentioned article suggested... I'm not sure it's working!
*raw
-A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
#no tracking needed for this
-A INPUT -p tcp --dport 80 -j ACCEPT
# that would be another question, but I can't get rid of this while using ssh tunneling
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#ssh port
-A INPUT -p tcp --dport 12345 -j ACCEPT
#my ip
-A INPUT -s 123.123.123.123 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
------------------------------------------------------------------------
I keep getting these messages in my kernel log:
------------------------------------------------------------------------
Apr 13 20:00:41 server kernel: ip_conntrack: table full, dropping packet.
Apr 15 14:23:29 server kernel: ip_conntrack: table full, dropping packet.
Apr 15 20:19:04 server last message repeated 2 times
Apr 16 13:53:58 server kernel: ip_conntrack: table full, dropping packet.
Apr 17 19:05:32 server last message repeated 3 times
Apr 17 21:20:43 server kernel: ip_conntrack: table full, dropping packet.
------------------------------------------------------------------------
Is there a way to completely disable ip_conntrack?
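An added diagnostic (not part of the original post) for checking whether the raw-table NOTRACK rule for port 80 is actually taking effect: it counts conntrack entries whose original-direction destination port is 80 and reports how full the table is. It assumes the /proc/net/ip_conntrack line format (nf_conntrack, which adds an "ipv4 2" prefix, is handled the same way) and that the table limit lives in /proc/sys/net/ipv4/ip_conntrack_max; the sample table below is constructed, not real data.

```shell
#!/bin/sh
# Verify a NOTRACK rule by inspecting the conntrack table: if port-80 flows
# are still present after "-A PREROUTING -p tcp --dport 80 -j NOTRACK" is
# loaded in the raw table, the rule is not matching that traffic.

# Constructed sample in /proc/net/ip_conntrack format (hypothetical addresses).
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=51234 dport=80 packets=5 bytes=400 src=192.0.2.10 dst=10.0.0.5 sport=80 dport=51234 packets=4 bytes=3000 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=10.0.0.6 dst=192.0.2.10 sport=40000 dport=80 src=192.0.2.10 dst=10.0.0.6 sport=80 dport=40000 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.0.7 dst=192.0.2.10 sport=52000 dport=12345 src=192.0.2.10 dst=10.0.0.7 sport=12345 dport=52000 [ASSURED] use=1
udp      17 29 src=192.0.2.10 dst=192.0.2.53 sport=33000 dport=53 src=192.0.2.53 dst=192.0.2.10 sport=53 dport=33000 use=1'

# count_tracked_port FILE PORT: entries whose original-direction dport is PORT.
# The first "dport=" field on a line is the original tuple; the reply tuple's
# dport comes later on the same line and is ignored.
count_tracked_port() {
    awk -v port="$2" '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^dport=/) { if (substr($i, 7) == port) n++; break } }
        END { print n + 0 }' "$1"
}

# table_fill_percent FILE MAX: number of entries as a percentage of MAX,
# where MAX is the value of /proc/sys/net/ipv4/ip_conntrack_max on the box.
table_fill_percent() {
    awk -v max="$2" 'END { printf "%d\n", (NR * 100) / max }' "$1"
}

# Live use on the server:
#   count_tracked_port /proc/net/ip_conntrack 80
#   table_fill_percent /proc/net/ip_conntrack \
#       "$(cat /proc/sys/net/ipv4/ip_conntrack_max)"
# A non-zero port-80 count after loading the raw NOTRACK rule means the rule
# is not matching (e.g. the raw table was not loaded, or the traffic arrives on
# a port or path the rule does not cover).

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONNTRACK" > "$tmp"
    echo "port-80 entries still tracked: $(count_tracked_port "$tmp" 80)"
    echo "table fill (assuming max 65536): $(table_fill_percent "$tmp" 65536)%"
    rm -f "$tmp"
fi
```

Run it with the `demo` argument to exercise the constructed sample; against the live table, a persistent stream of new port-80 entries is the sign that NOTRACK is not in effect.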




