[CentOS] iptables starts blocking outbound http traffic
Neil Aggarwal
neil at JAMMConsulting.com
Tue Nov 11 17:23:19 UTC 2008
Filipe:
I changed the firewall rules on the server that had stopped
responding to not use ESTABLISHED.
Now, one of the servers that was still using ESTABLISHED
stopped responding.
I am seeing logs like this in the syslog:
OUTPUT IN= OUT=eth0 SRC=[myIP] DST=[otherIP] LEN=52 TOS=0x00 PREC=0x00
TTL=64 ID=35076 DF PROTO=TCP SPT=80 DPT=36953 WINDOW=54 RES=0x00 ACK PSH FIN
URGP=0
I did:
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
and it gave me: 615
That seems like the conntrack is not overflowing, but the firewall
was blocking the outbound traffic.
I updated all my servers to not use ESTABLISHED, but I am still
baffled on how this could occur.
Any other ideas?
Thanks,
Neil
--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.
> You are right that your conntrack table size is high enough and this
> should not be happening. It might be an attack, a synflood or
> something, that is causing this problem to happen. In that case, the
> semi-opened connections will be kept on the table, but as the other
> side will not complete the handshake, they will only be removed from
> the table after a timeout. I also think that when you stop Apache,
> there will be no process listening on port 80 anymore, and then
> conntrack may get rid of those semi-opened connections since the other
> side is not listening anymore. A lot of especulation here, but it
> might be what is affecting you.
>
> In any case, next time you have this same problem, considering looking
> at the counters to see if _count is reaching _max, that would confirm
> the hypothesis.
More information about the CentOS
mailing list