[CentOS] iptables starts blocking outbound http traffic

Neil Aggarwal neil at JAMMConsulting.com
Tue Nov 11 17:23:19 UTC 2008


Filipe:

I changed the firewall rules on the server that had stopped
responding to not use ESTABLISHED.

Now, one of the servers that was still using ESTABLISHED
stopped responding.

I am seeing logs like this in the syslog:

OUTPUT IN= OUT=eth0 SRC=[myIP] DST=[otherIP] LEN=52 TOS=0x00 PREC=0x00
TTL=64 ID=35076 DF PROTO=TCP SPT=80 DPT=36953 WINDOW=54 RES=0x00 ACK PSH FIN
URGP=0

I did:
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
and it gave me: 615

That seems like the conntrack is not overflowing, but the firewall
was blocking the outbound traffic.

I updated all my servers to not use ESTABLISHED, but I am still
baffled on how this could occur.  

Any other ideas?

Thanks,
	Neil

--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.  

> You are right that your conntrack table size is high enough and this
> should not be happening. It might be an attack, a synflood or
> something, that is causing this problem to happen. In that case, the
> semi-opened connections will be kept on the table, but as the other
> side will not complete the handshake, they will only be removed from
> the table after a timeout. I also think that when you stop Apache,
> there will be no process listening on port 80 anymore, and then
> conntrack may get rid of those semi-opened connections since the other
> side is not listening anymore. A lot of especulation here, but it
> might be what is affecting you.
> 
> In any case, next time you have this same problem, considering looking
> at the counters to see if _count is reaching _max, that would confirm
> the hypothesis.



More information about the CentOS mailing list