[CentOS] ip_conntrack: table full, dropping packet.

Sat Apr 19 03:05:45 UTC 2008
Stephen John Smoogen <smooge at gmail.com>

On Fri, Apr 18, 2008 at 10:23 AM, Masry Alex <masryalex at gmail.com> wrote:
>
>  I was trying to do what the article at
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.performance.html#conntrack_filling_tables
> suggested
>  My iptables rules are
>  ________________________________
> #that's what the mentioned article suggested..I'm not sure it's working!
>  *raw
>  -A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK
>  COMMIT
>  *filter
>  -A INPUT -i lo -j ACCEPT
>  -A INPUT -p icmp --icmp-type any -j ACCEPT
>  #no tracking needed for this
>  -A INPUT -p tcp --dport 80 -j ACCEPT
>  #that would be another question but I can't get rid of this while using ssh tunneling
>  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>  #ssh port
>  -A INPUT -p tcp --dport 12345 -j ACCEPT
>  #my ip
>  -A INPUT -s 123.123.123.123 -j ACCEPT
>  -A INPUT -j DROP
>  -A FORWARD -j DROP
>  COMMIT
>  ________________________________
> I keep getting these messages on my kernel log
>  ________________________________
> Apr 13 20:00:41 server kernel: ip_conntrack: table full, dropping packet.
>  Apr 15 14:23:29 server kernel: ip_conntrack: table full, dropping packet.
>  Apr 15 20:19:04 server last message repeated 2 times
>  Apr 16 13:53:58 server kernel: ip_conntrack: table full, dropping packet.
>  Apr 17 19:05:32 server last message repeated 3 times
>  Apr 17 21:20:43 server kernel: ip_conntrack: table full, dropping packet.
>  ________________________________
> Is there a way to completely disable ip_conntrack?

The first question is why is your box running out of connections? A
machine with 512MB can have 32768 connections in the table. If you
have more than that, you are probably getting DoS'd or something
else. What state are the connections in? Does having SYN cookies help?

It used to be that the only way to do that is to remove all
NEW,RELATED,ESTABLISHED, etc. lines in your firewall and then make sure
that the conntrack and state modules didn't get loaded. I am not
familiar with the PREROUTING rule you have so I can't say if it's going
to help or not. It's usually easier to make the ip_conntrack table
bigger or figure out why the system is getting DoSed.

http://www.wallfire.org/misc/netfilter_conntrack_perf.txt

##
## With tracking (-m state rules; ip_conntrack loads, so size the table for the load)
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 12345 -j ACCEPT
-A INPUT -m state --state NEW -s 123.123.123.123 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT

##
## No tracking
## No -m state rules, so the conntrack/state modules are not needed.
## Note: with no ESTABLISHED rule, replies to connections this box opens
## itself (outbound DNS, updates, etc.) hit the final DROP below.
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 12345 -j ACCEPT
-A INPUT -s 123.123.123.123 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT

##
## /etc/sysctl.conf
##
net.ipv4.netfilter.ip_conntrack_max=32768    # 512 MB
net.ipv4.netfilter.ip_conntrack_buckets=4096 # 512 MB
# sysctl.conf keys carry no "sys." prefix; that is only the /proc/sys path.
# If the buckets key is not present on your kernel, the hash size is the
# ip_conntrack module's hashsize parameter (options ip_conntrack hashsize=4096).

##
##
-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
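As an added example (not from this thread), a small Python parser for /proc/net/ip_conntrack that answers the "what state are the connections in?" question above: it counts entries per TCP state, flags [UNREPLIED] half-open entries and the sources producing them, and reports table usage against ip_conntrack_max. The sample lines, the addresses in them and the 2.6-era line layout are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of /proc/net/ip_conntrack lines (2.6-era format):
# proto, proto number, timeout, TCP state, original tuple, optional
# [UNREPLIED], reply tuple, optional [ASSURED].
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.1.1.5 dst=192.0.2.10 sport=51234 dport=22 src=192.0.2.10 dst=10.1.1.5 sport=22 dport=51234 [ASSURED] use=1
tcp      6 58 SYN_RECV src=198.51.100.7 dst=192.0.2.10 sport=4001 dport=80 [UNREPLIED] src=192.0.2.10 dst=198.51.100.7 sport=80 dport=4001 use=1
tcp      6 57 SYN_RECV src=198.51.100.7 dst=192.0.2.10 sport=4002 dport=80 [UNREPLIED] src=192.0.2.10 dst=198.51.100.7 sport=80 dport=4002 use=1
tcp      6 59 SYN_RECV src=198.51.100.7 dst=192.0.2.10 sport=4003 dport=80 [UNREPLIED] src=192.0.2.10 dst=198.51.100.7 sport=80 dport=4003 use=1
udp      17 29 src=10.1.1.5 dst=192.0.2.53 sport=40000 dport=53 src=192.0.2.53 dst=10.1.1.5 sport=53 dport=40000 use=1
tcp      6 118 TIME_WAIT src=203.0.113.9 dst=192.0.2.10 sport=6000 dport=80 src=192.0.2.10 dst=203.0.113.9 sport=80 dport=6000 [ASSURED] use=1
"""

LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)(?:\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+))?"
    r"(?P<rest>.*)$"
)

def parse_conntrack(text):
    """Parse ip_conntrack lines into dicts; udp/icmp entries get state 'NONE'."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a conntrack entry
        e = m.groupdict()
        e["state"] = e["state"] or "NONE"            # only TCP carries a state
        e["timeout"] = int(e["timeout"])
        e["unreplied"] = "[UNREPLIED]" in e["rest"]  # half-open: no reply seen yet
        e["assured"] = "[ASSURED]" in e["rest"]      # two-way traffic seen
        entries.append(e)
    return entries

def summarize(entries, conntrack_max):
    """Table usage, per-state counts, and which sources hold half-open entries."""
    states = Counter(e["state"] for e in entries)
    unreplied_src = Counter(e["src"] for e in entries if e["unreplied"])
    return {
        "total": len(entries),
        "usage_pct": round(100.0 * len(entries) / conntrack_max, 2),
        "states": dict(states),
        "unreplied": sum(unreplied_src.values()),
        "top_unreplied_src": unreplied_src.most_common(3),
    }

if __name__ == "__main__":
    print(summarize(parse_conntrack(SAMPLE), 32768))
```

Point it at the live table with `parse_conntrack(open("/proc/net/ip_conntrack").read())` (or /proc/net/nf_conntrack on later kernels) and compare the total against the ip_conntrack_max sysctl; a large SYN_RECV/[UNREPLIED] share from few sources is the DoS pattern, many [ASSURED] entries is real load that needs a bigger table.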