On Fri, Apr 18, 2008 at 10:23 AM, Masry Alex <masryalex at gmail.com> wrote: > > I was trying to do what the article at > http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.performance.html#conntrack_filling_tables > suggested > My iptables rules are > ________________________________ > #that's what the mentioned article suggested..I'm not sure it's working! > *raw > -A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK > COMMIT > *filter > -A INPUT -i lo -j ACCEPT > -A INPUT -p icmp --icmp-type any -j ACCEPT > #no tracking needed for this > -A INPUT -p tcp --dport 80 -j ACCEPT > #that would be another question but I can't get rid of this while using ssh > tunneling > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > #ssh port > -A INPUT -p tcp --dport 12345 -j ACCEPT > #my ip > -A INPUT -s 123.123.123.123 -j ACCEPT > -A INPUT -j DROP > -A FORWARD -j DROP > COMMIT > ________________________________ > I keep getting these messages on my kernel log > ________________________________ > Apr 13 20:00:41 server kernel: ip_conntrack: table full, dropping packet. > Apr 15 14:23:29 server kernel: ip_conntrack: table full, dropping packet. > Apr 15 20:19:04 server last message repeated 2 times > Apr 16 13:53:58 server kernel: ip_conntrack: table full, dropping packet. > Apr 17 19:05:32 server last message repeated 3 times > Apr 17 21:20:43 server kernel: ip_conntrack: table full, dropping packet. > ________________________________ > is there a way to completely disable ip_conntrack ? The first question is why is your box running out of connections? A machine with 512MB can have 32768 connections in the table. If you have more than that.. you are probably getting DOS'd or something else. What state are the connections in? Does having SYN cookies help It used to be that the only way to do that is to remove all NEW,RELATED,ESTABLISHED, etc lines in your firewall and then make sure that the conntrack and state modules didn't get loaded. I am not familiar with the preroute rule you have so I can't say if its going to help or not. Its usually easier to make the ip_conntrack table bigger or figure out why the system is getting dossed. http://www.wallfire.org/misc/netfilter_conntrack_perf.txt #that's what the mentioned article suggested..I'm not sure it's working! *filter -A INPUT -i lo -j ACCEPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -m state --state NEW -p icmp --icmp-type any -j ACCEPT -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT -A INPUT -m state --state NEW -p tcp --dport 12345 -j ACCEPT -A INPUT -m state --state NEW -s 123.123.123.123 -j ACCEPT -A INPUT -j DROP -A FORWARD -j DROP COMMIT ## ## No tracking #that's what the mentioned article suggested..I'm not sure it's working! *filter -A INPUT -i lo -j ACCEPT -A INPUT -p icmp --icmp-type any -j ACCEPT -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 12345 -j ACCEPT -A INPUT -s 123.123.123.123 -j ACCEPT -A INPUT -j DROP -A FORWARD -j DROP COMMIT ## ## /etc/sysctl.conf ## sys.net.ipv4.netfilter.ip_conntrack_max=32768 # 512 MB sys.net.ipv4.netfilter.ip_conntrack_buckets=4096 # 512 MB ## ## -- Stephen J Smoogen. -- CSIRT/Linux System Administrator How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"