Sunday, August 26, 2012

How to control the iptables "ip_conntrack: table full, dropping packet" error

    If a Linux server handles a lot of connections, you will run into a problem with the ip_conntrack iptables module. By default, connection tracking handles only up to a certain number of simultaneous connections; once that limit is reached, new packets are dropped with the "ip_conntrack: table full, dropping packet" message. The default limit depends on your system's installed memory.

To view the current limit:

# sysctl net.ipv4.netfilter.ip_conntrack_max
   8192
or
# cat /proc/sys/net/ipv4/ip_conntrack_max
   8192

To increase the limit:

  Generally, ip_conntrack_max is set to the total RAM in MB multiplied by 16. If you have 2GB of RAM, then ip_conntrack_max would be 32768:
# sysctl -w net.ipv4.netfilter.ip_conntrack_max=32768

Or, to make the change persistent across reboots, add the following line to /etc/sysctl.conf:

net.ipv4.netfilter.ip_conntrack_max=32768

To view the current number of tracked sessions:

# wc -l /proc/net/ip_conntrack

  2520 /proc/net/ip_conntrack
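The steps above boil down to two numbers: the rule-of-thumb maximum (RAM in MB times 16) and how close the current entry count is to ip_conntrack_max. The script below is an added example, not from the original post, that wraps those two checks in shell functions so they can be run from cron or a monitoring agent. It assumes the legacy /proc paths shown in the post; on newer kernels the same values live at /proc/sys/net/netfilter/nf_conntrack_max and /proc/net/nf_conntrack, and the 80% warning threshold is an assumption chosen here, not a value from the post. When the /proc files are not readable (for instance on a non-Linux host) it falls back to constructed sample values taken from the numbers in the post.

```shell
#!/bin/sh
# Added example (not the original post's code): size and monitor the
# ip_conntrack table. Rule of thumb (RAM MB * 16) is from the post; the
# 80% warning threshold is an assumption.

# recommended_conntrack_max <ram_mb>: RAM in MB multiplied by 16.
recommended_conntrack_max() {
    echo $(( $1 * 16 ))
}

# conntrack_usage_pct <current_entries> <max_entries>: integer percent used.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# conntrack_status <current_entries> <max_entries>:
# prints OK or WARN, returns 1 when usage is at or above the threshold
# so the table can be grown (or the offending traffic found) before
# the kernel starts dropping packets.
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2")
    if [ "$pct" -ge 80 ]; then
        echo "WARN: conntrack table ${pct}% full ($1/$2)"
        return 1
    fi
    echo "OK: conntrack table ${pct}% full ($1/$2)"
    return 0
}

# live_or_sample_check: read the real counters when the legacy files from
# the post are present, otherwise use constructed sample values
# (2520 entries of a maximum of 8192, the figures shown in the post).
live_or_sample_check() {
    if [ -r /proc/net/ip_conntrack ] && [ -r /proc/sys/net/ipv4/ip_conntrack_max ]; then
        cur=$(wc -l < /proc/net/ip_conntrack)
        max=$(cat /proc/sys/net/ipv4/ip_conntrack_max)
    else
        cur=2520
        max=8192
    fi
    conntrack_status "$cur" "$max"
}

# Usage: run the check and show the recommended limit for a 2GB host.
live_or_sample_check
echo "Recommended ip_conntrack_max for 2048 MB RAM: $(recommended_conntrack_max 2048)"
```

A non-zero exit from conntrack_status is the signal to act: raising ip_conntrack_max with sysctl as shown above buys headroom, but a table that keeps filling up is worth inspecting in /proc/net/ip_conntrack, since a flood of short-lived or half-open connections from a few sources will exhaust any limit.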
