I recently received an alert from an iptables server: "nf_conntrack: table full, dropping packet". After analyzing the logs, the problem was finally solved. Sharing it with you here.
Problem analysis:
ip_conntrack (nf_conntrack on current kernels) is the Linux netfilter connection tracking module; it records every connection passing through the host so that stateful iptables rules and NAT can work. The entries are kept in a hash table (not only TCP: UDP and ICMP flows are tracked as well), and each entry stays until its protocol timeout expires. When the number of entries reaches nf_conntrack_max, the kernel cannot add a new one, logs "nf_conntrack: table full, dropping packet" and drops the packet. Because the physical machine runs many virtual machines whose traffic is bridged through it, every VM connection is also tracked on the host, so the table fills up very easily.
Solution:
There are two ways to deal with it.
1. Enlarge the conntrack hash table in /etc/modprobe.d/nf_conntrack.conf, or disable the iptables service altogether:
more /etc/modprobe.d/nf_conntrack.conf
[screenshot blog1.png: contents of /etc/modprobe.d/nf_conntrack.conf]
Add the line "options nf_conntrack hashsize=131072" to set the number of hash buckets the module allocates when it is loaded (the kernel derives the default nf_conntrack_max from hashsize, so a larger hash table also raises the default entry limit; the value in effect can be read from /sys/module/nf_conntrack/parameters/hashsize). The option only takes effect when the module is loaded, so it needs a module reload or a reboot.
If the host does not need a packet filter at all, the simplest fix is to stop tracking connections by turning the firewall off:
service iptables stop
chkconfig iptables off
Note that this removes the host firewall entirely. On CentOS 6 the init script also unloads the netfilter modules when it stops (IPTABLES_MODULES_UNLOAD in /etc/sysconfig/iptables-config), which is what makes the table-full errors disappear.
2. Raise the conntrack limits in /etc/sysctl.conf:
net.netfilter.nf_conntrack_max = 655350 # maximum number of tracked connections; each entry costs a few hundred bytes of kernel memory, so 655350 entries need roughly 200 MB
net.netfilter.nf_conntrack_tcp_timeout_established = 300 # keep an idle established TCP connection for 300 seconds (5 minutes) instead of the default 432000 seconds (5 days)
sysctl -p
Two caveats. First, 300 is seconds, not hours: an established connection idle for more than 5 minutes is removed from the table, and its next packet arrives mid-stream with no entry. Whether it is accepted again depends on net.netfilter.nf_conntrack_tcp_loose (1 by default, which re-creates the entry) and on any rule that drops INVALID packets, so long-lived idle sessions such as SSH or database connections can break if the timeout is set below their keepalive interval. Second, the net.netfilter.nf_conntrack_* sysctls only exist while the nf_conntrack module is loaded; if sysctl -p runs at boot before the module is loaded it reports "No such file or directory" and the values are not applied.
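Before applying either method it helps to see how full the table actually is. The following is an added example, not code from the original post or its author: a small POSIX shell script that reads nf_conntrack_count, nf_conntrack_max, nf_conntrack_buckets and the established timeout from the sysctl directory, estimates the memory the configured limit implies, and counts "table full" drops in kernel log text. The sysctl directory is a parameter so the logic can be run on constructed values, the sample log lines are constructed, and the per-entry memory figure is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: inspect the conntrack table
# before tuning it. It reads the same sysctl files the post edits, from a
# directory passed as a parameter so the logic can also be run on constructed
# values on a machine where /proc/sys/net/netfilter is absent.

# Print a sysctl file's value, or a default when the file is not readable.
read_sysctl() {   # $1 = directory, $2 = sysctl name, $3 = default
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo "$3"; fi
}

# Integer percentage of the conntrack table currently in use.
conntrack_usage_pct() {   # $1 = nf_conntrack_count, $2 = nf_conntrack_max
    [ "$2" -gt 0 ] || { echo 0; return; }
    echo $(( $1 * 100 / $2 ))
}

# Rough kernel memory (MB) for a table of $1 entries and $2 hash buckets.
# Assumption: about 300 bytes per entry and 8 bytes per bucket on x86-64;
# the real sizes depend on kernel version and enabled extensions.
conntrack_mem_mb() {   # $1 = nf_conntrack_max, $2 = hash buckets
    echo $(( ($1 * 300 + $2 * 8) / 1024 / 1024 ))
}

# Count "table full" drops in kernel log text read from stdin
# (e.g. dmesg | count_table_full). grep -c exits 1 when the count is 0.
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Report usage and return 1 when the table is close to full.
check_conntrack() {   # $1 = sysctl directory, e.g. /proc/sys/net/netfilter
    dir=$1
    count=$(read_sysctl "$dir" nf_conntrack_count 0)
    max=$(read_sysctl "$dir" nf_conntrack_max 0)
    buckets=$(read_sysctl "$dir" nf_conntrack_buckets 0)
    est=$(read_sysctl "$dir" nf_conntrack_tcp_timeout_established 0)
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "conntrack: $count/$max entries (${pct}% used), $buckets buckets," \
         "tcp established timeout ${est}s, ~$(conntrack_mem_mb "$max" "$buckets") MB at the limit"
    if [ "$pct" -ge 80 ]; then
        echo "WARNING: table nearly full: raise nf_conntrack_max/hashsize or lower the timeouts"
        return 1
    fi
    return 0
}

# Constructed sample kernel log lines (not real output from the post's server).
SAMPLE_LOG='Jul  1 10:00:01 host kernel: nf_conntrack: table full, dropping packet.
Jul  1 10:00:01 host kernel: nf_conntrack: table full, dropping packet.
Jul  1 10:00:05 host kernel: eth0: link up'

# Stand-alone run: live values when present, otherwise the defaults above.
check_conntrack /proc/sys/net/netfilter || true
echo "table-full drops in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_table_full)"
```

Run it as root on the affected host to get the live numbers; a usage figure that sits near 80% or above while the "table full" count keeps climbing in dmesg confirms that the limit, not a rule problem, is what is dropping packets. The memory estimate is what to check against free RAM before raising nf_conntrack_max as in method 2.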
3. Summary
If conditions allow, hand the firewall over to an upstream hardware device instead of tuning the system firewall. If you do not need connection tracking, add simple NOTRACK rules in the raw table so that high-volume flows bypass the table; note that packets marked NOTRACK never match stateful ESTABLISHED/RELATED rules and cannot be NATed, so the filter rules must accept them explicitly. If conditions permit, remove the host firewall altogether.
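The NOTRACK approach mentioned above, as an added example that is not part of the original post: a shell script that generates raw-table NOTRACK rules for a set of TCP ports (80 and 443 are assumed example ports, not from the post) together with the explicit ACCEPT rule that untracked packets need, since they never match the ESTABLISHED state. The rules are produced by a function so they can be reviewed before they are applied.

```shell
#!/bin/sh
# Added example, not code from the original post: bypass connection tracking
# for a high-volume TCP service so its flows never consume conntrack entries.
# Ports are given on the command line; the values used below are assumed.
IPTABLES=${IPTABLES:-iptables}

# Emit the raw-table NOTRACK rules for each TCP port, in both directions:
# inbound packets to the port and the outbound replies from it. Because an
# untracked packet has conntrack state UNTRACKED (never ESTABLISHED), the
# filter table must accept it explicitly or a stateful ruleset drops it.
notrack_rules() {   # $1... = tcp ports
    for port in "$@"; do
        echo "$IPTABLES -t raw -A PREROUTING -p tcp --dport $port -j NOTRACK"
        echo "$IPTABLES -t raw -A OUTPUT     -p tcp --sport $port -j NOTRACK"
        echo "$IPTABLES -A INPUT -p tcp --dport $port -m conntrack --ctstate UNTRACKED -j ACCEPT"
    done
}

# Apply the generated rules (needs root and iptables; stops at the first error).
apply_notrack() { notrack_rules "$@" | sh -e; }

# Usage: sh notrack.sh 80 443    prints the rules for review
#        APPLY=1 sh notrack.sh 80 443    applies them
if [ $# -gt 0 ]; then
    if [ "${APPLY:-0}" = 1 ]; then apply_notrack "$@"; else notrack_rules "$@"; fi
fi
```

The raw table is consulted before conntrack runs, which is why NOTRACK has to live there rather than in filter or nat. Keep the UNTRACKED accept rule next to the NOTRACK rules: forgetting it is the usual failure mode, because the service keeps working until the first rule that drops everything not ESTABLISHED is added to INPUT.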
This article is from the "System O & M" blog, please be sure to keep this source http://davidbj.blog.51cto.com/4159484/1431961