Phenomenon: Access to the site suddenly became very slow, while the server's CPU, memory and disk usage were all normal.
Analysis process and solution: Checking /var/log/messages showed records like "Ip_conntrack table full dropping packet". The kernel uses the ip_conntrack module to record the state of each packet handled by iptables and stores it in a table kept in memory. When the network is busy (many connections, high concurrency), the free space in this table is gradually used up. Normally the table is very large, does not fill up easily and cleans itself: a record stays in the table, occupying space, until the source IP sends a RST packet. But if there is an attack, a wrong network configuration, a routing/router problem, a network card problem and so on, that RST packet from the source IP is never received, so entries accumulate in the table until it is full. Once the table is full, iptables drops packets and clients outside can no longer connect to the server.
Solution: When iptables starts, it logs the current values of buckets and conntrack_max and how much memory each tracked connection consumes:
This means that 304MB of memory will support 1,048,576 tracked connection records, so you need to configure an appropriate value according to the size of the server's memory.
Permanently modify ip_conntrack_max and hashsize
1) Increase ip_conntrack_max (set it to 2^20; the default is 2^16 = 65536)
# vi /etc/sysctl.conf
net.ipv4.ip_conntrack_max = 1048576
2) Increase hashsize (on the i386 architecture, hashsize = conntrack_max/8)
# vi /etc/modprobe.conf
options ip_conntrack hashsize=131072
Then restart the iptables service; in /var/log/messages you can see that the new parameters have taken effect:
# service iptables restart
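The following check script is an added example, not part of the original note: it counts the "table full, dropping packet" symptom in a log, applies the note's hashsize = conntrack_max/8 rule and its 304MB-per-1,048,576-entries memory figure, and reads the live table count and max. It assumes the sysctl paths follow the note (ip_conntrack_* on older kernels, with nf_conntrack_* under /proc/sys/net/netfilter tried as a fallback) and uses a constructed sample log.

```sh
#!/bin/sh
# Added example, not from the original note. Assumed paths: legacy ip_conntrack_*
# sysctls as in the note; nf_conntrack_* on newer kernels is tried as a fallback.

# Percentage of the conntrack table in use, from a current count and the configured max.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# hashsize the note recommends on i386: conntrack_max / 8.
recommended_hashsize() {
    echo $(( $1 / 8 ))
}

# Approximate memory in MB for a table of N entries, scaled from the note's figure
# (304 MB for 1,048,576 entries, i.e. about 304 bytes per tracked connection).
conntrack_mem_mb() {
    echo $(( $1 * 304 / 1048576 ))
}

# Number of "table full, dropping packet" events in a log file (the note's symptom).
table_full_events() {
    grep -ci "table full.*dropping packet" "$1" || true
}

# Live value of a conntrack sysctl ("count" or "max"), legacy path first.
live_conntrack_value() {
    for f in /proc/sys/net/ipv4/netfilter/ip_conntrack_$1 \
             /proc/sys/net/netfilter/nf_conntrack_$1; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    return 1
}

# Constructed sample log for a stand-alone run (not output from the note's server).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  1 10:00:01 web1 kernel: ip_conntrack: table full, dropping packet.
Mar  1 10:00:01 web1 kernel: ip_conntrack: table full, dropping packet.
Mar  1 10:00:02 web1 sshd[1234]: Accepted publickey for admin from 10.0.0.5
Mar  1 10:00:03 web1 kernel: ip_conntrack: table full, dropping packet.
EOF
echo "table-full events in sample log: $(table_full_events "$SAMPLE_LOG")"
echo "recommended hashsize for 1048576: $(recommended_hashsize 1048576)"
echo "estimated memory for 1048576 entries: $(conntrack_mem_mb 1048576) MB"
count=$(live_conntrack_value count 2>/dev/null) && max=$(live_conntrack_value max 2>/dev/null) \
    && echo "live table usage: $count/$max ($(conntrack_usage_pct "$count" "$max")%)"
rm -f "$SAMPLE_LOG"
```

Run it as root on the affected server; a usage figure near 100% together with table-full events in the log confirms the condition described above before you raise the limits.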