Workaround:
1. Increase the ip_conntrack table size
# /etc/sysctl.conf
CentOS 5.x:
modprobe ip_conntrack
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=10800
sysctl -w net.ipv4.netfilter.ip_conntrack_max=655350
CentOS 6.x:
modprobe nf_conntrack_ipv4
sysctl -w net.netfilter.nf_conntrack_max=655350
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=1800
# sysctl -p    (make the settings take effect)
When the rules are re-applied, the modules that have already been loaded are cleared, so sysctl -p must be run again every time iptables restarts; otherwise the risk of ip_conntrack filling up remains as a hidden danger.
2. Do not load the ip_conntrack/nf_conntrack module
Modify the /etc/sysconfig/iptables-config configuration file:
# vim /etc/sysconfig/iptables-config
IPTABLES_MODULES=""
Do not configure state-matching rules in /etc/sysconfig/iptables, such as:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
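A check for workaround 1, as an added example that is not part of the original post: it reports how full the conntrack table is and flags a live maximum that no longer matches /etc/sysctl.conf, which is the state the host is left in when iptables restarts and sysctl -p is not re-run. The function name conntrack_status, its arguments and the 80% warning threshold are assumptions made for this example.

```shell
#!/bin/sh
# Added example: conntrack table usage and drift check (not the blog's own code).
# conntrack_status [proc_sys_dir] [sysctl_conf] [warn_percent]
# Prints one status line. Returns 0 = ok or module not loaded,
# 1 = usage at or above warn_percent, 2 = live max differs from sysctl.conf.
conntrack_status() {
    proc=${1:-/proc/sys} conf=${2:-/etc/sysctl.conf} warn=${3:-80}
    # Try the CentOS 6.x key names first, then the CentOS 5.x ones.
    for key in net/netfilter/nf_conntrack net/ipv4/netfilter/ip_conntrack; do
        [ -r "$proc/${key}_max" ] && break
        key=
    done
    if [ -z "$key" ]; then
        echo "conntrack not loaded"
        return 0
    fi
    max=$(cat "$proc/${key}_max")
    count=$(cat "$proc/${key}_count")
    name=$(echo "${key}_max" | tr / .)
    # Value requested in sysctl.conf; the last uncommented entry wins.
    want=$(sed -n "s/^[[:space:]]*$name[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" \
        "$conf" 2>/dev/null | tail -n 1)
    pct=$((count * 100 / max))
    if [ -n "$want" ] && [ "$want" != "$max" ]; then
        # The module was reloaded with its default: sysctl -p is needed again.
        echo "DRIFT $name live=$max configured=$want usage=${pct}%"
        return 2
    fi
    if [ "$pct" -ge "$warn" ]; then
        echo "HIGH $name count=$count max=$max usage=${pct}%"
        return 1
    fi
    echo "OK $name count=$count max=$max usage=${pct}%"
}
```

Calling conntrack_status with no arguments reads the live values under /proc/sys; running it from cron and after each iptables restart catches both conditions before the kernel starts dropping packets.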
This article is from the "Linuxdream" blog, make sure to keep this source http://books.blog.51cto.com/2600359/1678841
kernel: ip_conntrack: table full, dropping packet.