Nf_conntrack: table full, dropping packet. Final

Source: Internet
Author: User


"The connection tracking table is full and packets are being dropped"! Anyone who uses iptables has probably seen this error message, and it plagued me for a long time. There are four ways to solve the problem (nf_conntrack is called ip_conntrack on CentOS 5 / kernel <= 2.6.19):

1. Disable the firewall. Simple, crude, and effective:

chkconfig iptables off
chkconfig ip6tables off
service iptables stop
service ip6tables stop

Remember: do not run iptables commands (for example, iptables -nL) to view the status while the firewall is disabled! Doing so starts the firewall with an empty rule set. Nothing is filtered, but every connection state is still recorded, which wastes resources, hurts performance, and can again cause the firewall to drop packets.

2. Increase the firewall tracking table size and optimize the corresponding system parameters

1. Set the maximum number of entries in the state tracking table. The theoretical maximum is CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 / (ARCH / 32).

Taking a 64-bit system with 64 GB of RAM as an example: CONNTRACK_MAX = 64*1024*1024*1024/16384/2 = 2097152

To take effect immediately, execute:

sysctl -w net.netfilter.nf_conntrack_max=2097152

2. The hash table size is usually 1/8 of the total table size, and at most 1/2: CONNTRACK_BUCKETS = CONNTRACK_MAX/8

For the same 64-bit system with 64 GB of RAM, the sensible hash size range is 262144 ~ 1048576.

Run sysctl net.netfilter.nf_conntrack_buckets to check the running value, and set it through the file /sys/module/nf_conntrack/parameters/hashsize.

Or create /etc/modprobe.d/iptables.conf and reload the module:

options nf_conntrack hashsize=262144

3. Some related system parameters (see sysctl -a | grep nf_conntrack) can be tuned in /etc/sysctl.conf:

net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
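The sizing formulas above, plus the check that tells you how close the live table is to the "table full" condition, as an added shell example (not part of the original article; the helper names are this example's own, and it assumes a Linux host where /proc/sys/net/netfilter exists when nf_conntrack is loaded):

```shell
#!/bin/sh
# Added example: derive CONNTRACK_MAX / CONNTRACK_BUCKETS from the article's formulas
# and report how full the live conntrack table is. Helper names are this example's own.

# CONNTRACK_MAX = RAMSIZE (bytes) / 16384 / (ARCH / 32)
conntrack_max_for() {
    ram_bytes=$1
    arch_bits=$2
    echo $(( ram_bytes / 16384 / (arch_bits / 32) ))
}

# CONNTRACK_BUCKETS = CONNTRACK_MAX / 8 (the lower end of the recommended range)
conntrack_buckets_for() {
    echo $(( $1 / 8 ))
}

# Integer percentage of the table in use, given current entry count and maximum
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Classify utilisation: ok below 70%, warn from 70%, critical from 90%.
# At 100% the kernel starts logging "nf_conntrack: table full, dropping packet".
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2")
    if [ "$pct" -ge 90 ]; then echo critical
    elif [ "$pct" -ge 70 ]; then echo warn
    else echo ok
    fi
}

# Live check; does nothing on hosts where nf_conntrack is not loaded.
conntrack_check_live() {
    sysdir=/proc/sys/net/netfilter
    [ -r "$sysdir/nf_conntrack_count" ] || { echo "nf_conntrack not loaded"; return 0; }
    count=$(cat "$sysdir/nf_conntrack_count")
    max=$(cat "$sysdir/nf_conntrack_max")
    ram=$(awk '/MemTotal/ {print $2 * 1024}' /proc/meminfo)
    arch=$(getconf LONG_BIT)
    suggested=$(conntrack_max_for "$ram" "$arch")
    echo "count=$count max=$max usage=$(conntrack_usage_pct "$count" "$max")% status=$(conntrack_status "$count" "$max")"
    echo "formula suggests max=$suggested buckets=$(conntrack_buckets_for "$suggested")"
}

conntrack_check_live
```

Run it from cron or a monitoring agent and alert on "warn" so the table can be enlarged or NOTRACK rules added before packets are dropped.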

3. Use the raw table to mark connections as "do not track". The following example suits desktop systems or ordinary servers: it keeps the connection state mechanism for outbound communication but exempts the busy services. Modify the /etc/sysconfig/iptables file:

*raw
# Disable tracking for TCP connections, to solve the connection failures caused by a full ip_conntrack table
-A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK
-A PREROUTING -p tcp -m tcp --dport 22 -j NOTRACK
-A PREROUTING -p tcp -m tcp --dport 21 -j NOTRACK
-A PREROUTING -p tcp -m tcp --dport 11211 -j NOTRACK
-A PREROUTING -p tcp -m tcp --dport 60000:60100 -j NOTRACK
-A PREROUTING -p tcp -s 192.168.10.1 -j NOTRACK
-A OUTPUT -p tcp -m tcp --sport 80 -j NOTRACK
-A OUTPUT -p tcp -m tcp --sport 22 -j NOTRACK
-A OUTPUT -p tcp -m tcp --sport 21 -j NOTRACK
-A OUTPUT -p tcp -m tcp --sport 11211 -j NOTRACK
-A OUTPUT -p tcp -m tcp --sport 60000:60100 -j NOTRACK
-A OUTPUT -p tcp -s 192.168.10.1 -j NOTRACK
COMMIT
*filter
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Allow loopback and the 5th NIC
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth4 -j ACCEPT
# Connection state tracking: ESTABLISHED connections may transfer data
-A INPUT -m state --state ESTABLISHED,RELATED,INVALID,UNTRACKED -j ACCEPT
# Present in the filter table but not in raw, so this connection is tracked by default
-A INPUT -s 192.168.10.31 -p tcp --dport 2669 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Or disable tracking for all connections, so that no connection state is kept at all. The rules then have to be stricter: every inbound and outbound flow must be stated explicitly. Example /etc/sysconfig/iptables:

*raw
# Disable tracking for TCP/UDP connections, to solve the problem that a full nf_conntrack table blocks new connections
-A PREROUTING -p tcp -j NOTRACK
-A PREROUTING -p udp -j NOTRACK
-A OUTPUT -p tcp -j NOTRACK
-A OUTPUT -p udp -j NOTRACK
COMMIT
*filter
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Allow loopback and eth1
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
# Only allow packets that match these rules in
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --sport 80 -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
-A INPUT -p udp --sport 123 -j ACCEPT
# Outgoing packets are not restricted
-A OUTPUT -p tcp -j ACCEPT
-A OUTPUT -p udp -j ACCEPT
# Input and forwarded packets that match no rule are all rejected
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


4. Remove the connection tracking module (check with lsmod | grep nf_conntrack) and do not use the connection state tracking function at all.

1. Remove nf_conntrack and the modules that depend on it, for example:

rmmod nf_conntrack_ipv4
rmmod nf_conntrack_ipv6
rmmod xt_state
rmmod xt_CT
rmmod xt_conntrack
rmmod iptable_nat
rmmod ipt_REDIRECT
rmmod nf_nat
rmmod nf_conntrack

2. Disable the tracking modules by adding them to the blacklist (/etc/modprobe.d/blacklist.conf):

# Disable the nf_conntrack module and the modules that use it
blacklist nf_conntrack
blacklist nf_conntrack_ipv6
blacklist xt_conntrack
blacklist xt_CT
blacklist xt_state
blacklist iptable_nat
blacklist ipt_REDIRECT
blacklist nf_nat
blacklist nf_conntrack_ipv4

3. Remove all state-related configuration (such as state matching and NAT) from the firewall rules. For example:

*filter
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Allow loopback and the 2nd NIC
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
# Allow a port
-A INPUT -p tcp --dport 1331 -j ACCEPT
# Allow an IP address
-A INPUT -s 192.168.10.31 -j ACCEPT
# Allow the local machine to perform DNS queries
-A INPUT -p udp --sport 53 -j ACCEPT
-A OUTPUT -p udp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

In addition, it is recommended that you change the firewall service configuration so that it does not load any additional modules (/etc/sysconfig/iptables-config):

IPTABLES_MODULES=""            # no additional modules are required
IPTABLES_MODULES_UNLOAD="no"   # otherwise the sysctl parameters are reset to their defaults when iptables restarts
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="no"

Note that the connection tracking we usually do at the operating-system level (netstat/ss) is unrelated to this: the firewall's connection state table is produced entirely by its own implementation.

Conclusion: where possible, it is better to hand the firewall role off to upstream devices. If you must use the host firewall, tune it. If you do not need the firewall's connection tracking function, use NOTRACK with simple rules, or remove the module entirely if conditions permit!
