Old 04-18-2008, 04:23 PM
Masry Alex
 
ip_conntrack: table full, dropping packet.

I was trying to do what the article at http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.performance.html#conntrack_filling_tables suggested.

My iptables rules are

#that's what the mentioned article suggested..I'm not sure it's working!
*raw
-A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK
COMMIT

*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
#no tracking needed for this
-A INPUT -p tcp --dport 80 -j ACCEPT
#that would be another question but I can't get rid of this while using ssh tunneling
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#ssh port
-A INPUT -p tcp --dport 12345 -j ACCEPT
#my ip
-A INPUT -s 123.123.123.123 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT

I keep getting these messages in my kernel log:

Apr 13 20:00:41 server kernel: ip_conntrack: table full, dropping packet.
Apr 15 14:23:29 server kernel: ip_conntrack: table full, dropping packet.
Apr 15 20:19:04 server last message repeated 2 times
Apr 16 13:53:58 server kernel: ip_conntrack: table full, dropping packet.
Apr 17 19:05:32 server last message repeated 3 times
Apr 17 21:20:43 server kernel: ip_conntrack: table full, dropping packet.

is there a way to completely disable ip_conntrack ?

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 04-18-2008, 04:55 PM
John R Pierce
 
ip_conntrack: table full, dropping packet.

Masry Alex wrote:

is there a way to completely disable ip_conntrack ?


without connection tracking, NAT simply won't work.


 
Old 04-18-2008, 06:18 PM
Florin Andrei
 
ip_conntrack: table full, dropping packet.

John R Pierce wrote:

Masry Alex wrote:

is there a way to completely disable ip_conntrack ?


without connection tracking, NAT simply won't work.


With recent kernels, it is possible to do 1:1 NAT (mapping one private
address to exactly one public IP alias on the external interface)
without netfilter, but using iproute instead.

It will not work for other kinds of NAT, only for 1:1 mapping.

I forgot the details, but you'll have to build and install the most
recent stable kernel, and probably also update the iproute and iptables
packages to the most recent stable releases. And then you can do 1:1 NAT
with the ip utility. Because NAT is not activated in netfilter,
ip_conntrack is not required.


--
Florin Andrei

http://florin.myip.org/
 
Old 04-18-2008, 09:48 PM
Robert Spangler
 
ip_conntrack: table full, dropping packet.

On Friday 18 April 2008 12:23, Masry Alex wrote:

> #that's what the mentioned article suggested..I'm not sure it's working!
> *raw
> -A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK

Do you have a chain called NOTRACK? What is setup under it?

> COMMIT
> *filter
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p icmp --icmp-type any -j ACCEPT
> #no tracking needed for this
> -A INPUT -p tcp --dport 80 -j ACCEPT
> #that would be another question but I can't get rid of this while using
> ssh tunneling
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

OK, here is your problem. The above line should be the first line in your
INPUT statement. IPTABLES reads top down, so it executes the rules in the
order they are placed. Since you have the '--dport 80' rule before the
'ESTABLISHED,RELATED' rule, it adds the address to the conntrack. Every packet
is being added to the conntrack, making a bunch of tracking entries for the same
host. If 'ESTABLISHED,RELATED' were first, it would check to see if the host
has already connected and allow them to continue to connect without adding
them to the tracking table every time a packet comes.

You want 'ESTABLISHED,RELATED' first in all your rule chains. There is a way
around this if you want '--dport 80' before the 'ESTABLISHED,RELATED' rule, and
that would be like this:

-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

Your rules are a mix of stateful and non-stateful; choose one or the other.
Preferably stateful.


--

Regards
Robert

Smile... it increases your face value!
Linux User #296285
http://counter.li.org
 
Old 04-19-2008, 03:05 AM
"Stephen John Smoogen"
 
ip_conntrack: table full, dropping packet.

On Fri, Apr 18, 2008 at 10:23 AM, Masry Alex <masryalex@gmail.com> wrote:
>
> I was trying to do what the article at
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.performance.html#conntrack_filling_tables
> suggested
> My iptables rules are
> ________________________________
> #that's what the mentioned article suggested..I'm not sure it's working!
> *raw
> -A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK
> COMMIT
> *filter
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p icmp --icmp-type any -j ACCEPT
> #no tracking needed for this
> -A INPUT -p tcp --dport 80 -j ACCEPT
> #that would be another question but I can't get rid of this while using ssh
> tunneling
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> #ssh port
> -A INPUT -p tcp --dport 12345 -j ACCEPT
> #my ip
> -A INPUT -s 123.123.123.123 -j ACCEPT
> -A INPUT -j DROP
> -A FORWARD -j DROP
> COMMIT
> ________________________________
> I keep getting these messages on my kernel log
> ________________________________
> Apr 13 20:00:41 server kernel: ip_conntrack: table full, dropping packet.
> Apr 15 14:23:29 server kernel: ip_conntrack: table full, dropping packet.
> Apr 15 20:19:04 server last message repeated 2 times
> Apr 16 13:53:58 server kernel: ip_conntrack: table full, dropping packet.
> Apr 17 19:05:32 server last message repeated 3 times
> Apr 17 21:20:43 server kernel: ip_conntrack: table full, dropping packet.
> ________________________________
> is there a way to completely disable ip_conntrack ?

The first question is why is your box running out of connections? A
machine with 512MB can have 32768 connections in the table. If you
have more than that... you are probably getting DoS'd or something
else. What state are the connections in? Does having SYN cookies help?

It used to be that the only way to do that was to remove all
NEW,RELATED,ESTABLISHED, etc. lines in your firewall and then make sure
that the conntrack and state modules didn't get loaded. I am not
familiar with the preroute rule you have, so I can't say if it's going
to help or not. It's usually easier to make the ip_conntrack table
bigger or figure out why the system is getting DoS'd.

http://www.wallfire.org/misc/netfilter_conntrack_perf.txt

#that's what the mentioned article suggested..I'm not sure it's working!
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 12345 -j ACCEPT
-A INPUT -m state --state NEW -s 123.123.123.123 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT

##
## No tracking
#that's what the mentioned article suggested..I'm not sure it's working!
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 12345 -j ACCEPT
-A INPUT -s 123.123.123.123 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT

##
## /etc/sysctl.conf
##
# sysctl keys carry no "sys." prefix: the files live under
# /proc/sys/net/ipv4/netfilter/, so the key starts with "net."
# Comments on their own lines; a trailing "# ..." would become part of the value.
# sized for 512 MB of RAM
net.ipv4.netfilter.ip_conntrack_max = 32768
# sized for 512 MB of RAM; on the 2.6.18 ip_conntrack module this key is
# read-only (mode 0444) and the bucket count is the module parameter
# "hashsize", given at module load time
net.ipv4.netfilter.ip_conntrack_buckets = 4096

##
##
--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
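An added example, not from any poster in this thread: a POSIX shell helper that answers Stephen's diagnostic questions (how full the table is against ip_conntrack_max, which states the entries are in, how many are [UNREPLIED], and which originating addresses hold the most entries) by summarising a conntrack dump. It assumes the CentOS 5 paths /proc/net/ip_conntrack and /proc/sys/net/ipv4/netfilter/ip_conntrack_max; the sample dump below is constructed, not a real capture.

```shell
#!/bin/sh
# Summarise a conntrack dump: fill level against ip_conntrack_max, entries per
# TCP state, [UNREPLIED] count and the originating addresses holding the most
# entries. Reads /proc/net/ip_conntrack (CentOS 5; later kernels expose
# /proc/net/nf_conntrack) unless a dump file is given.
# Usage: conntrack_summary [DUMP_FILE] [MAX]

conntrack_summary() {
    dump="${1:-/proc/net/ip_conntrack}"
    max="${2:-$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max 2>/dev/null || echo 0)}"
    awk -v max="$max" '
        {
            total++
            # For tcp the 4th field is the state; udp/icmp entries have none
            state = ($1 == "tcp") ? $4 : toupper($1)
            states[state]++
            if (index($0, "[UNREPLIED]")) unreplied++
            # The first src= token is the originator of the connection
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=/) { sub(/^src=/, "", $i); src[$i]++; break }
        }
        END {
            printf "total=%d max=%d unreplied=%d", total, max, unreplied + 0
            if (max > 0) printf " fill=%d%%", 100 * total / max
            printf "\n"
            for (s in states) printf "state %s %d\n", s, states[s]
            for (a in src) printf "src %s %d\n", a, src[a]
        }' "$dump" | sort
}

# Constructed sample dump (not a real capture): one established web
# connection, three half-open SYNs from a single address, one UDP entry.
sample_dump() {
    cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.1 sport=50000 dport=80 packets=12 bytes=900 src=198.51.100.1 dst=192.0.2.10 sport=80 dport=50000 packets=10 bytes=5000 [ASSURED] mark=0 use=1
tcp      6 110 SYN_SENT src=203.0.113.7 dst=198.51.100.1 sport=40001 dport=80 packets=1 bytes=60 [UNREPLIED] src=198.51.100.1 dst=203.0.113.7 sport=80 dport=40001 packets=0 bytes=0 mark=0 use=1
tcp      6 110 SYN_SENT src=203.0.113.7 dst=198.51.100.1 sport=40002 dport=80 packets=1 bytes=60 [UNREPLIED] src=198.51.100.1 dst=203.0.113.7 sport=80 dport=40002 packets=0 bytes=0 mark=0 use=1
tcp      6 110 SYN_SENT src=203.0.113.7 dst=198.51.100.1 sport=40003 dport=80 packets=1 bytes=60 [UNREPLIED] src=198.51.100.1 dst=203.0.113.7 sport=80 dport=40003 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=192.0.2.20 dst=198.51.100.1 sport=5353 dport=53 packets=1 bytes=70 [UNREPLIED] src=198.51.100.1 dst=192.0.2.20 sport=53 dport=5353 packets=0 bytes=0 mark=0 use=1
EOF
}

# Run with --demo to summarise the constructed sample against a 32768 ceiling
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && sample_dump > "$tmp" && conntrack_summary "$tmp" 32768
    rm -f "$tmp"
fi
```

Without arguments it reads the live table, so a sudden jump in SYN_SENT or [UNREPLIED] entries concentrated on a few originators is what to look for when the "table full" messages appear.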
 
