[NTLUG:Discuss] ip_conntrack questions

m m llliiilll at hotmail.com
Fri Jun 9 18:52:18 CDT 2006




>From: Leroy Tennison <leroy_tennison at prodigy.net>
>Reply-To: leroy_tennison at prodigy.net, NTLUG Discussion List 
><Discuss at ntlug.org>
>To: trryhend at gmail.com, NTLUG Discussion List <Discuss at ntlug.org>
>Subject: Re: [NTLUG:Discuss] ip_conntrack questions
>Date: Fri, 09 Jun 2006 16:48:27 -0500
>
>Terry Henderson wrote:
> > See:
> > # cat /proc/net/ip_conntrack
> >
> > The max number of connections is set in ip_conntrack_max
> >
> > # cat /proc/sys/net/ipv4/ip_conntrack_max
> >
> > I think you can increase it with:
> >
> > # echo "########" > /proc/sys/net/ipv4/ip_conntrack_max
> >
> > (Where ######## is the new number amount to increase to.)
> >
> >
> > On 6/9/06, m m <llliiilll at hotmail.com> wrote:
> >
> >> All:
> >>
> >> I have been running the same server (RH 6.0) for more than 6 years.
> >> Recently I get this message very often -- about every 2-3 weeks.
> >>
> >> ip_conntrack: table full, dropping packet.
> >>
> >> I even increased the MAX value.
> >> It still happens every 2-3 weeks.
> >> Can anyone think about what's going on with it?
> >> Does anyone have a quick way to flush the table without a reboot?
> >>
> >> If I don't load the module ip_conntrack, should this problem go away?
> >>
> >> Thanks
> >>
> >
> >
> >
>I assume by its name that ip_conntrack is tracking ip connections, right?
>
>If so I'm further speculating that it has to do with iptables' stateful
>inspection processing.  Right?
>

I cannot answer the above 2 questions. Actually these are my questions.
I did google the web, but cannot get a clear picture of what ip_conntrack
is really for. All I know is that it is a module that iptables may need to use.
As for how it is "used" by iptables, I have no idea.
There should be some experts in the group who can answer these questions for us.


>If so then further speculation is that the number of connections
>attempting to be tracked is being exceeded.  If this is the case
>wouldn't we need to know more about the iptables configuration to
>determine the source of the problem?

From what I understand, you set a MAX value for the ip_conntrack
table. This value will be the MAX number of records in the ip_conntrack table.
When the records reach the MAX value, the problem happens (like what I have).
Not sure what iptables configuration you are talking about. My iptables
rules?
If so, please see below:

============================
#!/bin/sh

# -F alone flushes only the filter table, so the nat table is flushed
# separately; otherwise re-running this script appends a second copy of
# every nat rule below.
iptables -F -v
iptables -t nat -F -v
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# reverse-path filtering on every interface
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
     echo 1 > $f
done

# drop forwarded packets arriving on eth0 with private-range (spoofed) sources
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -i eth0 -s 24.14.77.8 -j DROP

# masquerade the internal LAN and traffic addressed to the public IP
iptables -v -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
iptables -v -t nat -A POSTROUTING -d 212.237.96.67 -j MASQUERADE

# never forward NetBIOS, mountd, NFS or portmapper traffic
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
iptables -A FORWARD -p tcp --sport 635 -j DROP
iptables -A FORWARD -p udp --sport 635 -j DROP
iptables -A FORWARD -p tcp --sport 2049 -j DROP
iptables -A FORWARD -p udp --sport 2049 -j DROP
iptables -A FORWARD -p tcp --sport 111 -j DROP
iptables -A FORWARD -p udp --sport 111 -j DROP
# block syslog, lpd and the r-service ports coming in on eth0
iptables -A FORWARD -i eth0 -p udp --dport syslog -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 515 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 514 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 512 -j DROP

# port-forward the public services to the internal hosts
iptables -A PREROUTING -t nat -p tcp -d 212.237.96.67 \
                         --dport 8080 -j DNAT --to 192.168.1.1:8080
iptables -A PREROUTING -t nat -p tcp -d 212.237.96.67 \
                         --dport 80 -j DNAT --to 192.168.1.1:80
iptables -A PREROUTING -t nat -p tcp -d 212.237.96.67 \
                         --dport 81 -j DNAT --to 192.168.1.2:80
iptables -A PREROUTING -t nat -p tcp -d 212.237.96.67 \
                         --dport 25 -j DNAT --to 192.168.1.1:25
iptables -A PREROUTING -t nat -p tcp -d 212.237.96.67 \
                         --dport 21 -j DNAT --to 192.168.1.1:21

# source-NAT everything leaving eth1 to the public address
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 212.237.96.67

echo 1 >/proc/sys/net/ipv4/ip_forward
============================



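As an added example, not from anyone in this thread: the fastest way to see what is filling the table is to parse /proc/net/ip_conntrack and count entries per source address and state, since a few hosts holding thousands of [UNREPLIED] half-open entries explains a "table full" far better than the raw count does. The conntrack lines below are constructed samples with made-up addresses, and the 4096 maximum is an assumed stand-in for whatever ip_conntrack_max holds on the real box.

```python
import re
from collections import Counter

# Constructed sample of /proc/net/ip_conntrack lines (2.4/2.6-era layout);
# made-up addresses, not taken from the poster's machine.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=212.237.96.67 sport=1025 dport=80 packets=5 bytes=300 src=212.237.96.67 dst=192.168.1.10 sport=80 dport=1025 packets=5 bytes=400 [ASSURED] use=1
tcp      6 118 SYN_SENT src=192.168.1.20 dst=10.9.8.7 sport=40001 dport=25 packets=1 bytes=60 [UNREPLIED] src=10.9.8.7 dst=192.168.1.20 sport=25 dport=40001 packets=0 bytes=0 use=1
tcp      6 117 SYN_SENT src=192.168.1.20 dst=10.9.8.8 sport=40002 dport=25 packets=1 bytes=60 [UNREPLIED] src=10.9.8.8 dst=192.168.1.20 sport=25 dport=40002 packets=0 bytes=0 use=1
udp      17 29 src=192.168.1.10 dst=10.0.0.53 sport=1234 dport=53 packets=1 bytes=60 src=10.0.0.53 dst=192.168.1.10 sport=53 dport=1234 packets=1 bytes=100 use=1
tcp      6 7 TIME_WAIT src=192.168.1.20 dst=10.9.8.9 sport=40003 dport=80 packets=10 bytes=900 src=10.9.8.9 dst=192.168.1.20 sport=80 dport=40003 packets=9 bytes=5000 [ASSURED] use=1
"""

# proto name, proto number, seconds until the entry expires, an optional TCP
# state word, then the original-direction tuple. UDP lines carry no state.
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)(?P<rest>.*)$")

def parse_conntrack(text):
    """Return one dict per table entry, keyed on the original-direction tuple."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown layout (e.g. icmp): skip rather than guess
        d = m.groupdict()
        port = re.search(r"dport=(\d+)", d["rest"])
        entries.append({
            "proto": d["proto"], "timeout": int(d["timeout"]),
            "state": d["state"] or "-", "src": d["src"], "dst": d["dst"],
            "dport": int(port.group(1)) if port else None,
            "unreplied": "[UNREPLIED]" in d["rest"],
        })
    return entries

def summarize(entries, max_entries, warn_pct=80):
    """Table pressure against ip_conntrack_max plus who is holding the entries."""
    total = len(entries)
    usage = 100.0 * total / max_entries
    return {
        "total": total,
        "usage_pct": round(usage, 2),
        "near_full": usage >= warn_pct,
        "unreplied": sum(e["unreplied"] for e in entries),   # half-open flows
        "by_src": Counter(e["src"] for e in entries),
        "by_state": Counter(e["state"] for e in entries),
    }

if __name__ == "__main__":
    # On a live box read /proc/net/ip_conntrack and ip_conntrack_max instead.
    for k, v in summarize(parse_conntrack(SAMPLE_CONNTRACK), 4096).items():
        print(k, v)
```

Run it periodically (or from cron) against the real files and the by_src counter will name the host to look at when the usage percentage climbs; a large unreplied count relative to total points at scans or a broken peer rather than legitimate load.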