
RE: iptables conntrack: packets not matching a rule occasionally?



Hello,


echo 110000 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max

110000: put a number suited to your system.

I think this should solve the problem ... can you tell us if this works,
please?

Sorry for my bad English.
Regards. Pablo.


# -----Original Message-----
# From: Marc Schiffbauer [mailto:marc@schiffbauer.net]
# Sent: Wednesday, 08 August 2007 07:03 a.m.
# To: debian-isp@lists.debian.org
# Subject: Re: iptables conntrack: packets not matching a rule occasionally?
# 
# * Håkon Alstadheim wrote on 07.08.07 at 23:21:
# > Marc Schiffbauer wrote:
# > >* Héctor González wrote on 01.08.07 at 16:49:
# > >
# > >>You might try a rule to match "state INVALID", and see if it catches
# > >>them.  It might be someone probing your firewall.
# > >>
# > >
# > >makes sense. The new rule matches those packets indeed.
# > >
# > >Seems like I did not pay enough attention to the TCP flags.
# > >
# > >
# > Conntrack has a timeout and a limit to the max number of connections it
# > can remember. I believe it can be adjusted with some setting in /proc or
# > somewhere. Check the documentation in /usr/src/linux/Documentation.
# > Anyway, really slow/long-lived web sessions might get caught as invalid
# > because of this.
# 
# Sorry I did not mention that I had a look at these values. I think
# the default values are ok for http traffic, right?
# 
# host:~# for f in /proc/sys/net/ipv4/netfilter/ip_conntrack_*; do
# > echo "$f: $(cat $f)"
# > done
# /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets: 8192
# /proc/sys/net/ipv4/netfilter/ip_conntrack_count: 712
# /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout: 600
# /proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout: 30
# /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid: 0
# /proc/sys/net/ipv4/netfilter/ip_conntrack_max: 65536
# /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal: 0
# /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose: 3
# /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_max_retrans: 3
# /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close: 10
# /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait: 60
# /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established: 432000
# /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait: 120
# /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack: 30
# /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_max_retrans: 300
# /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv: 60
# /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent: 120
# /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait: 120
# /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout: 30
# /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream: 180
# host:~#
# 
# -Marc
# --
# 8AAC 5F46 83B4 DB70 8317  3723 296C 6CCA 35A6 4134
# 
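As an added example (not from the thread, and not part of either poster's mail), a small POSIX sh check that parses the kind of ip_conntrack dump Marc posted above, reports how full the table is, and notes whether conntrack itself is logging INVALID packets. The embedded dump is a constructed copy of the values from the thread, and the 80% warning threshold is an assumption.

```shell
#!/bin/sh
# Constructed sample input: the relevant lines of the dump from the thread,
# embedded here so the check runs offline without touching /proc.
SAMPLE_DUMP='/proc/sys/net/ipv4/netfilter/ip_conntrack_buckets: 8192
/proc/sys/net/ipv4/netfilter/ip_conntrack_count: 712
/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid: 0
/proc/sys/net/ipv4/netfilter/ip_conntrack_max: 65536'

# conntrack_value DUMP KEY -> prints the integer value of ip_conntrack_KEY.
# The leading "/" keeps "max" from matching "tcp_max_retrans".
conntrack_value() {
    printf '%s\n' "$1" | sed -n "s|^.*/ip_conntrack_$2: ||p"
}

# conntrack_usage_pct DUMP -> integer percentage of the table in use.
conntrack_usage_pct() {
    count=$(conntrack_value "$1" count)
    max=$(conntrack_value "$1" max)
    echo $(( count * 100 / max ))
}

# conntrack_check DUMP THRESHOLD -> returns 0 below the threshold, 1 at or
# above it. A full table is what makes the kernel log
# "ip_conntrack: table full, dropping packet" and drop new flows.
conntrack_check() {
    pct=$(conntrack_usage_pct "$1")
    if [ "$(conntrack_value "$1" log_invalid)" = "0" ]; then
        echo "NOTE: ip_conntrack_log_invalid=0; INVALID packets are not logged" \
             "by conntrack, so use an iptables LOG rule on state INVALID to see them"
    fi
    if [ "$pct" -ge "$2" ]; then
        echo "WARN: conntrack table ${pct}% full; raise ip_conntrack_max" \
             "or shorten the long timeouts (tcp_timeout_established)"
        return 1
    fi
    echo "OK: conntrack table ${pct}% full"
    return 0
}

# Live use (assumption: a host with the old ip_conntrack /proc names):
# conntrack_check "$(for f in /proc/sys/net/ipv4/netfilter/ip_conntrack_*; \
#     do echo "$f: $(cat "$f")"; done)" 80
conntrack_check "$SAMPLE_DUMP" 80
```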


