Re: Error message change request (Sigþór Jarðarson)

Re: Error message change request (Sigþór Jarðarson)

[Frederic de Villamil]

[-- Attachment #1: Type: text/plain, Size: 1309 bytes --]

Hi netfilter-request!

On Fri, 19 Sep 2003, netfilter-request@lists.netfilter.org wrote:

> Message: 2
> From: =?iso-8859-1?q?Sig=FE=F3r_Jar=F0arson?= <cshobe@somerandomdomain.com>
> To: netfilter@lists.netfilter.org
> Subject: Error message change request
> Date: Thu, 18 Sep 2003 20:56:03 -0400
> 
> Hey all,
> 
> I have a quick request - a change to an error message.
> 
> A friend I sold a server to called me insistant that iptables was broken on=
> =20
> the firewall I sold him.
> 
> He was trying the following, and got the following message:
> 
> superuser root@hydrogen:/home/root
> # /bin/iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 22 -j ACCEPT
> iptables v1.2.7a: Unknown arg `--dport'
> Try `iptables -h' or 'iptables --help' for more information.
> 
> I figured out that he missed -p tcp, but the error is misleading.
> 
> I think it should instead say something like "iptables v1.2.7a: Argument=20
> `--dport' cannot be used in this context" or something.
> 
> =2D-=20
> Sig=FE=F3r Jar=F0arson
> cshobe@somerandomdomain.com

Hi,
the answer is: .... 42.Just kidding

# /bin/iptables -A INPUT -p tcp --dport 22 -s 0/0 -d 0/0 -j ACCEPT
Best regards
Frederic

-- 
B.O.F.H excuse of the day: Domain controller not responding
http://www.seclab.jp

[-- Attachment #2: Type: application/pgp-signature, Size: 186 bytes --]

HELP!!! (ip_conntrack: table full)

[Alpha Technologies]

[-- Attachment #1: Type: text/plain, Size: 408 bytes --]

Recently I am having this messages on my system: "ip_conntrack: table full". Please i need help. what is happening?
 
This is my info:
 
RedHat 9.0
Kernel: 2.4.20-18.9
 

I really apreciate any help.
 
Thanks 
 
Pablo Tamayo

 



---------------------------------
Do You Yahoo!?
Todo lo que quieres saber de Estados Unidos, América Latina y el resto del Mundo.
Visíta Yahoo! Noticias.

[-- Attachment #2: Type: text/html, Size: 853 bytes --]

Re: HELP!!! (ip_conntrack: table full)

[Security]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

First...here is what is happening:

Your max setting on the conntrack table can be seen at: 
cat /proc/sys/net/ipv4/ip_conntrack_max

Your current number of entries in the conntrack table can be found like this:
cat /proc/net/ip_conntrack | wc -l

Now, you have 2 choices on how to sort this out...

1) raise the limit in /proc/net/ip_conntrack  
To raise that limit:
echo ## > /proc/net/ip_conntrack 
(where ## is the new max you wish to set).

or 
2) flush the conntrack table 
(for that.I am going to paste in from an earlier post to this list)

Just simply remove the mod ip_conntrac and any dependices and re-apply it.

**Warning** this will require you to drop iptables while you do it...which may
not be a good option depening on your network configuration. **/Warning**

NH

On Thursday 11 September 2003 4:19 pm, Warren P wrote:
> hi
>
> does anyone know how to clear/flush the ip_conntrack table. Every 4 to 6
> months i need to reboot my server because it drops packets and complains
> that the table is full ...
>
> Regards,
> Warren P



On Friday 19 September 2003 10:43 am, Alpha Technologies wrote:
> Recently I am having this messages on my system: "ip_conntrack: table
> full". Please i need help. what is happening?
>
> This is my info:
>
> RedHat 9.0
> Kernel: 2.4.20-18.9
>
>
> I really apreciate any help.
>
> Thanks
>
> Pablo Tamayo
>
>
>
>
>
> ---------------------------------
> Do You Yahoo!?
> Todo lo que quieres saber de Estados Unidos, América Latina y el resto del
> Mundo. Visíta Yahoo! Noticias.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/axy6PEfiOMhBaIMRAq2CAKCaZ94odX9aX3KaPhqF6pL340poRACffclm
ySIf03dKHYvJy46KGQpM5M0=
=cBZI
-----END PGP SIGNATURE-----

Re: HELP!!! (ip_conntrack: table full)

[Warren P]

hi

WRT echo ## > /proc/net/ip_conntrack 

Considering i've got 1gig of RAM ... what is a safe value i
can set ip_conntrack_max to? The current value is 65528

Also when you refer to dropping ip_conntrack ... do mean
like rmmod ip_conntrack.o?

Regards,
Warren P

-----------------------------------------------------------


On Fri, 19 Sep 2003 11:11:53 -0400
 Security <security@ezsm.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> First...here is what is happening:
> 
> Your max setting on the conntrack table can be seen at: 
> cat /proc/sys/net/ipv4/ip_conntrack_max
> 
> Your current number of entries in the conntrack table can
> be found like this:
> cat /proc/net/ip_conntrack | wc -l
> 
> Now, you have 2 choices on how to sort this out...
> 
> 1) raise the limit in /proc/net/ip_conntrack  
> To raise that limit:
> echo ## > /proc/net/ip_conntrack 
> (where ## is the new max you wish to set).
> 
> or 
> 2) flush the conntrack table 
> (for that.I am going to paste in from an earlier post to
> this list)
> 
> Just simply remove the mod ip_conntrac and any dependices
> and re-apply it.
> 
> **Warning** this will require you to drop iptables while
> you do it...which may
> not be a good option depening on your network
> configuration. **/Warning**
> 
> NH
> 
> On Thursday 11 September 2003 4:19 pm, Warren P wrote:
> > hi
> >
> > does anyone know how to clear/flush the ip_conntrack
> table. Every 4 to 6
> > months i need to reboot my server because it drops
> packets and complains
> > that the table is full ...
> >
> > Regards,
> > Warren P
> 
> 
> 
> On Friday 19 September 2003 10:43 am, Alpha Technologies
> wrote:
> > Recently I am having this messages on my system:
> "ip_conntrack: table
> > full". Please i need help. what is happening?
> >
> > This is my info:
> >
> > RedHat 9.0
> > Kernel: 2.4.20-18.9
> >
> >
> > I really apreciate any help.
> >
> > Thanks
> >
> > Pablo Tamayo
> >
> >
> >
> >
> >
> > ---------------------------------
> > Do You Yahoo!?
> > Todo lo que quieres saber de Estados Unidos, América
> Latina y el resto del
> > Mundo. Visíta Yahoo! Noticias.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> 
>
iD8DBQE/axy6PEfiOMhBaIMRAq2CAKCaZ94odX9aX3KaPhqF6pL340poRACffclm
> ySIf03dKHYvJy46KGQpM5M0=
> =cBZI
> -----END PGP SIGNATURE-----
> 

Re: HELP!!! (ip_conntrack: table full)

[Oskar Andreasson]

On Mon, 27 Oct 2003, Warren P wrote:

> hi
>
> WRT echo ## > /proc/net/ip_conntrack
>
> Considering i've got 1gig of RAM ... what is a safe value i
> can set ip_conntrack_max to? The current value is 65528

No problem, I've run as high as 140000 without a hitch on 512 meg, without
too much performance loss.

>
> Also when you refer to dropping ip_conntrack ... do mean
> like rmmod ip_conntrack.o?
>

Yes.

> Regards,
> Warren P
>
> -----------------------------------------------------------
>
>
> On Fri, 19 Sep 2003 11:11:53 -0400
>  Security <security@ezsm.net> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > First...here is what is happening:
> >
> > Your max setting on the conntrack table can be seen at:
> > cat /proc/sys/net/ipv4/ip_conntrack_max
> >
> > Your current number of entries in the conntrack table can
> > be found like this:
> > cat /proc/net/ip_conntrack | wc -l
> >
> > Now, you have 2 choices on how to sort this out...
> >
> > 1) raise the limit in /proc/net/ip_conntrack
> > To raise that limit:
> > echo ## > /proc/net/ip_conntrack
> > (where ## is the new max you wish to set).
> >
> > or
> > 2) flush the conntrack table
> > (for that.I am going to paste in from an earlier post to
> > this list)
> >
> > Just simply remove the mod ip_conntrac and any dependices
> > and re-apply it.
> >
> > **Warning** this will require you to drop iptables while
> > you do it...which may
> > not be a good option depening on your network
> > configuration. **/Warning**
> >
> > NH
> >
> > On Thursday 11 September 2003 4:19 pm, Warren P wrote:
> > > hi
> > >
> > > does anyone know how to clear/flush the ip_conntrack
> > table. Every 4 to 6
> > > months i need to reboot my server because it drops
> > packets and complains
> > > that the table is full ...
> > >
> > > Regards,
> > > Warren P
> >
> >
> >
> > On Friday 19 September 2003 10:43 am, Alpha Technologies
> > wrote:
> > > Recently I am having this messages on my system:
> > "ip_conntrack: table
> > > full". Please i need help. what is happening?
> > >
> > > This is my info:
> > >
> > > RedHat 9.0
> > > Kernel: 2.4.20-18.9
> > >
> > >
> > > I really apreciate any help.
> > >
> > > Thanks
> > >
> > > Pablo Tamayo
> > >
> > >
> > >
> > >
> > >
> > > ---------------------------------
> > > Do You Yahoo!?
> > > Todo lo que quieres saber de Estados Unidos, América
> > Latina y el resto del
> > > Mundo. Visíta Yahoo! Noticias.
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.1 (GNU/Linux)
> >
> >
> iD8DBQE/axy6PEfiOMhBaIMRAq2CAKCaZ94odX9aX3KaPhqF6pL340poRACffclm
> > ySIf03dKHYvJy46KGQpM5M0=
> > =cBZI
> > -----END PGP SIGNATURE-----
> >
>
>
>
>

----
Oskar Andreasson
http://www.frozentux.net
http://iptables-tutorial.frozentux.net
http://ipsysctl-tutorial.frozentux.net
mailto:blueflux@koffein.net

Re: HELP!!! (ip_conntrack: table full)

[NightHawk]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Warren,
   I would only raise the value in /proc/net/ip_conntrack a little bit at a 
time till you find the lowest number that works for your situation.  Once you 
have everything under control, the number shouldn't have to be too high, at 
least this has been my experience.  I only raise the number when having a 
"situation", and then lower it back down once things are calmed down.

And yes, I did mean to rmmod ip_conntack, when I mentioned dropping 
ip_conntrack.  Although, this tends to require dropping a few other modules 
as well, and also tends to require stopping iptables while you do so. (due to 
some of the modules that you have to remove.)  Which is why it is not the 
best solution for all situations....

NH

On Monday 27 October 2003 2:52 pm, Warren P wrote:
> hi
>
> WRT echo ## > /proc/net/ip_conntrack
>
> Considering i've got 1gig of RAM ... what is a safe value i
> can set ip_conntrack_max to? The current value is 65528
>
> Also when you refer to dropping ip_conntrack ... do mean
> like rmmod ip_conntrack.o?
>
> Regards,
> Warren P
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/nXtqb58ZIoF+byQRAgbWAKCOgeguwsDsDnvsH/8MHx5BTwKuSQCffJ+t
fcgUdKA6Npi/VyhejhJegOE=
=Th5c
-----END PGP SIGNATURE-----

Re: HELP!!! (ip_conntrack: table full)

[Warren P]

Hi

Thanks ...

But tell me ... do i really need ip_conntrack? What would
happen if i remove it permanently ... how will this affect
my IP Table rule ...
I've only got one rule:
e.g: iptables -t nat -A PREROUTING -p tcp --dport 80 -j
DNAT --to 192.168.22.33:3128

------------------------------------------------------------


On Mon, 27 Oct 2003 16:09:14 -0400
 NightHawk <nighthawk@easyservermanagement.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Warren,
>    I would only raise the value in /proc/net/ip_conntrack
> a little bit at a 
> time till you find the lowest number that works for your
> situation.  Once you 
> have everything under control, the number shouldn't have
> to be too high, at 
> least this has been my experience.  I only raise the
> number when having a 
> "situation", and then lower it back down once things are
> calmed down.
> 
> And yes, I did mean to rmmod ip_conntack, when I
> mentioned dropping 
> ip_conntrack.  Although, this tends to require dropping a
> few other modules 
> as well, and also tends to require stopping iptables
> while you do so. (due to 
> some of the modules that you have to remove.)  Which is
> why it is not the 
> best solution for all situations....
> 
> NH
> 
> On Monday 27 October 2003 2:52 pm, Warren P wrote:
> > hi
> >
> > WRT echo ## > /proc/net/ip_conntrack
> >
> > Considering i've got 1gig of RAM ... what is a safe
> value i
> > can set ip_conntrack_max to? The current value is 65528
> >
> > Also when you refer to dropping ip_conntrack ... do
> mean
> > like rmmod ip_conntrack.o?
> >
> > Regards,
> > Warren P
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> 
>
iD8DBQE/nXtqb58ZIoF+byQRAgbWAKCOgeguwsDsDnvsH/8MHx5BTwKuSQCffJ+t
> fcgUdKA6Npi/VyhejhJegOE=
> =Th5c
> -----END PGP SIGNATURE-----
> 

Re: HELP!!! (ip_conntrack: table full)

[Security]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Easy way to find out...try to remove the module..if it has no rules using 
it...it won't complain..and will just remove.  But if that is really your 
only iptables rule..then I don't see any need for that module.

NH
On Monday 27 October 2003 3:46 pm, Warren P wrote:
> Hi
>
> Thanks ...
>
> But tell me ... do i really need ip_conntrack? What would
> happen if i remove it permanently ... how will this affect
> my IP Table rule ...
> I've only got one rule:
> e.g: iptables -t nat -A PREROUTING -p tcp --dport 80 -j
> DNAT --to 192.168.22.33:3128
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/nYXLPEfiOMhBaIMRAtULAJ43uhg79Vc8SqAxtkaqb+oQrfWSxwCeJL6E
YXSKRgYWg4tisifll8ed1ac=
=IVGt
-----END PGP SIGNATURE-----

Re: HELP!!! (ip_conntrack: table full)

[Oskar Andreasson]

Will not work at all. The NAT part is dependant upon connection tracking,
which is done by... tada, ip_conntrack;).

On Mon, 27 Oct 2003, Warren P wrote:

> Hi
>
> Thanks ...
>
> But tell me ... do i really need ip_conntrack? What would
> happen if i remove it permanently ... how will this affect
> my IP Table rule ...
> I've only got one rule:
> e.g: iptables -t nat -A PREROUTING -p tcp --dport 80 -j
> DNAT --to 192.168.22.33:3128
>
> ------------------------------------------------------------
>
>
> On Mon, 27 Oct 2003 16:09:14 -0400
>  NightHawk <nighthawk@easyservermanagement.com> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Warren,
> >    I would only raise the value in /proc/net/ip_conntrack
> > a little bit at a
> > time till you find the lowest number that works for your
> > situation.  Once you
> > have everything under control, the number shouldn't have
> > to be too high, at
> > least this has been my experience.  I only raise the
> > number when having a
> > "situation", and then lower it back down once things are
> > calmed down.
> >
> > And yes, I did mean to rmmod ip_conntack, when I
> > mentioned dropping
> > ip_conntrack.  Although, this tends to require dropping a
> > few other modules
> > as well, and also tends to require stopping iptables
> > while you do so. (due to
> > some of the modules that you have to remove.)  Which is
> > why it is not the
> > best solution for all situations....
> >
> > NH
> >
> > On Monday 27 October 2003 2:52 pm, Warren P wrote:
> > > hi
> > >
> > > WRT echo ## > /proc/net/ip_conntrack
> > >
> > > Considering i've got 1gig of RAM ... what is a safe
> > value i
> > > can set ip_conntrack_max to? The current value is 65528
> > >
> > > Also when you refer to dropping ip_conntrack ... do
> > mean
> > > like rmmod ip_conntrack.o?
> > >
> > > Regards,
> > > Warren P
> > >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.1 (GNU/Linux)
> >
> >
> iD8DBQE/nXtqb58ZIoF+byQRAgbWAKCOgeguwsDsDnvsH/8MHx5BTwKuSQCffJ+t
> > fcgUdKA6Npi/VyhejhJegOE=
> > =Th5c
> > -----END PGP SIGNATURE-----
> >
>
>
>
>

----
Oskar Andreasson
http://www.frozentux.net
http://iptables-tutorial.frozentux.net
http://ipsysctl-tutorial.frozentux.net
mailto:blueflux@koffein.net

Re: HELP!!! (ip_conntrack: table full)

[NightHawk]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Warren,
   I would only raise the value in /proc/net/ip_conntrack a little bit at a
time till you find the lowest number that works for your situation.  Once you
have everything under control, the number shouldn't have to be too high, at
least this has been my experience.  I only raise the number when having a
"situation", and then lower it back down once things are calmed down.

And yes, I did mean to rmmod ip_conntack, when I mentioned dropping
ip_conntrack.  Although, this tends to require dropping a few other modules
as well, and also tends to require stopping iptables while you do so. (due to
some of the modules that you have to remove.)  Which is why it is not the
best solution for all situations....

NH

On Monday 27 October 2003 2:52 pm, Warren P wrote:
> hi
>
> WRT echo ## > /proc/net/ip_conntrack
>
> Considering i've got 1gig of RAM ... what is a safe value i
> can set ip_conntrack_max to? The current value is 65528
>
> Also when you refer to dropping ip_conntrack ... do mean
> like rmmod ip_conntrack.o?
>
> Regards,
> Warren P
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/nX5nb58ZIoF+byQRAjirAJ0VZcgBII3m44m2F3e6pAKvtV1D6ACfQjBI
3i8JEcIIT7f24e0/TeaKo3E=
=m+9W
-----END PGP SIGNATURE-----

RE: HELP!!! (ip_conntrack: table full)

[Edmund Turner]

Hey guys, its been awhile,(im getting old and my memory seems to escape
me.) so please bear with me. :)

TO remove the module
 rmmod ip_conntrack.o
How do I reinstate the module?????


Regards
edmund


-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of NightHawk
Sent: Tuesday, October 28, 2003 4:22 AM
To: netfilter@lists.netfilter.org
Subject: Re: HELP!!! (ip_conntrack: table full)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Warren,
   I would only raise the value in /proc/net/ip_conntrack a little bit
at a
time till you find the lowest number that works for your situation.
Once you
have everything under control, the number shouldn't have to be too high,
at
least this has been my experience.  I only raise the number when having
a
"situation", and then lower it back down once things are calmed down.

And yes, I did mean to rmmod ip_conntack, when I mentioned dropping
ip_conntrack.  Although, this tends to require dropping a few other
modules
as well, and also tends to require stopping iptables while you do so.
(due to
some of the modules that you have to remove.)  Which is why it is not
the
best solution for all situations....

NH

On Monday 27 October 2003 2:52 pm, Warren P wrote:
> hi
>
> WRT echo ## > /proc/net/ip_conntrack
>
> Considering i've got 1gig of RAM ... what is a safe value i
> can set ip_conntrack_max to? The current value is 65528
>
> Also when you refer to dropping ip_conntrack ... do mean
> like rmmod ip_conntrack.o?
>
> Regards,
> Warren P
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/nX5nb58ZIoF+byQRAjirAJ0VZcgBII3m44m2F3e6pAKvtV1D6ACfQjBI
3i8JEcIIT7f24e0/TeaKo3E=
=m+9W
-----END PGP SIGNATURE-----

Re: HELP!!! (ip_conntrack: table full)

[Security]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

modprobe ip_conntrack

or 

insmod ip_conntrack  

NH

On Tuesday 28 October 2003 8:34 pm, Edmund Turner wrote:
> Hey guys, its been awhile,(im getting old and my memory seems to escape
> me.) so please bear with me. :)
>
> TO remove the module
>  rmmod ip_conntrack.o
> How do I reinstate the module?????
>
>
> Regards
> edmund
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/nx0EPEfiOMhBaIMRAr/gAKCwwYZz+qyreGadotVr6YihjX0RBgCdFYkF
78edQvig80Z35SotiJJdofY=
=wyNB
-----END PGP SIGNATURE-----

Re: HELP!!! (ip_conntrack: table full)

[Alistair Tonner]

On October 28, 2003 08:34 pm, Edmund Turner wrote:
> Hey guys, its been awhile,(im getting old and my memory seems to escape
> me.) so please bear with me. :)
>
> TO remove the module
>  rmmod ip_conntrack.o
> How do I reinstate the module?????



	*THWACK* 

	insmod
	modprobe
	
	(oops .. that fish was dead .. .sorry)

>
>
> Regards
> edmund
>
>
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of NightHawk
> Sent: Tuesday, October 28, 2003 4:22 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: HELP!!! (ip_conntrack: table full)
>
> Warren,
>    I would only raise the value in /proc/net/ip_conntrack a little bit
> at a
> time till you find the lowest number that works for your situation.
> Once you
> have everything under control, the number shouldn't have to be too high,
> at
> least this has been my experience.  I only raise the number when having
> a
> "situation", and then lower it back down once things are calmed down.
>
> And yes, I did mean to rmmod ip_conntack, when I mentioned dropping
> ip_conntrack.  Although, this tends to require dropping a few other
> modules
> as well, and also tends to require stopping iptables while you do so.
> (due to
> some of the modules that you have to remove.)  Which is why it is not
> the
> best solution for all situations....
>
> NH
>
> On Monday 27 October 2003 2:52 pm, Warren P wrote:
> > hi
> >
> > WRT echo ## > /proc/net/ip_conntrack
> >
> > Considering i've got 1gig of RAM ... what is a safe value i
> > can set ip_conntrack_max to? The current value is 65528
> >
> > Also when you refer to dropping ip_conntrack ... do mean
> > like rmmod ip_conntrack.o?
> >
> > Regards,
> > Warren P

-- 

	Alistair Tonner
	nerdnet.ca
	Senior Systems Analyst - RSS
	
     Any sufficiently advanced technology will have the appearance of magic.
	Lets get magical!

Re: HELP!!! (ip_conntrack: table full)

[Security]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Warren,
   I would only raise the value in /proc/net/ip_conntrack a little bit at a
time till you find the lowest number that works for your situation.  Once you
have everything under control, the number shouldn't have to be too high, at
least this has been my experience.  I only raise the number when having a
"situation", and then lower it back down once things are calmed down.

And yes, I did mean to rmmod ip_conntack, when I mentioned dropping
ip_conntrack.  Although, this tends to require dropping a few other modules
as well, and also tends to require stopping iptables while you do so. (due to
some of the modules that you have to remove.)  Which is why it is not the
best solution for all situations....

NH

On Monday 27 October 2003 2:52 pm, Warren P wrote:
> hi
>
> WRT echo ## > /proc/net/ip_conntrack
>
> Considering i've got 1gig of RAM ... what is a safe value i
> can set ip_conntrack_max to? The current value is 65528
>
> Also when you refer to dropping ip_conntrack ... do mean
> like rmmod ip_conntrack.o?
>
> Regards,
> Warren P
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/nX62PEfiOMhBaIMRAhApAJ9wjH7HpUP2uS54gnKX366qx1HQdgCdErQ9
RijgnV+fchqx/oJ25qpCblA=
=vyvf
-----END PGP SIGNATURE-----

Re: HELP!!! (ip_conntrack: table full)

[Nox]

Your connections are staying in the table,
Ive read this before 

You can flush conntrack entries for masqueraded connections
by doing either a down/up or ip addr add/del on the associated
interface.  This probably won't help you in this case though
because the problem conntrack is not masqueraded.  I don't
know of any other ways of flushing conntracks.

But Im not sure if that will work for you,
the only other way I know is to Unload & reload the ip_conntrack module

Hope that helps

Nox
GenMicro Sytems

On Fri, 2003-09-19 at 10:43, Alpha Technologies wrote:
> Recently I am having this messages on my system: "ip_conntrack: table
> full". Please i need help. what is happening?
>  
> This is my info:
>  
> RedHat 9.0
> Kernel: 2.4.20-18.9
>  
> I really apreciate any help.
>  
> Thanks 
>  
> Pablo Tamayo
>  
> 
> 
> 
> ______________________________________________________________________
> Do You Yahoo!?
>  Todo lo que quieres saber de Estados Unidos, América Latina y el
> resto del Mundo.
> Visíta Yahoo! Noticias.

Re: HELP!!! (ip_conntrack: table full)

[Cedric Blancher]

Le ven 19/09/2003 à 17:15, Nox a écrit :
> You can flush conntrack entries for masqueraded connections
> by doing either a down/up or ip addr add/del on the associated
> interface.  This probably won't help you in this case though
> because the problem conntrack is not masqueraded.  I don't
> know of any other ways of flushing conntracks.

Afaik, if you use SNAT, then IP address removal won't change anything,
as you can SNAT on IP that does not belong to the box.
For MASQUERADE, you may have to bring the interface down to flush
associated conntrack entries.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

RE: HELP!!! (ip_conntrack: table full)

[Daniel Chemko]

DNAT uses ip_conntrack to create a reverse rule match for the packet
returning through the interface attached to the destination system.
Remember, DNAT doesn't just NAT it heading to the destination, but it
also NAT's on the way back to the original source.

-----Original Message-----
From: Warren P [mailto:warrenp@websurfer.co.za] 
Sent: Monday, October 27, 2003 12:47 PM
To: nighthawk@ezsm.net; Warren P; netfilter@lists.netfilter.org
Subject: Re: HELP!!! (ip_conntrack: table full)

Hi

Thanks ...

But tell me ... do i really need ip_conntrack? What would
happen if i remove it permanently ... how will this affect
my IP Table rule ...
I've only got one rule:
e.g: iptables -t nat -A PREROUTING -p tcp --dport 80 -j
DNAT --to 192.168.22.33:3128

------------------------------------------------------------


On Mon, 27 Oct 2003 16:09:14 -0400
 NightHawk <nighthawk@easyservermanagement.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Warren,
>    I would only raise the value in /proc/net/ip_conntrack
> a little bit at a 
> time till you find the lowest number that works for your
> situation.  Once you 
> have everything under control, the number shouldn't have
> to be too high, at 
> least this has been my experience.  I only raise the
> number when having a 
> "situation", and then lower it back down once things are
> calmed down.
> 
> And yes, I did mean to rmmod ip_conntack, when I
> mentioned dropping 
> ip_conntrack.  Although, this tends to require dropping a
> few other modules 
> as well, and also tends to require stopping iptables
> while you do so. (due to 
> some of the modules that you have to remove.)  Which is
> why it is not the 
> best solution for all situations....
> 
> NH
> 
> On Monday 27 October 2003 2:52 pm, Warren P wrote:
> > hi
> >
> > WRT echo ## > /proc/net/ip_conntrack
> >
> > Considering i've got 1gig of RAM ... what is a safe
> value i
> > can set ip_conntrack_max to? The current value is 65528
> >
> > Also when you refer to dropping ip_conntrack ... do
> mean
> > like rmmod ip_conntrack.o?
> >
> > Regards,
> > Warren P
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> 
>
iD8DBQE/nXtqb58ZIoF+byQRAgbWAKCOgeguwsDsDnvsH/8MHx5BTwKuSQCffJ+t
> fcgUdKA6Npi/VyhejhJegOE=
> =Th5c
> -----END PGP SIGNATURE-----
>