From: Joel Newkirk <netfilter@newkirk.us>
To: Amit Kumar Gupta <amitkumar.gupta@wipro.com>,
netfilter@lists.netfilter.org
Subject: Re: Reg iptables Connection tracking
Date: Fri, 10 Jan 2003 00:32:39 -0500
Message-ID: <200301100032.39224.netfilter@newkirk.us>
In-Reply-To: <4223A04BF7D1B941A25246ADD0462FF5647695@blr-m3-msg.wipro.com>
On Friday 10 January 2003 12:03 am, Amit Kumar Gupta wrote:
> Hi List,
>
> I am getting a problem with iptables :-
>
> I have added some rules in which I check the states of the packets
> which I receive i.e. whether it is NEW, ESTABLISHED or INVALID and
> then do some actions.
>
> Now the problem which I am getting is :- (However I have already
> posted a similar query reg this but I think this will be more
> elaborative).
>
> As soon as somebody pings to my m/c , that fellow doesn't get the
> reply and on my m/c , kernel keeps dumping certain messages which are
> like this :-
>
> ip_conntrack: maximum limit of 1016 entries exceeded.
Well, that's what's happening then. The conntrack table is filling. The
real question is "why"? How many machines are connected to/through this
one, how many interfaces, subnets, etc? Ping from LAN to firewall box,
internet to LAN, what? Just this box on the internet? You need to
elaborate still further for anyone to have much chance figuring out the
source of your problem. Since the conntrack limit is being reached, try
"cat /proc/net/conntrack" and see what it's filled with. (Probably 1016
entries, but are they all legitimate traffic, or what?)
Conntrack is used for state and NAT both. It might help if you also
included the new state rules you added, and any NAT or state rules that
were already in place.
j
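A way to answer Joel's "what is it filled with?" question systematically, as an added example that is not part of the thread: the script below takes a dump of the conntrack table in the 2.4-kernel /proc/net/ip_conntrack format (the one a 2003-era box produces; the later /proc/net/nf_conntrack prefixes each line with the address family and differs slightly) and reports entries per protocol and TCP state, the busiest originating source address, how many entries are still [UNREPLIED], and how full the table is against the limit in /proc/sys/net/ipv4/ip_conntrack_max. The sample table it writes is constructed for illustration, not captured from the poster's machine; the helper and function names are this example's own. A pile of [UNREPLIED] SYN_SENT entries from a single source is the usual signature of a scan or flood, while a table full of legitimate ESTABLISHED flows simply means the default limit (sized from RAM) is too small for the host.

```sh
#!/bin/sh
# Added example (not from the thread): summarise an ip_conntrack dump to
# find out what is filling the table.  Format is the 2.4-kernel
# /proc/net/ip_conntrack, e.g.
#   tcp 6 431999 ESTABLISHED src=A dst=B sport=.. dport=.. src=B dst=A ... [ASSURED] use=1

# Write a constructed sample table (not real traffic) to the path in $1.
write_sample_table() {
    cat > "$1" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.1 sport=1030 dport=80 src=10.0.0.1 dst=192.168.1.10 sport=80 dport=1030 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.1.77 dst=10.0.0.9 sport=40001 dport=25 [UNREPLIED] src=10.0.0.9 dst=192.168.1.77 sport=25 dport=40001 use=1
tcp      6 118 SYN_SENT src=192.168.1.77 dst=10.0.0.9 sport=40002 dport=25 [UNREPLIED] src=10.0.0.9 dst=192.168.1.77 sport=25 dport=40002 use=1
tcp      6 119 SYN_SENT src=192.168.1.77 dst=10.0.0.9 sport=40003 dport=25 [UNREPLIED] src=10.0.0.9 dst=192.168.1.77 sport=25 dport=40003 use=1
udp      17 29 src=192.168.1.10 dst=10.0.0.53 sport=1025 dport=53 src=10.0.0.53 dst=192.168.1.10 sport=53 dport=1025 use=1
icmp     1 29 src=192.168.1.77 dst=10.0.0.1 type=8 code=0 id=512 [UNREPLIED] src=10.0.0.1 dst=192.168.1.77 type=0 code=0 id=512 use=1
EOF
}

# Entries grouped by protocol, and for tcp also by state (4th field).
# Output lines: "key count", e.g. "tcp/SYN_SENT 3".
conntrack_by_state() {
    awk '{ k = $1; if ($1 == "tcp") k = $1 "/" $4; n[k]++ }
         END { for (k in n) print k, n[k] }' "$1" | sort
}

# Entries per originating source address (the first src= field on the
# line is the original direction).  Output: "count address", busiest first.
conntrack_by_src() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break } }
         END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Number of entries carrying a bracketed flag, e.g. UNREPLIED or ASSURED.
conntrack_count_flag() {
    awk -v f="[$2]" 'index($0, f) { n++ } END { print n + 0 }' "$1"
}

# How full the table is: $1 is the table dump, $2 the file holding the
# limit (on 2.4 kernels /proc/sys/net/ipv4/ip_conntrack_max).
conntrack_usage() {
    used=$(awk 'END { print NR }' "$1")
    max=$(cat "$2")
    echo "$used of $max entries in use"
}

# Stand-alone run against the constructed sample.  On a live 2.4 box,
# point the functions at /proc/net/ip_conntrack and
# /proc/sys/net/ipv4/ip_conntrack_max instead.
sample="${TMPDIR:-/tmp}/ip_conntrack.sample.$$"
write_sample_table "$sample"
echo "entries by protocol/state:"; conntrack_by_state "$sample"
echo "entries by originating source:"; conntrack_by_src "$sample"
echo "unreplied entries: $(conntrack_count_flag "$sample" UNREPLIED)"
echo "assured entries:   $(conntrack_count_flag "$sample" ASSURED)"
rm -f "$sample"
```

Run on the real files, the output tells you in one pass whether the 1016 slots are held by genuine two-way flows ([ASSURED], spread across hosts) or by half-open or unanswered entries concentrated on one address, which is the difference between raising ip_conntrack_max and blocking or rate-limiting a source.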
Thread overview (9+ messages):
2003-01-10 5:03 Reg iptables Connection tracking Amit Kumar Gupta
2003-01-10 5:32 ` Joel Newkirk [this message]
2003-01-10 14:02 ` Athan
-- strict thread matches above, loose matches on Subject: below --
2003-01-10 10:34 Amit Kumar Gupta
2003-01-10 16:39 ` Athan
2003-01-10 14:25 Amit Kumar Gupta
2003-01-11 5:06 Amit Kumar Gupta
2003-01-14 12:56 Amit Kumar Gupta
2003-01-14 14:09 ` Filip Sneppe