From: Steven M Campbell <Netfilter@SCampbell.net>
To: netfilter@lists.netfilter.org
Subject: Re: It seems I've found why conntrack blocks some packets
Date: Sat, 01 Apr 2006 23:08:51 -0500
Message-ID: <442F4E53.9060501@SCampbell.net>
In-Reply-To: <cc4fcc140604011259m3ee3a19coa5aac5a34ba3f66e@mail.gmail.com>

Carlos Pastorino wrote:
> Now, commenting on this message: I actually didn't know that the
> conntrack table had a limit. Learning something every day. I will
> check its value on Monday, during peak time.

A related thought to this: I wonder how many connections are not being closed nicely and then have to hang around in the conntrack table. If you find that you are approaching the limits then you might want to look into the various connection tracking timings.


> Another thought: if the ACKs that are being blocked are for some
> reason malformed, wouldn't they be blocked as well by the last rule?

The last rule is a log-only rule:

	$IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD blocked: "

It's the one generating the log messages we see, therefore we are actually falling off the table and taking the default policy, which is 'DROP' ($IPTABLES -P FORWARD DROP).

Also, there really isn't that much to the syn-ack packets, kinda hard to malform them too much. 


> 
>> One other thought to this, if I were to presume the ${variables} and ...ip's then I would presume that the RELATED rules should allow these ack's to go through.  The only reason I know of for them not to (again, assuming all the addressing is really ok) would be that the conntrack table has filled up.
>>
>> To see the maximum connections that can be tracked:
>>
>> # cat /proc/sys/net/ipv4/ip_conntrack_max
>> 32760
>>
>> To see how many you are using at a given moment
>>
>> # wc  -l /proc/net/ip_conntrack
>> 16 /proc/net/ip_conntrack
>>
>>
>> This is from my house and there really isn't all that much going on, I would expect far larger counts, you may need to up ip_conntrack_max.  This is really out in the SWAG arena because I can't see the details of your installation.
>>
>>
> 



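The checks quoted above (reading ip_conntrack_max, counting the entries in use, and looking at the tracking timeouts) can be put into one small script that also scans the kernel log for the "table full, dropping packet" message that accompanies the kind of drop the thread is chasing. This is an added example, not code from the original message. It assumes the modern sysctl paths under /proc/sys/net/netfilter (the thread's 2006 paths are noted in the comments and can be substituted through the environment variables); the 80% warning threshold and the sample log lines used in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: report conntrack table utilisation and count kernel
# "table full" drop messages. Not part of the original thread.
#
# Defaults are the current nf_conntrack sysctl files. On the 2006-era
# kernel in the thread, override them:
#   CT_MAX_FILE=/proc/sys/net/ipv4/ip_conntrack_max
#   CT_COUNT_FILE=/proc/net/ip_conntrack   (one line per tracked flow)
CT_MAX_FILE="${CT_MAX_FILE:-/proc/sys/net/netfilter/nf_conntrack_max}"
CT_COUNT_FILE="${CT_COUNT_FILE:-/proc/sys/net/netfilter/nf_conntrack_count}"
CT_EST_TIMEOUT_FILE="${CT_EST_TIMEOUT_FILE:-/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established}"
WARN_PCT="${WARN_PCT:-80}"   # warning threshold in percent (constructed default)

# read_int FILE: print the first integer found in FILE, or 0 if unreadable.
read_int() {
    if [ -r "$1" ]; then
        tr -dc '0-9\n' < "$1" | head -n 1
    else
        echo 0
    fi
}

# conntrack_count FILE: nf_conntrack_count holds a single integer, while the
# old /proc/net/ip_conntrack holds one line per flow, so fall back to wc -l.
conntrack_count() {
    [ -r "$1" ] || { echo 0; return; }
    lines=$(wc -l < "$1" | tr -d ' ')
    if [ "$lines" -eq 1 ] && grep -qx '[0-9]*' "$1"; then
        read_int "$1"
    else
        echo "$lines"
    fi
}

# conntrack_pct MAX COUNT: integer percentage of the table that is in use.
conntrack_pct() {
    max=$1 count=$2
    [ "$max" -gt 0 ] || { echo "conntrack_pct: max must be > 0" >&2; return 2; }
    echo $(( count * 100 / max ))
}

# conntrack_check: print utilisation and the established-TCP timeout;
# return 1 when utilisation is at or above WARN_PCT, 2 on unreadable input.
conntrack_check() {
    max=$(read_int "$CT_MAX_FILE")
    count=$(conntrack_count "$CT_COUNT_FILE")
    est=$(read_int "$CT_EST_TIMEOUT_FILE")
    pct=$(conntrack_pct "$max" "$count") || return 2
    printf 'conntrack: %s/%s entries (%s%%), tcp established timeout %ss\n' \
        "$count" "$max" "$pct" "$est"
    if [ "$pct" -ge "$WARN_PCT" ]; then
        echo "WARNING: conntrack table is ${pct}% full; new flows are dropped once it fills" >&2
        return 1
    fi
    return 0
}

# table_full_drops LOGFILE: count kernel messages reporting conntrack drops.
# Matches both the 2.6-era "ip_conntrack: table full, dropping packet" and
# the current "nf_conntrack: table full, dropping packet" wording.
table_full_drops() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c 'conntrack: table full, dropping packet' "$1" || true
}

# Run against the live system only when invoked directly as a script.
case "$0" in
    *conntrack_check.sh)
        conntrack_check
        echo "table-full drops in /var/log/kern.log: $(table_full_drops /var/log/kern.log)"
        ;;
esac
```

Save it as conntrack_check.sh and run it on the firewall during the peak period the thread mentions; a non-zero exit from conntrack_check, or a growing count from table_full_drops, confirms the "table filled up" hypothesis before ip_conntrack_max is raised or the tracking timeouts are shortened.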