* NOTRACK not working as expected
@ 2006-11-27 21:06 Wilson, Richard E
From: Wilson, Richard E @ 2006-11-27 21:06 UTC (permalink / raw)
To: netfilter
All,
Running RH EL 4 Kernel 2.6.9-42.0.3.ELsmp, iptables v1.2.11
I added the following rule to prevent the ip_conntrack table from
tracking localhost connections:
iptables -t raw -A PREROUTING -i lo -j NOTRACK
The monitor script in place to allow us to reboot this system gracefully
when the ip_conntrack table runs out of space reports when it reaches
90% of capacity (determined by ip_conntrack | wc -l / ip_conntrack_max).
I now have a couple copies of the ip_conntrack table a short time before
it ran out of space and I find a LOT (5k+) of connections with
"src=127.0.0.1 dst=127.0.0.0" in the table. Is there a better way to
create a rule to not track localhost connections?
This server has 4GB of RAM and uses the default value of 65536 for the
ip_conntrack table size. I have already changed the
ip_conntrack_tcp_timeout_established value from its default of 432000 (5
days) to 172800 (2 days) and it still ran out of table slots. This
change was made earlier today, a couple hours before the table filled
up. The localhost traffic cited above is mostly udp traffic (complex
DNS stuff going on). The server handles mail to/from the Internet, so
has a lot of short term connections.
From what I've read, increasing the size of the ip_conntrack table is
best done by powers of 2 -- is this still the case? I calculated that
the current table size is roughly 40MB of non-swappable RAM, so I have
room to increase it if all else fails.
Thanks in advance,
Richard Wilson
EDS
richard dot wilson at eds dot com
* Re: NOTRACK not working as expected
From: Tom Eastep @ 2006-11-27 21:51 UTC (permalink / raw)
To: Wilson, Richard E; +Cc: netfilter
Wilson, Richard E wrote:
>
> I added the following rule to prevent the ip_conntrack table from
> tracking localhost connections:
>
> iptables -t raw -A PREROUTING -i lo -j NOTRACK
>
...
> Is there a better way to create a rule to not track localhost connections?
>
iptables -t raw -A OUTPUT -o lo -j NOTRACK
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
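The reason the original PREROUTING-only rule did not help is that a locally generated packet to lo is first seen by conntrack in the OUTPUT hook, where the entry is created; the looped-back copy then arrives on lo in PREROUTING, too late for NOTRACK to prevent the entry. The script below is an added illustration (POSIX sh, not code from Richard's monitor script or from Tom): it emits the rule pair that exempts both legs, and runs the kind of capacity check described in the first message against a constructed sample of /proc/net/ip_conntrack lines. The sample dump, the 65536 default and the 90% threshold are taken from the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Shows the raw-table rule pair that
# keeps loopback traffic out of the conntrack table, and a small capacity
# check over a constructed /proc/net/ip_conntrack-style dump.

# Locally generated packets to lo hit raw OUTPUT first (where conntrack
# would create the entry); the looped-back copy hits raw PREROUTING.
# Exempting only PREROUTING leaves the OUTPUT leg tracked.
notrack_rules() {
    printf '%s\n' \
        'iptables -t raw -A OUTPUT -o lo -j NOTRACK' \
        'iptables -t raw -A PREROUTING -i lo -j NOTRACK'
}

# Constructed sample in the /proc/net/ip_conntrack format (2.6.9-era):
# two loopback UDP lookups (the traffic that filled the table) and two
# SMTP flows. On a real host read /proc/net/ip_conntrack instead.
SAMPLE_CONNTRACK='udp      17 25 src=127.0.0.1 dst=127.0.0.1 sport=34001 dport=53 packets=1 bytes=60 src=127.0.0.1 dst=127.0.0.1 sport=53 dport=34001 packets=1 bytes=120 use=1
udp      17 12 src=127.0.0.1 dst=127.0.0.1 sport=34002 dport=53 packets=1 bytes=60 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=34002 packets=0 bytes=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.25 sport=40111 dport=25 packets=10 bytes=1200 src=198.51.100.25 dst=192.0.2.10 sport=25 dport=40111 packets=8 bytes=900 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=203.0.113.7 dst=192.0.2.10 sport=52000 dport=25 packets=12 bytes=1500 src=192.0.2.10 dst=203.0.113.7 sport=25 dport=52000 packets=9 bytes=800 [ASSURED] use=1'

# Number of entries in the dump read from stdin (one entry per line).
count_entries() {
    grep -c .
}

# Entries whose original direction originates from 127.0.0.1; the first
# src= on a line is the original direction, so a per-line match suffices.
count_lo_entries() {
    grep -c 'src=127\.0\.0\.1 '
}

# Integer percentage of the table in use: $1 = entries, $2 = ip_conntrack_max.
usage_percent() {
    echo $(( $1 * 100 / $2 ))
}

# True when $1 (percent) has reached the threshold $2 (default 90).
over_threshold() {
    [ "$1" -ge "${2:-90}" ]
}

main() {
    # On a real host: max=$(cat /proc/sys/net/ipv4/ip_conntrack_max)
    max=${1:-65536}
    total=$(printf '%s\n' "$SAMPLE_CONNTRACK" | count_entries)
    lo=$(printf '%s\n' "$SAMPLE_CONNTRACK" | count_lo_entries)
    pct=$(usage_percent "$total" "$max")
    echo "conntrack entries: $total of $max (${pct}%), loopback-originated: $lo"
    if over_threshold "$pct" 90; then
        echo "WARNING: conntrack table at or above 90% of ip_conntrack_max"
    fi
    echo "rules that exempt both legs of loopback traffic:"
    notrack_rules
}

main "$@"
```

Run it with no arguments to use the 65536 default, or pass the live ip_conntrack_max as the first argument. The loopback count is the figure worth watching after adding the OUTPUT rule: if it keeps growing, some loopback traffic is still being tracked.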