Life, Football, Technology and Vespas…

IP Tables Max Connections

If you, like me, run a Linux firewall, you may find connections doing weird things: taking a long time to establish, or sometimes dying completely, often with little to no load on the machine. One thing worth checking is the maximum number of tracked connections that the firewall's connection-tracking (conntrack) table can hold:

# cat /proc/sys/net/ipv4/ip_conntrack_max
16640
This shows the maximum number of tracked connections the kernel will hold. To determine whether you are reaching this threshold, read the current count:
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
16640

The above shows that the table is full. Once this starts happening, any packet that would need a new conntrack entry is dropped (already-tracked connections keep working, but new ones cannot be established), causing all kinds of trouble. The kernel logs it like this:

kernel: ip_conntrack: table full, dropping packet.

The way around this is to raise the limit. It can be done on the fly by writing a new value to the same file, and it takes effect immediately. Each tracked entry costs kernel memory, so size the limit to the connection volume you actually see rather than picking an arbitrarily large number:

# echo 131072 > /proc/sys/net/ipv4/ip_conntrack_max
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
44796

To make the change permanent across reboots, add the following line to /etc/sysctl.conf:

net.ipv4.ip_conntrack_max = 131072

Two caveats. On kernels that use the nf_conntrack module instead of the old ip_conntrack module, the same values live under /proc/sys/net/netfilter/ (nf_conntrack_max and nf_conntrack_count) and the sysctl key is net.netfilter.nf_conntrack_max. And raising the maximum without also raising the conntrack hash table size (the hashsize module parameter, e.g. /sys/module/nf_conntrack/parameters/hashsize) leaves lookups walking longer bucket chains as the table fills, so raise both together.
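The procedure above (read the limit, read the count, watch for the kernel message, raise the limit) as a single script. This is an added example, not code from the original post. It assumes a Linux host and uses the real /proc and /sys paths for both the old ip_conntrack and the current nf_conntrack module; the 300-bytes-per-entry cost and the max/4 hash-size rule are rules of thumb, not kernel constants, and the sample log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: report how full the conntrack
# table is, flag "table full" kernel messages, and size the fix.
# Assumptions: Linux host; /proc and /sys paths below are the real ones for the
# old ip_conntrack and current nf_conntrack modules. The ~300 bytes per entry
# and the max/4 hash-size figures are rules of thumb (assumed, not measured).
# SAMPLE_LOG is constructed for the demo.

# Print the contents of the first readable path given; return 1 if none exist.
read_first_existing() {
    for p in "$@"; do
        if [ -r "$p" ]; then cat "$p"; return 0; fi
    done
    return 1
}

# Current limit and current fill level: new path first, old path as fallback.
conntrack_max() {
    read_first_existing /proc/sys/net/netfilter/nf_conntrack_max \
                        /proc/sys/net/ipv4/ip_conntrack_max
}
conntrack_count() {
    read_first_existing /proc/sys/net/netfilter/nf_conntrack_count \
                        /proc/sys/net/ipv4/netfilter/ip_conntrack_count
}

# Integer percentage of the table in use.  Usage: usage_pct COUNT MAX
usage_pct() {
    [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# ok / warn / full, so a monitor can act before packets start being dropped.
# Usage: classify COUNT MAX
classify() {
    pct=$(usage_pct "$1" "$2") || return 1
    if [ "$1" -ge "$2" ]; then echo full
    elif [ "$pct" -ge 80 ]; then echo warn
    else echo ok
    fi
}

# Number of "table full, dropping packet" lines in kernel log text on stdin.
# The pattern matches both the ip_conntrack and nf_conntrack message prefixes.
count_table_full() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# Rough kernel memory for a given limit, in KiB (assumes ~300 bytes per entry).
est_memory_kb() { echo $(( $1 * 300 / 1024 )); }

# Hash buckets to pair with a new limit (rule of thumb: max / 4).
suggested_hashsize() { echo $(( $1 / 4 )); }

# Apply a new limit and a matching hash size at runtime (root only; nf paths,
# old kernels use /proc/sys/net/ipv4/ip_conntrack_max and the ip_conntrack
# module's hashsize). Not called below; the sysctl.conf line persists the limit.
apply_new_max() {
    echo "$1" > /proc/sys/net/netfilter/nf_conntrack_max &&
    echo "$(suggested_hashsize "$1")" > /sys/module/nf_conntrack/parameters/hashsize
}

# Constructed sample of syslog output from a firewall whose table filled up.
SAMPLE_LOG='Mar  3 10:01:02 fw kernel: ip_conntrack: table full, dropping packet.
Mar  3 10:01:02 fw kernel: ip_conntrack: table full, dropping packet.
Mar  3 10:01:05 fw kernel: eth0: link up'

# Live report on this host (skipped quietly where the sysctls do not exist).
if max=$(conntrack_max) && count=$(conntrack_count); then
    echo "conntrack: $count / $max ($(usage_pct "$count" "$max")%): $(classify "$count" "$max")"
    echo "table-full drops in dmesg: $(dmesg 2>/dev/null | count_table_full)"
else
    echo "conntrack sysctls not readable here; module not loaded or not Linux" >&2
fi

# What raising the limit to 131072 costs and which hashsize to pair with it.
NEW_MAX=131072
echo "new max $NEW_MAX: ~$(est_memory_kb "$NEW_MAX") KiB, hashsize $(suggested_hashsize "$NEW_MAX")"
echo "sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_table_full) table-full drops"
```

Run it as root on the firewall to see the live numbers; the classify function returns warn at 80% so you can alert before the kernel starts dropping packets rather than after the "table full" line shows up. apply_new_max writes the limit and the hash size together, which is the part the one-line echo in the post leaves out.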