Linux Iptables ip_conntrack: table full, dropping packet error and solution
Q. My Red hat Enterprise Linux 5 server reporting the following message in /var/log/messages (syslog):
ip_conntrack: table full, dropping packet.
How do I fix this error?
A. If you notice the above message in syslog, it looks like the conntrack database doesn't have enough entries for your environment. Connection tracking by default handles up to a certain number of simultaneous connections. This number is dependent on you system's maximum memory size.
You can easily increase the number of maximal tracked connections, but be aware that each tracked connection eats about 350 bytes of non-swappable kernel memory!
To print current limit type:
# sysctl net.ipv4.netfilter.ip_conntrack_max
Output:
8192
To increase this limit to e.g. 12000, type:
# sysctl -w net.ipv4.netfilter.ip_conntrack_max=12000
Alternatively, add the following line to /etc/sysctl.conf file:
net.ipv4.netfilter.ip_conntrack_max=12000
The following will tell you how many sessions are open right now:
# wc -l /proc/net/ip_conntrack
Output:
5000 /proc/net/ip_conntrack
References:
E-mail this to a friend
Printable version
Related Other Helpful FAQs:
- Linux Null route an attackers ip
- BASH Shell: How To Redirect stderr To stdout ( redirect stderr to a File )
- Iptables setup masquerading for Linux firewall
- Create a mysql database, tables and insert data
- Understanding Routing Table
Discussion on This FAQ
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!
Tags: /proc/net/ip_conntrack, enterprise linux, ipv4, kernel memory, max output, maximum limit, maximum memory size, net.ipv4.netfilter.ip_conntrack_max, red hat enterprise, simultaneous connections, syslog
January 12th, 2008 at 3:30 pm
How about SuSEFirewall2? Are there any similar way to do the same? Thanks
January 12th, 2008 at 3:42 pm
blink4blog,
Above instructions must work on Suse Linux.