My Red Hat Enterprise Linux 5 server is reporting the following message in /var/log/messages (syslog):
ip_conntrack: table full, dropping packet.
How do I fix this error?
A. If you see this message in syslog, the connection tracking table (ip_conntrack) has run out of entries for your environment. Every new connection that does not fit is dropped, so the message means real traffic is being refused, not merely logged. Connection tracking handles up to a fixed number of simultaneous connections; the default limit is derived from the amount of RAM in the system.
You can easily raise the maximum number of tracked connections, but be aware that each tracked connection uses roughly 350 bytes of non-swappable kernel memory. Two caveats before you simply raise the number. First, the table is sized together with its hash table (on the 2.6.18 kernel the default is ip_conntrack_max = 8 * hashsize), so raising only the maximum lengthens every hash chain and slows lookups; raise the hashsize module parameter as well. Second, a full table is often a symptom rather than the problem: check whether it is full of stale entries (the TCP established timeout, net.ipv4.netfilter.ip_conntrack_tcp_timeout_established, defaults to 432000 seconds, i.e. 5 days) or of half-open entries from a SYN flood. A flood will fill a table of any size, and the fix there is rate limiting or SYN cookies, not a bigger table.
To print the current limit, type:
# sysctl net.ipv4.netfilter.ip_conntrack_max
Output:
net.ipv4.netfilter.ip_conntrack_max = 8192
To increase this limit to e.g. 12000 on the running kernel, type:
# sysctl -w net.ipv4.netfilter.ip_conntrack_max=12000
To make the change survive a reboot, add the following line to the /etc/sysctl.conf file:
net.ipv4.netfilter.ip_conntrack_max=12000
Note that this key only exists once the ip_conntrack module is loaded, so sysctl -p reports the key as unknown if it runs before the firewall has started; load the module (or start iptables) first.
The following will tell you how many sessions are open right now:
# wc -l /proc/net/ip_conntrack
Output:
5000 /proc/net/ip_conntrack
The same figure is available without walking the whole table from /proc/sys/net/ipv4/netfilter/ip_conntrack_count (sysctl net.ipv4.netfilter.ip_conntrack_count).
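The steps above (read the limit, count the live entries, pick a new maximum) put together as a small script. This is an added example, not code from the original article: it reads the RHEL 5 /proc files when run on a host, and the helper functions also work on the constructed sample lines embedded below so the logic can be checked offline. The 350-byte per-entry cost and the max = 8 * hashsize relationship are taken from the text; the writable /sys/module/ip_conntrack/parameters/hashsize path is assumed to exist on the 2.6.18 kernel, and the sample /proc/net/ip_conntrack lines are made up, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original article): size and inspect the
# RHEL 5 ip_conntrack table. The pure functions take their input as
# arguments or stdin so they can be tested on constructed data;
# conntrack_report reads the live /proc files.

# Per-entry cost the article cites (~350 bytes of non-swappable kernel memory).
CONNTRACK_ENTRY_BYTES=350

# usage_pct COUNT MAX -> integer percentage of the table in use
usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# mem_cost_kb MAX -> kernel memory (KiB) a full table of MAX entries would pin
mem_cost_kb() {
    echo $(( $1 * CONNTRACK_ENTRY_BYTES / 1024 ))
}

# hashsize_for MAX -> hash bucket count to pair with MAX (rounded up).
# The 2.6.18 module defaults to ip_conntrack_max = 8 * hashsize; raising
# only ip_conntrack_max leaves each bucket with a longer chain to walk.
hashsize_for() {
    echo $(( ($1 + 7) / 8 ))
}

# top_sources [N] -> read /proc/net/ip_conntrack lines on stdin and print
# "<entries> <src-ip>" for the N busiest original-direction sources.
top_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub("src=", "", $i); n[$i]++; break } }
         END { for (ip in n) print n[ip], ip }' | sort -rn | head -n "${1:-5}"
}

# unreplied_count -> number of half-open entries (never answered by the peer);
# a large share of these relative to the total points at a SYN flood.
unreplied_count() {
    awk '/\[UNREPLIED\]/ { n++ } END { print n + 0 }'
}

# Constructed sample in /proc/net/ip_conntrack format (not from a real host):
# one established web session, one DNS entry and three half-open connections
# from a single source, 203.0.113.7.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=43214 dport=80 src=10.0.0.5 dst=192.168.1.10 sport=80 dport=43214 [ASSURED] use=1
tcp      6 117 SYN_RECV src=203.0.113.7 dst=10.0.0.5 sport=51000 dport=80 [UNREPLIED] src=10.0.0.5 dst=203.0.113.7 sport=80 dport=51000 use=1
tcp      6 117 SYN_RECV src=203.0.113.7 dst=10.0.0.5 sport=51001 dport=80 [UNREPLIED] src=10.0.0.5 dst=203.0.113.7 sport=80 dport=51001 use=1
udp      17 29 src=192.168.1.20 dst=10.0.0.5 sport=5353 dport=53 src=10.0.0.5 dst=192.168.1.20 sport=53 dport=5353 use=1
tcp      6 117 SYN_RECV src=203.0.113.7 dst=10.0.0.5 sport=51002 dport=80 [UNREPLIED] src=10.0.0.5 dst=203.0.113.7 sport=80 dport=51002 use=1'

# conntrack_report [NEW_MAX] -> live usage, busiest sources and half-open
# count; with NEW_MAX, also the cost of that limit and the commands to apply it.
conntrack_report() {
    dir=/proc/sys/net/ipv4/netfilter
    if [ ! -r "$dir/ip_conntrack_max" ]; then
        echo "ip_conntrack module not loaded (no $dir/ip_conntrack_max)" >&2
        return 1
    fi
    max=$(cat "$dir/ip_conntrack_max")
    # ip_conntrack_count avoids walking the table; fall back to wc -l if absent
    count=$(cat "$dir/ip_conntrack_count" 2>/dev/null || wc -l < /proc/net/ip_conntrack)
    echo "conntrack: $count / $max entries ($(usage_pct "$count" "$max")% used)"
    echo "half-open (UNREPLIED) entries: $(unreplied_count < /proc/net/ip_conntrack)"
    echo "busiest sources:"
    top_sources 5 < /proc/net/ip_conntrack
    if [ -n "$1" ]; then
        echo "raising the limit to $1 pins up to $(mem_cost_kb "$1") KiB of kernel memory"
        echo "  echo $(hashsize_for "$1") > /sys/module/ip_conntrack/parameters/hashsize"
        echo "  sysctl -w net.ipv4.netfilter.ip_conntrack_max=$1"
    fi
}

# Usage on a live host: sh conntrack-check.sh 12000
# (silently skipped when the conntrack /proc files are not present)
conntrack_report "$@" 2>/dev/null || true
```

Run it as root on the affected server with the limit you intend to set; if the half-open count dominates or one source holds most of the entries, fix the flood before enlarging the table.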
9 comments:
How about SuSEFirewall2? Is there any similar way to do the same? Thanks
blink4blog,
Above instructions must work on Suse Linux.
Very nice article. Like it. :)
So nice solution.
Regards.
Eng. Mahmoud Al Sayed.
Thanks!
It works for me too – I love you :)
My server has 16 GB RAM; I am hosting some VPS.
One of the VPS is under SYN DDoS; the conntrack limit is already at 300000 but the table is still full.
I can set the limit to 3000000 and the table is always full.
Actually I use:
net.ipv4.netfilter.ip_conntrack_max = 9527600
net.ipv4.ip_conntrack_max = 9527600
OS: CentOS 5
Is there a limit on the max. conntrack value?
Thanks!
[root@host4 ~]# wc -l /proc/net/ip_conntrack
65143 /proc/net/ip_conntrack
Hmm... it seems there is a limit on the max. conntrack value.
Of course I have done sysctl -p and restarts etc., but it doesn't help.
I tried these instructions but I don't understand conntrack; who can explain it to me?
Good article, very useful.