Linux Iptables ip_conntrack: table full, dropping packet error and solution

last updated May 20, 2009 in CentOS, Debian / Ubuntu, Iptables, Linux, RedHat and Friends, Suse, Troubleshooting, Ubuntu Linux

My Red hat Enterprise Linux 5 server reporting the following message in /var/log/messages (syslog):

ip_conntrack: table full, dropping packet.

How do I fix this error?

A. If you notice the above message in syslog, it looks like the conntrack database doesn’t have enough entries for your environment. Connection tracking by default handles up to a certain number of simultaneous connections. This number is dependent on you system’s maximum memory size.

You can easily increase the number of maximal tracked connections, but be aware that each tracked connection eats about 350 bytes of non-swappable kernel memory!

To print current limit type:
# sysctl net.ipv4.netfilter.ip_conntrack_max
Output:

To increase this limit to e.g. 12000, type:
# sysctl -w net.ipv4.netfilter.ip_conntrack_max=12000
Alternatively, add the following line to /etc/sysctl.conf file:
net.ipv4.netfilter.ip_conntrack_max=12000
The following will tell you how many sessions are open right now:
# wc -l /proc/net/ip_conntrack
Output:

5000 /proc/net/ip_conntrack

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

12 comment

blink4blog says:
January 12, 2008 at 3:30 pm
How about SuSEFirewall2? Are there any similar way to do the same? Thanks
nixCraft says:
January 12, 2008 at 3:42 pm
blink4blog,
Above instructions must work on Suse Linux.
we3cares says:
September 23, 2008 at 4:16 am
Very Nice Article……..
Like it….. :)
OQiis co. says:
November 12, 2008 at 2:44 am
So nice solution.
Regards.
Eng. Mahmoud Al Sayed.
Georgi Georgiev says:
March 7, 2009 at 1:45 am
Thanks!
It works for me too – I love you :)
d0r says:
April 3, 2010 at 9:49 pm
my server has 16 gb ram – i am hosting some VPS.
one of the VPS is under syn ddos, the limit of conntrack is already at 300000 but the table is still full.
i can set the limit to 3000000 and the table is always full.
actually i use:
net.ipv4.netfilter.ip_conntrack_max = 9527600
net.ipv4.ip_conntrack_max = 9527600
OS: centos 5
is there a limit of max. conntrack value?
thanks!
d0r says:
April 3, 2010 at 9:52 pm
[root@host4 ~]# wc -l /proc/net/ip_conntrack
65143 /proc/net/ip_conntrack
mhh… seems there is a limit of the max. conntrack value.
of course i have done sysctl -p and done restarts etc., but it dont help.
Amos says:
June 7, 2011 at 7:29 am
You can also get current count of entries in the connection table by reading /proc/sys/net/ipv4/netfilter/ip_conntrack_count.
It’s much faster than a “wc -l” and useful for graphing/monitoring with collectd/zabbix/nagios etc.
lam seo website says:
July 10, 2012 at 7:48 am
i try with this introduce but i don’t understand about conntrack, who can explain for me
Ballesh says:
April 12, 2013 at 3:46 pm
Good Article, very useful……………………………………..
farzin says:
August 30, 2014 at 3:20 pm
for centos 6.x it is changed to the following codes :
To print current limit type:
# sysctl net.nf_conntrack_max
Output:65536
To increase this limit to e.g. 100000, type:
# sysctl -w net.nf_conntrack_max=100000
To make this settings permanent add the following line to /etc/sysctl.conf file:
net.nf_conntrack_max = 100000
The following will tell you how many sessions are open right now:
# wc -l /proc/net/nf_conntrack
Deepak says:
August 6, 2015 at 12:55 pm
i am using centos 2.1 and ite not working actually i am not found this: net.ipv4.netfilter.ip_conntrack_max

Still, have a question? Get help on our forum!

Tagged as: /proc/net/ip_conntrack, enterprise linux, ipv4, kernel memory, max output, maximum limit, maximum memory size, net.ipv4.netfilter.ip_conntrack_max, red hat enterprise, simultaneous connections, syslog