Linux Iptables ip_conntrack: table full, dropping packet error and solution

Last updated May 20, 2009

My Red Hat Enterprise Linux 5 server is reporting the following message in /var/log/messages (syslog):

ip_conntrack: table full, dropping packet.

How do I fix this error?

A. If you see this message in syslog, the connection tracking (conntrack) table is full: the ip_conntrack module has reached the maximum number of entries it is allowed to keep, and it drops every packet that would need a new entry until an existing entry times out. The default maximum is calculated when the module loads and depends on how much memory the system has. Any burst of new flows can exhaust the table, whether it is legitimate traffic, a port scan or a SYN flood, and once it is full the firewall refuses new connections for every host behind it, so this is a denial-of-service concern as well as a capacity problem.

You can easily increase the maximum number of tracked connections, but be aware that each tracked connection eats about 350 bytes of non-swappable kernel memory, so a limit of 1,000,000 entries costs roughly 350 MB. Also note that entries live in a hash table whose number of buckets (hashsize) is fixed when the module loads; raising ip_conntrack_max on its own makes the bucket chains longer and lookups slower. On RHEL 5 the bucket count is the hashsize option of the ip_conntrack module, set in /etc/modprobe.conf; on kernels that use nf_conntrack it can be changed at run time through /sys/module/nf_conntrack/parameters/hashsize.

To print the current limit, type:
# sysctl net.ipv4.netfilter.ip_conntrack_max

To increase this limit to e.g. 12000, type:
# sysctl -w net.ipv4.netfilter.ip_conntrack_max=12000

A value set with sysctl -w is lost at reboot. To make it permanent, add the following line to the /etc/sysctl.conf file and run sysctl -p to apply it:
net.ipv4.netfilter.ip_conntrack_max = 12000

The following will tell you how many sessions are open right now:
# wc -l /proc/net/ip_conntrack
5000 /proc/net/ip_conntrack

The same number is available from /proc/sys/net/ipv4/netfilter/ip_conntrack_count, which is much cheaper to read than listing the whole table and is the better choice for monitoring. Compare it with ip_conntrack_max before raising the limit: if the count sits near the ceiling during normal operation the table is simply undersized, but if it only spikes during an attack, rate limiting or a shorter timeout may serve you better than an ever larger table.
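As an added example that is not part of the original post, here is a small POSIX shell script that checks how close the table is to the limit discussed above, so you can alert before the kernel starts dropping packets. It reads the *_count counter rather than counting lines in /proc/net/ip_conntrack, accepts the newer nf_conntrack sysctl names used by CentOS 6 and later kernels as well as the RHEL 5 ip_conntrack names, and reports the hash table size where the module exposes it. The ROOT prefix, the 80% threshold, the Nagios-style exit codes and the conntrack_check.sh filename are assumptions of this example, not anything the kernel defines.

```shell
#!/bin/sh
# conntrack_check.sh -- added example, not from the original post.
# Reports how full the connection tracking table is and warns before the
# kernel starts logging "ip_conntrack: table full, dropping packet".
# It understands both the old names (RHEL/CentOS 5: ip_conntrack_*) and
# the newer ones (nf_conntrack_*). ROOT is prefixed to every path so the
# functions can be pointed at a fake tree; on a live box ROOT is empty.
# The 80% default threshold is an arbitrary choice, not a kernel value.

# first_existing FILE...: print the first readable file among the arguments.
first_existing() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# conntrack_max ROOT: the configured ceiling (the sysctl the article raises).
conntrack_max() {
    f=$(first_existing \
        "$1/proc/sys/net/netfilter/nf_conntrack_max" \
        "$1/proc/sys/net/ipv4/netfilter/ip_conntrack_max") || return 1
    cat "$f"
}

# conntrack_count ROOT: entries in use right now. Reading this counter is
# much cheaper than "wc -l /proc/net/ip_conntrack", which walks the table.
conntrack_count() {
    f=$(first_existing \
        "$1/proc/sys/net/netfilter/nf_conntrack_count" \
        "$1/proc/sys/net/ipv4/netfilter/ip_conntrack_count") || return 1
    cat "$f"
}

# conntrack_hashsize ROOT: number of hash buckets, if the module exposes it.
# Entries per bucket (max / hashsize) grow when only *_max is raised.
conntrack_hashsize() {
    f=$(first_existing \
        "$1/sys/module/nf_conntrack/parameters/hashsize" \
        "$1/sys/module/ip_conntrack/parameters/hashsize") || return 1
    cat "$f"
}

# conntrack_pct ROOT: integer percentage of the table in use.
conntrack_pct() {
    max=$(conntrack_max "$1") || return 1
    cnt=$(conntrack_count "$1") || return 1
    [ "$max" -gt 0 ] || return 1
    echo $(( cnt * 100 / max ))
}

# conntrack_check ROOT THRESHOLD: one status line plus an exit code in the
# Nagios convention (0 OK, 1 WARN, 2 UNKNOWN).
conntrack_check() {
    root=$1
    thr=${2:-80}
    pct=$(conntrack_pct "$root") || {
        echo "UNKNOWN: no conntrack sysctls found under ${root:-/} (module not loaded?)"
        return 2
    }
    detail="$(conntrack_count "$root")/$(conntrack_max "$root") entries"
    hs=$(conntrack_hashsize "$root") && detail="$detail, hashsize $hs"
    if [ "$pct" -ge "$thr" ]; then
        echo "WARN: conntrack table ${pct}% full ($detail)"
        return 1
    fi
    echo "OK: conntrack table ${pct}% full ($detail)"
    return 0
}

# Run against the live system only when executed under the script's own
# name, so the file can also be sourced (for example by tests).
case "${0##*/}" in
    conntrack_check.sh) conntrack_check "" "${1:-80}" ;;
esac
```

Save it as conntrack_check.sh and run it from cron or as an NRPE/Nagios check; pass a different threshold as the first argument if 80% is too eager for your traffic pattern. The hashsize part of the output is the caveat from above made visible: when max divided by hashsize is large, raising the ceiling alone lengthens the bucket chains, so raise hashsize with it (a module option on RHEL 5, a writable sysfs parameter on kernels that use nf_conntrack).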

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector.

12 comments

  1. My server has 16 GB RAM – I am hosting some VPS.
    One of the VPS is under SYN DDoS; the limit of conntrack is already at 300000 but the table is still full.
    I can set the limit to 3000000 and the table is always full.

    Actually I use:
    net.ipv4.netfilter.ip_conntrack_max = 9527600
    net.ipv4.ip_conntrack_max = 9527600

    OS: centos 5

    Is there a limit on the max. conntrack value?


  2. You can also get current count of entries in the connection table by reading /proc/sys/net/ipv4/netfilter/ip_conntrack_count.

    It’s much faster than a “wc -l” and useful for graphing/monitoring with collectd/zabbix/nagios etc.

  3. For CentOS 6.x it is changed to the following:

    To print current limit type:
    # sysctl net.nf_conntrack_max

    To increase this limit to e.g. 100000, type:
    # sysctl -w net.nf_conntrack_max=100000

    To make this settings permanent add the following line to /etc/sysctl.conf file:
    net.nf_conntrack_max = 100000

    The following will tell you how many sessions are open right now:
    # wc -l /proc/net/nf_conntrack
