Subsequent load tests proved me wrong. I'm still getting the nf_conntrack messages. Perhaps I've misconfigured my iptables rules?
# bits of /var/log/messages
Oct 6 21:58:40 w1 kernel: [3718555.091684] printk: 2 messages suppressed.
Oct 6 21:58:40 w1 kernel: [3718555.091705] nf_conntrack: table full, dropping packet.
Oct 6 21:58:41 w1 kernel: [3718290.353966] device eth0 entered promiscuous mode
Oct 6 21:58:43 w1 kernel: [3718558.070993] nf_conntrack: table full, dropping packet.
Oct 6 21:58:44 w1 kernel: [3718559.097679] nf_conntrack: table full, dropping packet.

I've got this in a shell script:

----
#!/bin/sh
sudo /sbin/iptables -F
sudo /sbin/iptables -A INPUT -i lo -j ACCEPT
sudo /sbin/iptables -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
sudo /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/iptables -A OUTPUT -j ACCEPT

# tell iptables to skip tracking on ports haproxy is monitoring
sudo /sbin/iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK
sudo /sbin/iptables -t raw -A PREROUTING -p tcp --dport 8080 -j NOTRACK

# ... Rules to allow stuff...

sudo /sbin/iptables -A INPUT -j REJECT
sudo /sbin/iptables -A FORWARD -j REJECT
------

But then when I list my tables, I'm not seeing anything about the NOTRACK rules.
-----
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:81
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
-----

Michael Marano

From: Michael Marano <[email protected]>
Date: Tue, 06 Oct 2009 13:49:02 -0700
To: Stefan Johansson <[email protected]>, <[email protected]>
Conversation: Kernel tuning recommendations
Subject: Re: Kernel tuning recommendations

Stefan,

That seems to have eliminated any log messages in my staging environment under a load test. I think that will do the trick. Thanks for your help.

Any general recommendations for sysctl settings would still be appreciated. This is the first time I've had to tune the kernel settings, so any guidance will help.

Michael Marano

From: Stefan Johansson <[email protected]>
Date: Tue, 6 Oct 2009 22:27:49 +0200
To: Michael Marano <[email protected]>, <[email protected]>
Subject: RE: Kernel tuning recommendations

iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK
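The listing above is the output of plain `iptables -L`, which shows only the filter table; NOTRACK rules live in the raw table and appear only under `iptables -t raw -L -n` or in `iptables-save`. The following script is an added example, not from the thread or from haproxy: it parses `iptables-save` text to confirm the raw-table NOTRACK rules are loaded for a given port, and reads the conntrack count/max counters to report how full the table is. The ruleset it runs on is constructed to match the script in the thread.

```shell
# Added example, not from the thread. Checks the two things the thread is about:
# (1) are the NOTRACK rules really loaded in the raw table, and (2) how full is
# the conntrack table. Sample inputs below are constructed, not captured.

# has_notrack RULESET PORT: returns 0 if RULESET (iptables-save text) has a
# raw-table PREROUTING rule "-p tcp --dport PORT -j NOTRACK".
has_notrack() {
  printf '%s\n' "$1" | awk -v port="$2" '
    /^\*/ { table = substr($0, 2) }        # "*raw", "*filter", ... start a table
    table == "raw" && /^-A PREROUTING / && /-p tcp/ && /-j NOTRACK/ {
      for (i = 1; i < NF; i++)
        if ($i == "--dport" && $(i + 1) == port) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# conntrack_pct COUNT_FILE MAX_FILE: integer percent of the conntrack table in use.
# On a live host pass /proc/sys/net/netfilter/nf_conntrack_count and _max.
conntrack_pct() {
  count=$(cat "$1"); max=$(cat "$2")
  echo $(( count * 100 / max ))
}

# Constructed iptables-save output shaped like the script in the thread.
SAMPLE_RULESET='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK
-A PREROUTING -p tcp -m tcp --dport 8080 -j NOTRACK
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

for p in 80 8080 443; do
  if has_notrack "$SAMPLE_RULESET" "$p"; then
    echo "dport $p: NOTRACK rule loaded (raw/PREROUTING)"
  else
    echo "dport $p: still tracked by conntrack"
  fi
done
```

On a real host, replace `SAMPLE_RULESET` with `"$(sudo iptables-save)"`; a port that reports "still tracked" is one whose connections still consume conntrack entries.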

