On Tue, Oct 06, 2009 at 03:04:55PM -0700, Michael Marano wrote:
> Subsequent load tests proved me wrong. I'm still getting the nf_conntrack
> messages. Perhaps I've misconfigured my iptables rules?
I suspect this is because conntrack entries are created again on backwards traffic. Also, in my opinion, the 8080 port below will not match because those are outgoing packets. I *think* you should try this way :

sudo /sbin/iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK
sudo /sbin/iptables -t raw -A OUTPUT -p tcp --sport 80 -j NOTRACK
sudo /sbin/iptables -t raw -A OUTPUT -p tcp --dport 8080 -j NOTRACK
sudo /sbin/iptables -t raw -A PREROUTING -p tcp --sport 8080 -j NOTRACK

You can also tune your nf_conntrack module to accept more entries; by default the number of connections is very low. You must also increase the hash size so that it does not eat all your CPU. In older versions this was specified as a module parameter at load time (check modinfo), and on recent versions you can tune that in /proc/sys/net (check for nf_conntrack_max, nf_conntrack_htable_size).

But I agree with Stefan, most of the time you don't need nf_conntrack on a machine running haproxy, because that machine most likely is dedicated. So you can run with stateless port filtering. Basically 2-3 rules to allow incoming HTTP, SSH and drop everything else.

Regards,
Willy
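An added example (not part of Willy's reply) showing what the stateless ruleset he describes looks like when combined with the NOTRACK rules above, emitted as a dry run so it can be reviewed before being applied. It assumes haproxy listens on port 80, backends are reached on port 8080 and management is over SSH on port 22; the handling of backend replies is my addition, since without conntrack there is no ESTABLISHED state to match on.

```shell
#!/bin/sh
# Added example for a dedicated haproxy box: keep HTTP out of the conntrack table
# and filter the rest statelessly. IPT defaults to a dry run that prints the
# commands; set IPT=/sbin/iptables (as root) to actually load them.
IPT="${IPT:-echo /sbin/iptables}"

# emit_rules <iptables-cmd> <web-port> <backend-port>
# Without conntrack there is no ESTABLISHED match, so replies from backends to
# connections haproxy opened must be allowed statelessly: packets coming from
# the backend port that are not a bare SYN (i.e. not a new connection attempt).
# The cost of this is that any non-SYN packet with source port <backend-port>
# is accepted, which is the trade-off of running without state.
emit_rules() {
    ipt="$1" web_port="$2" backend_port="$3"
    # Raw table: the four NOTRACK rules from the reply, both directions, both ports.
    $ipt -t raw -A PREROUTING -p tcp --dport "$web_port" -j NOTRACK
    $ipt -t raw -A OUTPUT     -p tcp --sport "$web_port" -j NOTRACK
    $ipt -t raw -A OUTPUT     -p tcp --dport "$backend_port" -j NOTRACK
    $ipt -t raw -A PREROUTING -p tcp --sport "$backend_port" -j NOTRACK
    # Filter table: loopback, inbound HTTP, SSH, backend replies, drop everything else.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -p tcp --dport "$web_port" -j ACCEPT
    $ipt -A INPUT -p tcp --dport 22 -j ACCEPT
    $ipt -A INPUT -p tcp --sport "$backend_port" ! --syn -j ACCEPT
    $ipt -P INPUT DROP
}

# count_rules <web-port> <backend-port>: number of commands a dry run produces,
# useful as a sanity check before applying.
count_rules() {
    emit_rules echo "$1" "$2" | wc -l | tr -d ' '
}

emit_rules "$IPT" 80 8080
```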

