On Sat, Dec 19, 2009 at 05:14:42PM -0500, John Lauro wrote:
> Are you using connection tracking with iptables? If so, you might want to
> consider using a more basic configuration without connection tracking.
Indeed! Most likely you have a rule somewhere which does a REJECT on INVALID packets, and those poor users are running a buggy TCP stack which breaks window scaling, SACKs or things like this, regularly causing some INVALID packets to be detected by the conntrack code. Once I even found a user who was doing all of his browsing using the same TCP source port! You bet the conntrack has good reasons to complain.

The other common issue with conntrack as shipped in common distros is that it's tuned for a desktop system (i.e. not tuned), and the table fills very fast when you use that on a server. You can easily detect this by messages in kernel logs: "Conntrack table is full".

Regards,
Willy
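As an added illustration of the two checks described in the reply above (example code, not from the original thread): a POSIX shell snippet that counts "table full" kernel messages, lists iptables rules that REJECT or DROP INVALID packets, and reports how full the conntrack table is. The sample log and rule lines are constructed; the /proc paths are the standard nf_conntrack sysctl files on Linux.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks a host for the two
# conntrack symptoms described above. Sample input below is constructed.

# Constructed kernel log excerpt (the pattern also matches the older
# ip_conntrack wording).
SAMPLE_DMESG='[12345.678] nf_conntrack: table full, dropping packet.
[12345.680] nf_conntrack: table full, dropping packet.
[12346.001] eth0: link up'

# Constructed iptables-save excerpt with one rule that rejects INVALID packets.
SAMPLE_RULES='-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 80 -j ACCEPT'

# Count "table full" messages in kernel log text read from stdin.
count_table_full() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# Print iptables-save lines that match the INVALID state and REJECT or DROP it.
# Both the "-m state" and the "-m conntrack" syntax are recognised.
find_invalid_reject_rules() {
    grep -E -e '-m (state --state|conntrack --ctstate) [A-Z,]*INVALID' \
        | grep -E -e '-j (REJECT|DROP)' || true
}

# Integer percentage of the conntrack table in use; args: count max.
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# Live check on a Linux host (silently skipped where the files are absent).
# The table size is the sysctl net.netfilter.nf_conntrack_max.
live_conntrack_report() {
    d=/proc/sys/net/netfilter
    [ -r "$d/nf_conntrack_count" ] && [ -r "$d/nf_conntrack_max" ] || return 0
    count=$(cat "$d/nf_conntrack_count"); max=$(cat "$d/nf_conntrack_max")
    echo "conntrack table: $count/$max ($(conntrack_usage_pct "$count" "$max")% used)"
}

printf '%s\n' "$SAMPLE_DMESG" | count_table_full
printf '%s\n' "$SAMPLE_RULES" | find_invalid_reject_rules
live_conntrack_report
```

On a real server, feed `dmesg` to `count_table_full` and `iptables-save` to `find_invalid_reject_rules` instead of the constructed samples.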

