This works great for me:
# NOTRACK is only valid in the raw table, so -t raw is required (protocol 17 is UDP)
iptables -t raw -A OUTPUT -p udp --dport 123 -j NOTRACK
iptables -t raw -A OUTPUT -p udp --sport 123 -j NOTRACK
iptables -t raw -A PREROUTING -i eth0 -p udp --dport 123 -j NOTRACK
or if you happen to use shorewall, in the notrack file:
net 0.0.0.0/0 udp 123
fw 0.0.0.0/0 udp 123
fw 0.0.0.0/0 udp - 123
Quoting Thomas Rieschl <[email protected]>:
> Hello!
> Sometimes I get a lot of those lines in my syslog:
> ip_conntrack: table full, dropping packet
> And sometimes my server hangs because of that.
> I want to prevent those system downtimes, and I want to track the
> source of this error.
> apache, postfix, ... don't cause that many connections, so I thought of NTP.
> The /proc/sys/net/ipv4/ip_conntrack_max is set to 16896.
> Is it possible that I get more than 16896 connections from my NTP?
> That sounds quite a lot to me...
> Thanks for your help!
> Cheers,
> Thomas
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
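As an added example (not from either message in this thread, and not part of any project), here is a small POSIX shell/awk check that answers the question the original poster asked: how many conntrack entries belong to NTP, and how much of ip_conntrack_max the table is using. It reads entries in either the legacy /proc/net/ip_conntrack layout ("udp 17 ...") or the newer /proc/net/nf_conntrack layout ("ipv4 2 udp 17 ..."); the sample entries, addresses and the function names are constructed for the example and deliberately mix both layouts to exercise the parser.

```shell
#!/bin/sh
# Added example: measure how much of the connection-tracking table NTP
# (UDP port 123) is consuming. Reads conntrack entries on stdin.

# Constructed sample entries (not captured from a real host); they mix the
# legacy ip_conntrack layout and the nf_conntrack layout on purpose.
SAMPLE_CONNTRACK='udp      17 29 src=192.0.2.10 dst=192.0.2.1 sport=123 dport=123 src=192.0.2.1 dst=192.0.2.10 sport=123 dport=123 use=1
udp      17 25 src=198.51.100.7 dst=192.0.2.1 sport=40123 dport=123 [UNREPLIED] src=192.0.2.1 dst=198.51.100.7 sport=123 dport=40123 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.5 dst=192.0.2.1 sport=52000 dport=25 src=192.0.2.1 dst=203.0.113.5 sport=25 dport=52000 [ASSURED] use=1
ipv4     2 tcp      6 300 ESTABLISHED src=203.0.113.9 dst=192.0.2.1 sport=52001 dport=80 src=192.0.2.1 dst=203.0.113.9 sport=80 dport=52001 [ASSURED] use=1
ipv4     2 udp      17 10 src=192.0.2.1 dst=198.51.100.20 sport=123 dport=123 [UNREPLIED] src=198.51.100.20 dst=192.0.2.1 sport=123 dport=123 use=1'

# count_entries: number of non-empty conntrack lines on stdin.
count_entries() { awk 'NF > 0 { n++ } END { print n + 0 }'; }

# count_udp_port PORT: UDP entries whose original-direction tuple has PORT
# as source or destination port (123 for NTP). Field 1 is the protocol in
# the legacy layout, field 3 in the nf_conntrack layout.
count_udp_port() {
  awk -v port="$1" '
    ($1 == "udp" || $3 == "udp") {
      # the first sport=/dport= pair on the line is the original direction
      for (i = 1; i <= NF; i++) {
        if ($i == ("sport=" port) || $i == ("dport=" port)) { n++; break }
      }
    }
    END { print n + 0 }'
}

# conntrack_report MAX: print "total ntp percent_of_max" for the entries on
# stdin, where MAX is the value of /proc/sys/net/ipv4/ip_conntrack_max.
# Percent uses integer arithmetic, so a near-empty table reports 0.
conntrack_report() {
  data=$(cat)
  total=$(printf '%s\n' "$data" | count_entries)
  ntp=$(printf '%s\n' "$data" | count_udp_port 123)
  echo "$total $ntp $(( total * 100 / $1 ))"
}

# Demo on the constructed sample. On a live host replace the printf with
# "cat /proc/net/nf_conntrack" (or /proc/net/ip_conntrack on older kernels)
# and pass the real ip_conntrack_max value.
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_report 16896
```

Run it before and after adding the NOTRACK rules from the reply: once port 123 is excluded from tracking, the NTP count should fall to zero while the total keeps shrinking as old entries time out, which confirms that NTP was the table's main consumer rather than something else worth investigating.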