Hi,
That was the hint I needed :)
Perhaps someone could put this information on the pool.ntp.org website,
I'm sure I'm not the only one with that problem...
FYI: I use the following iptables rules in my iptables script:
[...]
FW=/sbin/iptables
IF="eth0"
[...]
$FW -t raw -A PREROUTING -i $IF -p udp --dport 123 -j NOTRACK
$FW -t raw -A PREROUTING -i $IF -p udp --sport 123 -j NOTRACK
$FW -t raw -A OUTPUT -o $IF -p udp --dport 123 -j NOTRACK
$FW -t raw -A OUTPUT -o $IF -p udp --sport 123 -j NOTRACK
$FW -A INPUT -i $IF -p udp --dport 123 -j ACCEPT
[...]
(yeah, lines 2 and 3 aren't needed, but it doesn't hurt to apply those
rules anyway...)
Works like a charm, my conntrack-table is almost empty now ;)
Thank you for your help!
Cheers,
Thomas
On 28.12.2009 01:22, Anthony DeRobertis wrote:
Check the iptables documentation for the NOTRACK target, you should be
able to exempt NTP from connection tracking entirely.
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
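To confirm that the NOTRACK rules discussed above actually keep NTP out of the conntrack table, the following added check (my own example, not code from the thread) counts UDP/123 entries in a conntrack dump. The two sample dumps are constructed in the format of /proc/net/nf_conntrack; the addresses are documentation ranges, and the function names are my own.

```shell
#!/bin/sh
# Added example: verify that NTP (UDP/123) flows are no longer tracked by
# counting matching entries in a conntrack table dump. Reads lines in the
# format of /proc/net/nf_conntrack (also works on `conntrack -L` output).

# count_ntp_conntrack: reads conntrack lines on stdin and prints the number
# of UDP entries whose tuple uses port 123. The reply tuple mirrors the
# original one, so each line is counted at most once.
count_ntp_conntrack() {
    awk '
        /(^|[[:space:]])udp[[:space:]]/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "sport=123" || $i == "dport=123") { n++; break }
            }
        }
        END { print n + 0 }
    '
}

# Constructed sample: what a pool server's table might look like BEFORE the
# raw-table NOTRACK rules (two NTP entries plus an unrelated SSH session).
SAMPLE_BEFORE='ipv4     2 udp      17 29 src=198.51.100.7 dst=192.0.2.10 sport=46231 dport=123 src=192.0.2.10 dst=198.51.100.7 sport=123 dport=46231 mark=0 use=1
ipv4     2 udp      17 25 src=198.51.100.8 dst=192.0.2.10 sport=123 dport=123 src=192.0.2.10 dst=198.51.100.8 sport=123 dport=123 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.5 dst=192.0.2.10 sport=51000 dport=22 src=192.0.2.10 dst=203.0.113.5 sport=22 dport=51000 [ASSURED] mark=0 use=1'

# Constructed sample: the same host AFTER the NOTRACK rules; only the SSH
# session remains, which is what "almost empty" should look like.
SAMPLE_AFTER='ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.5 dst=192.0.2.10 sport=51000 dport=22 src=192.0.2.10 dst=203.0.113.5 sport=22 dport=51000 [ASSURED] mark=0 use=1'

ntp_entries_before() { printf '%s\n' "$SAMPLE_BEFORE" | count_ntp_conntrack; }
ntp_entries_after()  { printf '%s\n' "$SAMPLE_AFTER"  | count_ntp_conntrack; }

# Live use on a real host (needs root to read the table):
#   count_ntp_conntrack < /proc/net/nf_conntrack
```

A non-zero count after the raw-table rules are loaded usually means the rules sit on the wrong interface or the PREROUTING rule for replies (source port 123) is missing, so the reply packet creates a fresh entry on its own.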