
NOTRACK not working as expected

To: <netfilter@lists.netfilter.org>
Subject: NOTRACK not working as expected
From: "Wilson, Richard E" <richard.wilson@eds.com>
Date: Mon, 27 Nov 2006 15:06:34 -0600
All,

Running RH EL 4 Kernel 2.6.9-42.0.3.ELsmp, iptables v1.2.11

I added the following rule to prevent the ip_conntrack table from
tracking localhost connections:

iptables -t raw -A PREROUTING -i lo -j NOTRACK

The monitor script in place to allow us to reboot this system gracefully
when the ip_conntrack table runs out of space reports when it reaches
90% of capacity (determined by ip_conntrack | wc -l / ip_conntrack_max).
I now have a couple copies of the ip_conntrack table a short time before
it ran out of space and I find a LOT (5k+) of connections with
"src=127.0.0.1 dst=127.0.0.0" in the table.  Is there a better way to
create a rule to not track localhost connections?

This server has 4GB of RAM and uses the default value of 65536 for the
ip_conntrack table size.  I have already changed the
ip_conntrack_tcp_timeout_established value from its default of 432000 (5
days) to 172800 (2 days) and it still ran out of table slots.  This
change was made earlier today, a couple hours before the table filled
up.  The localhost traffic cited above is mostly udp traffic (complex
DNS stuff going on).  The server handles mail to/from the Internet, so
has a lot of short term connections.

From what I've read, increasing the size of the ip_conntrack table is
best done by powers of 2 -- is this still the case?  I calculated that
the current table size is roughly 40MB of non-swappable RAM, so I have
room to increase it if all else fails.

Thanks in advance, 

Richard Wilson
EDS
richard dot wilson at eds dot com

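The monitor check described in the post, as an added example that is not part of the original message: a POSIX shell script that parses a saved copy of the ip_conntrack table (the 2.6.x /proc/net/ip_conntrack text layout), computes the utilization the monitor reports against the 65536 default the poster cites, and counts how many entries still have a 127.0.0.1 source despite the NOTRACK rule. The sample table, the 90% threshold function and the hostnames/addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Summarise a saved copy of
# /proc/net/ip_conntrack (2.6.x text format) the way a "wc -l against
# ip_conntrack_max" monitor does, and break down which entries are being
# tracked for localhost, the traffic the NOTRACK rule was meant to skip.

# Constructed sample table (not real data); one conntrack entry per line.
SAMPLE_TABLE='udp      17 25 src=127.0.0.1 dst=127.0.0.1 sport=40001 dport=53 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=40001 use=1
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=40002 dport=53 src=127.0.0.1 dst=127.0.0.1 sport=53 dport=40002 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=203.0.113.5 sport=45123 dport=25 src=203.0.113.5 dst=192.0.2.10 sport=25 dport=45123 [ASSURED] use=1
tcp      6 118 SYN_SENT src=192.0.2.10 dst=198.51.100.7 sport=51234 dport=25 [UNREPLIED] src=198.51.100.7 dst=192.0.2.10 sport=25 dport=51234 use=1'

# Total entries: the "ip_conntrack | wc -l" half of the monitor's ratio.
count_entries() { printf '%s\n' "$1" | awk 'NF { n++ } END { print n + 0 }'; }

# Entries for one protocol (first column is the protocol name).
count_proto() { printf '%s\n' "$1" | awk -v p="$2" '$1 == p { n++ } END { print n + 0 }'; }

# Entries whose ORIGINAL-direction source is the given address. The first
# "src=" token on a line is the original tuple; the reply tuple comes later,
# so we stop at the first match instead of counting both directions.
count_src() {
    printf '%s\n' "$1" | awk -v want="src=$2" '
        { for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { if ($i == want) n++; break } }
        END { print n + 0 }'
}

# Integer percentage of the table in use: entries * 100 / ip_conntrack_max.
percent_used() { echo $(( $1 * 100 / $2 )); }

# Exit 0 when utilisation has reached the 90% mark the monitor alerts on.
over_threshold() { [ "$(percent_used "$1" "$2")" -ge 90 ]; }

# Human-readable report for a table dump and a given ip_conntrack_max.
report() {
    total=$(count_entries "$1")
    echo "entries: $total / $2 ($(percent_used "$total" "$2")% used)"
    echo "tcp: $(count_proto "$1" tcp)  udp: $(count_proto "$1" udp)"
    echo "localhost-sourced: $(count_src "$1" 127.0.0.1)"
    over_threshold "$total" "$2" && echo "WARNING: at or above 90% of ip_conntrack_max"
    return 0
}

report "$SAMPLE_TABLE" 65536
```

Pointing `report` at a live system is just `report "$(cat /proc/net/ip_conntrack)" "$(cat /proc/sys/net/ipv4/ip_conntrack_max)"`; a non-zero localhost count after the raw-table rule is loaded means those flows are still entering the conntrack path.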