
    Nearly full conntrack table, 60K lines


    Hello,

    I'm running a CentOS (RedHat) OpenVZ VPS and I run the command:

    wc -l /proc/net/nf_conntrack
    62109 /proc/net/nf_conntrack
    sysctl net.netfilter.nf_conntrack_count && sysctl net.nf_conntrack_max
    net.netfilter.nf_conntrack_count = 62095
    net.nf_conntrack_max = 65536
    tail & head on /proc/net/nf_conntrack

    shows connections like this one (ESTABLISHED, ASSURED):

    ipv4 2 tcp 6 401407 ESTABLISHED src=SOMEONEELSEIP dst=MYSERVERIPHERE sport=53375 dport=80 src=MYSERVERIPHERE dst=SOMEONEELSEIP sport=80 dport=53375 [ASSURED] mark=0 secmark=0 use=2
    Apache shows that many different IPs (800+) are trying to connect to one web directory (which is empty); the connection rate can be like 5 IPs per second.

    cat /etc/sysctl.conf | grep =
    net.ipv4.ip_forward = 0
    # net.ipv4.conf.default.rp_filter = 1
    # net.ipv4.conf.default.accept_source_route = 0
    # kernel.sysrq = 0
    # kernel.core_uses_pid = 1
    net.ipv4.tcp_syncookies = 1
    net.bridge.bridge-nf-call-ip6tables = 0
    net.bridge.bridge-nf-call-iptables = 0
    net.bridge.bridge-nf-call-arptables = 0
    # kernel.msgmnb = 65536
    # kernel.msgmax = 65536
    # kernel.shmmax = 68719476736
    # kernel.shmall = 4294967296
    I tried to add these lines into the above file, but the conntrack table does not decrease:
    net.netfilter.nf_conntrack_tcp_timeout_established = 600
    net.netfilter.nf_conntrack_generic_timeout = 120
    Then I tried # sysctl -p
    net.ipv4.ip_forward = 0
    net.ipv4.tcp_syncookies = 1
    error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
    error: "net.bridge.bridge-nf-call-iptables" is an unknown key
    error: "net.bridge.bridge-nf-call-arptables" is an unknown key
    error: permission denied on key 'net.netfilter.nf_conntrack_tcp_timeout_established'
    error: permission denied on key 'net.netfilter.nf_conntrack_generic_timeout'
    # sysctl -a | grep conn | grep time
    net.netfilter.nf_conntrack_generic_timeout = 600
    net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
    net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
    net.netfilter.nf_conntrack_tcp_timeout_established = 432000
    net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
    net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
    net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
    net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
    net.netfilter.nf_conntrack_tcp_timeout_close = 10
    net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
    net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
    net.netfilter.nf_conntrack_udp_timeout = 30
    net.netfilter.nf_conntrack_udp_timeout_stream = 180
    net.netfilter.nf_conntrack_icmp_timeout = 30
    net.netfilter.nf_conntrack_events_retry_timeout = 15
    I want to ask for kind advice: how can I secure the server to prevent such a high number of lines in the connection tracking table? And if I can temporarily clean that table, how? How would you advise tweaking the settings? The server's normal connection rate is like 50 connections per second I guess; it is a webserver.

    Thank you

    Update:
    1) This helped to temporarily reduce the conntrack table size:
    yum install conntrack-tools # install conntrack tools
    conntrack -D -d MYSERVERIP # delete conntrack entries where destination ip is my server ip

    2) And also temporarily increasing the conntrack table size limit: echo 66666 > /proc/sys/net/netfilter/nf_conntrack_max

    3) Into /etc/sysctl.conf I added:
    net.netfilter.nf_conntrack_tcp_timeout_established = 600
    net.netfilter.nf_conntrack_generic_timeout = 120
    Last edited by postcd; 12-04-2015 at 12:48 AM.
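Before raising nf_conntrack_max or shortening timeouts, it helps to know what is actually filling the table: which states dominate, how many entries are UNREPLIED, and which source addresses hold the most entries. The following script is an added example, not code from the thread or from conntrack-tools; it parses lines in the /proc/net/nf_conntrack format shown in the post and reports utilization against nf_conntrack_max. The sample entries and addresses (203.0.113.10 as the server, 198.51.100.0/24 and 192.0.2.0/24 as clients) are constructed; read_live() reads the real files on a host instead.

```python
"""Summarize a conntrack table dump: utilization vs nf_conntrack_max, entries
by state, UNREPLIED count and the original-direction sources holding the most
entries. Added example; sample data below is constructed, not from the post."""
from collections import Counter
from pathlib import Path

CONNTRACK_PATH = "/proc/net/nf_conntrack"
CONNTRACK_MAX_PATH = "/proc/sys/net/netfilter/nf_conntrack_max"

# Constructed sample in the same layout as the line quoted in the post.
SAMPLE_CONNTRACK = """\
ipv4 2 tcp 6 401407 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=53375 dport=80 src=203.0.113.10 dst=198.51.100.7 sport=80 dport=53375 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 401200 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=53376 dport=80 src=203.0.113.10 dst=198.51.100.7 sport=80 dport=53376 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 399000 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=53377 dport=80 src=203.0.113.10 dst=198.51.100.7 sport=80 dport=53377 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 119 SYN_SENT src=198.51.100.8 dst=203.0.113.10 sport=40001 dport=80 [UNREPLIED] src=203.0.113.10 dst=198.51.100.8 sport=80 dport=40001 mark=0 secmark=0 use=2
ipv4 2 tcp 6 117 TIME_WAIT src=192.0.2.5 dst=203.0.113.10 sport=51000 dport=80 src=203.0.113.10 dst=192.0.2.5 sport=80 dport=51000 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 udp 17 29 src=192.0.2.9 dst=203.0.113.10 sport=5353 dport=53 [UNREPLIED] src=203.0.113.10 dst=192.0.2.9 sport=53 dport=5353 mark=0 secmark=0 use=2
"""


def parse_conntrack_line(line):
    """Parse one /proc/net/nf_conntrack line into a dict.

    Layout: family family_no proto proto_no timeout [tcp_state] key=value ...
    The first src=/dst=/sport=/dport= group is the original direction, the
    second (starting at the next src=) is the reply direction; flags such as
    [ASSURED] and [UNREPLIED] appear in square brackets."""
    fields = line.split()
    if len(fields) < 5:
        return None
    entry = {"family": fields[0], "proto": fields[2], "timeout": int(fields[4]),
             "state": None, "flags": set(), "orig": {}, "reply": {}}
    rest = fields[5:]
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest[0]          # only connection-oriented protocols carry a state
        rest = rest[1:]
    direction = entry["orig"]
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].add(tok[1:-1])
            continue
        key, _, value = tok.partition("=")
        if key == "src" and "src" in direction:
            direction = entry["reply"]    # second src= begins the reply tuple
        direction[key] = value
    return entry


def parse_conntrack(text):
    entries = (parse_conntrack_line(l) for l in text.splitlines() if l.strip())
    return [e for e in entries if e is not None]


def summarize(entries, max_entries, top_n=5):
    """Utilization plus the usual suspects: state mix, UNREPLIED count, busiest sources."""
    by_state = Counter(e["state"] or e["proto"] for e in entries)
    by_src = Counter(e["orig"].get("src", "?") for e in entries)
    return {
        "count": len(entries),
        "max": max_entries,
        "utilization": len(entries) / max_entries if max_entries else 0.0,
        "by_state": dict(by_state),
        "unreplied": sum(1 for e in entries if "UNREPLIED" in e["flags"]),
        "top_sources": by_src.most_common(top_n),
    }


def table_nearly_full(count, max_entries, threshold=0.9):
    """True when the table is at or above the threshold; the post's 62095/65536 is ~0.95."""
    return max_entries > 0 and count / max_entries >= threshold


def read_live():
    """Read the real table and limit on a host (reading the table needs root on most systems)."""
    text = Path(CONNTRACK_PATH).read_text()
    max_entries = int(Path(CONNTRACK_MAX_PATH).read_text().strip())
    return summarize(parse_conntrack(text), max_entries)


if __name__ == "__main__":
    report = summarize(parse_conntrack(SAMPLE_CONNTRACK), max_entries=8)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("nearly full (post's numbers):", table_nearly_full(62095, 65536))
```

On a live host, `python3 script.py` with read_live() wired in tells you whether the table is dominated by a few sources (a per-source connection limit at the firewall is then the targeted fix), by UNREPLIED SYN_SENT entries (the 120 s syn_sent timeout governs those), or by long-lived ESTABLISHED entries, which is where the established timeout of 432000 s (5 days) shown in the post matters and where lowering it, as the update does, frees entries.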
