Results 1 to 1 of 1
|
|
Enjoy an ad free experience by logging in. Not a member yet? Register.
|
|
-
12-03-2015 #1Linux User
- Join Date
- Apr 2011
- Posts
- 486
Nearly full conntrack table, 60K lines
Hello,
im having CentOS (redhat) OpenVZ VPS and i do command:
wc -l /proc/net/nf_conntrack
sysctl net.netfilter.nf_conntrack_count && sysctl net.nf_conntrack_max62109 /proc/net/nf_conntrack
tail & head on /proc/net/nf_conntracknet.netfilter.nf_conntrack_count = 62095
net.nf_conntrack_max = 65536
shows connection like this one (ESTABLISHED, ASSURED)
Apache shows that many different IPs (800+) trying to connect one web directory (which is empty), the connection speed can be like 5 IPs per second.ipv4 2 tcp 6 401407 ESTABLISHED src=SOMEONEELSEIP dst=MYSERVERIPHERE sport=53375 dport=80 src=MYSERVERIPHERE dst=SOMEONEELSEIP sport=80 dport=53375 [ASSURED] mark=0 secmark=0 use=2
cat /etc/sysctl.conf | grep =
i tried to add these lines into above file, but conntrack table do not decrease:net.ipv4.ip_forward = 0
# net.ipv4.conf.default.rp_filter = 1
# net.ipv4.conf.default.accept_source_route = 0
# kernel.sysrq = 0
# kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
# kernel.msgmnb = 65536
# kernel.msgmax = 65536
# kernel.shmmax = 68719476736
# kernel.shmall = 4294967296
then i tried # sysctl -pnet.netfilter.nf_conntrack_tcp_timeout_established = 600
net.netfilter.nf_conntrack_generic_timeout = 120
# sysctl -a | grep conn | grep timenet.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
error: permission denied on key 'net.netfilter.nf_conntrack_tcp_timeout_establishe d'
error: permission denied on key 'net.netfilter.nf_conntrack_generic_timeout'
I want to ask for kind advice how can anyhow secure server to prevent such high number of lines in connection tracking table? And if i can temporarily clean that table, how? How would you advise to tweak the settings? The server normal connections rate is like 50 connections per second i guess, it is webserver.net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_unacknowled ged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_events_retry_timeout = 15
Thank you
Update:
1) this helped to temporarily reduce conntrack table size:
yum install conntrack-tools # install conntrack tools
conntrack -D -d MYSERVERIP # delete conntrack entries where destination ip is my server ip
2) And also temporarilly increasing conntrack table size limit: echo 66666 > /proc/sys/net/netfilter/nf_conntrack_max
3) Into /etc/sysctl.conf i added:
net.netfilter.nf_conntrack_tcp_timeout_established = 600
net.netfilter.nf_conntrack_generic_timeout = 120Last edited by postcd; 12-04-2015 at 12:48 AM.
https://zeronet.io - Open, free and uncensorable websites, using Bitcoin cryptography and BitTorrent network
Reply With Quote
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
