ip_conntrack table full
I have recently installed ipp2p for BitTorrent and other P2P application blocking on my gateway firewall.
Then I inserted the following rules in my firewall script:
iptables -A INPUT -p tcp -m ipp2p --ipp2p -j LOG --log-prefix "P2P detect"
iptables -A FORWARD -p tcp -m ipp2p --ipp2p -j LOG --log-prefix "P2P detect"
iptables -A INPUT -p tcp -m ipp2p --ipp2p -j DROP
iptables -A FORWARD -p tcp -m ipp2p --ipp2p -j DROP
This seemed to work well for a bit, but then I had problems with the box slowing to a crawl and ended up having to reboot the system. I checked the logs and found a couple hundred lines with
>>ip_conntrack: table full, dropping packet
I'm not too familiar with networking, but I'm guessing that somehow when the script drops a packet or connection, the connection is still stored in the ip_conntrack table. Is there a way around this?
Alternatively, will changing the rule from DROP to REJECT --reject-with tcp-reset work? I'm going on the basis that if a reset packet was sent then the connection will be dropped from ip_conntrack.
Again, I'm not very clear on the concept of ip_conntrack, so I would appreciate any info and help I can get on this.
Thanks
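The following is an added diagnostic helper, not part of the original post: it counts "table full" events in kernel log lines like the one quoted above and reports how much of the conntrack table is in use. The /proc paths for the newer nf_conntrack and older ip_conntrack counters are the ones I know from those kernels; the sample log lines and the fallback numbers are constructed.

```shell
#!/bin/sh
# Constructed sample of kernel log lines in the style quoted in the post.
SAMPLE_LOG='Jan 10 12:00:01 gw kernel: ip_conntrack: table full, dropping packet.
Jan 10 12:00:01 gw kernel: P2P detectIN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=51413 DPT=6881
Jan 10 12:00:02 gw kernel: ip_conntrack: table full, dropping packet.
Jan 10 12:00:03 gw kernel: ip_conntrack: table full, dropping packet.'

# Count "table full" events in a log fed on stdin.
count_table_full() {
    grep -c 'conntrack: table full'
}

# Whole-number percentage of the table in use, given current count and max.
conntrack_pct() {
    awk -v c="$1" -v m="$2" 'BEGIN { printf "%d", (c * 100) / m }'
}

# Locate the live counters: newer kernels expose nf_conntrack_*, older ones ip_conntrack_*.
conntrack_files() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        echo "/proc/sys/net/netfilter/nf_conntrack_count /proc/sys/net/netfilter/nf_conntrack_max"
    elif [ -r /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
        echo "/proc/sys/net/ipv4/netfilter/ip_conntrack_count /proc/sys/net/ipv4/ip_conntrack_max"
    fi
}

# Report usage; falls back to constructed numbers when not run on a Linux firewall.
conntrack_report() {
    set -- $(conntrack_files)
    if [ $# -eq 2 ]; then
        count=$(cat "$1"); max=$(cat "$2")
    else
        count=60000; max=65536   # constructed values for demonstration
    fi
    pct=$(conntrack_pct "$count" "$max")
    echo "conntrack: $count/$max entries ($pct% used)"
    if [ "$pct" -ge 90 ]; then
        echo "WARNING: table near full; raise the conntrack max or shorten its timeouts"
    fi
    return 0
}

conntrack_report
echo "table-full events in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_table_full)"
```

Run it periodically (or from cron) on the gateway and the warning line tells you the table is filling up before the kernel starts dropping packets.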