LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-01-2004, 12:26 AM   #1
Skunk_Face
Member
 
Registered: Jan 2004
Posts: 54

Rep: Reputation: 15
ip_conntrack table full


I have recently installed ipp2p for BitTorrent and other P2P application blocking on my gateway firewall.
Then I inserted the following rules in my firewall script:

iptables -A INPUT -p tcp -m ipp2p --ipp2p -j LOG --log-prefix "P2P detect"
iptables -A FORWARD -p tcp -m ipp2p --ipp2p -j LOG --log-prefix "P2P detect"
iptables -A INPUT -p tcp -m ipp2p --ipp2p -j DROP
iptables -A FORWARD -p tcp -m ipp2p --ipp2p -j DROP

This seemed to work well for a bit, but then I had problems with the box slowing to a crawl and ended up having to reboot the system. Checked the logs and found a couple hundred lines with

>>ip_conntrack: table full, dropping packet

I'm not too familiar with networking, but I'm guessing somehow that when the script drops a packet or connection, the connection is still stored in the ip_conntrack table. Is there a way around this?
Alternatively, will changing the rule from DROP to REJECT --reject-with tcp-reset work? I'm going on the basis that if a reset packet was sent then the connection will be dropped from ip_conntrack.

Again, I'm not very clear on the concept of ip_conntrack, so I would appreciate any info and help I can get on this.

Thanks
 
Old 11-01-2004, 05:14 PM   #2
racine
LQ Newbie
 
Registered: Apr 2004
Distribution: Homemade
Posts: 2

Rep: Reputation: 0
You can increase the number of connections to track; this page will explain how:
http://www.wallfire.org/misc/netfilt...track_perf.txt
Cheers,
PA
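To make the advice in the reply concrete, here is a small added script (not from the thread or from the wallfire page) that reports how full the connection-tracking table is and prints the commands to raise the limit. It assumes the kernel exposes either the older ip_conntrack files (/proc/sys/net/ipv4/ip_conntrack_max, /proc/net/ip_conntrack) or the newer nf_conntrack ones (/proc/sys/net/netfilter/nf_conntrack_max, nf_conntrack_count); the 1:8 entries-per-bucket factor passed to plan_hashsize is the default ratio older kernels used between ip_conntrack_max and the hash size, and is a tunable assumption here, not a requirement.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the connection-tracking table
# and compute a candidate conntrack_max / hashsize pair.
# Assumption: either the ip_conntrack or the nf_conntrack /proc files exist.

# first_readable PATH... -> prints the first path that exists and is readable
first_readable() {
    for p in "$@"; do
        if [ -r "$p" ]; then echo "$p"; return 0; fi
    done
    return 1
}

# conntrack_max -> current table limit; fails if conntrack is not loaded
conntrack_max() {
    p=$(first_readable /proc/sys/net/netfilter/nf_conntrack_max \
                       /proc/sys/net/ipv4/ip_conntrack_max) || return 1
    cat "$p"
}

# conntrack_count -> number of entries currently in the table
conntrack_count() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        cat /proc/sys/net/netfilter/nf_conntrack_count
    elif [ -r /proc/net/ip_conntrack ]; then
        wc -l < /proc/net/ip_conntrack | tr -d ' '
    else
        return 1
    fi
}

# tcp_established_timeout -> seconds an idle established TCP entry is kept
tcp_established_timeout() {
    p=$(first_readable /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established \
                       /proc/sys/net/ipv4/ip_conntrack_tcp_timeout_established) || return 1
    cat "$p"
}

# usage_pct COUNT MAX -> integer percentage of the table in use
usage_pct() {
    [ "$2" -gt 0 ] 2>/dev/null || return 1
    echo $(( $1 * 100 / $2 ))
}

# plan_hashsize MAX FACTOR -> hash buckets so each bucket averages at most
# FACTOR entries (ceiling division). A smaller FACTOR means shorter chains
# and faster lookups at the cost of memory.
plan_hashsize() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# report -> print current usage and, when the table is nearly full, the
# commands that would double it
report() {
    max=$(conntrack_max) || { echo "connection tracking not available"; return 0; }
    count=$(conntrack_count) || count=0
    pct=$(usage_pct "$count" "$max") || pct=0
    timeout=$(tcp_established_timeout) || timeout="unknown"
    echo "conntrack entries: $count / $max ($pct% used)"
    echo "idle established TCP entries expire after $timeout s"
    if [ "$pct" -ge 80 ]; then
        new_max=$(( max * 2 ))
        buckets=$(plan_hashsize "$new_max" 8)
        echo "table nearly full; to double it on nf_conntrack kernels:"
        echo "  sysctl -w net.netfilter.nf_conntrack_max=$new_max"
        echo "  echo $buckets > /sys/module/nf_conntrack/parameters/hashsize"
        echo "on older ip_conntrack kernels:"
        echo "  sysctl -w net.ipv4.ip_conntrack_max=$new_max"
        echo "  modprobe ip_conntrack hashsize=$buckets   (at module load)"
    fi
    return 0
}

report
```

The established-TCP timeout is printed because it explains the symptom in the original question: a flow whose later packets are dropped by the filter table keeps its existing conntrack entry until that timeout expires, so a busy P2P host can hold the table full long after its traffic is being dropped. Raising the limit alone increases memory use; raising the hash size alongside it keeps lookups fast, which is the point of the linked performance page.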
 
All times are GMT -5.