4

During load testing my server is dropping packets due to "connection tracking" way before it's running out of resources. I'm using Ubuntu Jaunty with ufw. In my syslog I get:

ip_conntrack: table full, dropping packet.

I looked at upping the max connection table size, but I don't know of an advantage for tracking these connections on these ports. I would like to know how to use ufw to tell it not to track requests to port 80 and 443.

Clarifying

  • No natting needed, it's just a web server.

Thank you.

reconbot

3 Answers

4
# NOTRACK is only valid in the raw table, so -t raw is required
iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK
iptables -t raw -A PREROUTING -p tcp --dport 443 -j NOTRACK

will disable connection tracking just for these ports.

robbyt
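The same idea as a fuller script, added here as an example and not part of robbyt's answer. Three points it makes that the two rules alone do not: NOTRACK lives in the raw table; the server's replies (source port 80/443, leaving via OUTPUT) need their own NOTRACK rule or they will still create conntrack entries; and untracked packets never match `-m state --state ESTABLISHED,RELATED`, so the filter table must accept the ports with plain rules (with ufw that is `ufw allow 80/tcp` and `ufw allow 443/tcp`). The function names (notrack_rules, apply_notrack, check_filter_accepts) are mine, and the script assumes an iptables with the raw table plus root for the apply step.

```shell
#!/bin/sh
# Added example, not from the original answer. Untrack HTTP/HTTPS in the
# raw table in both directions and check the filter table still accepts
# the ports. Function names are the author's assumptions; apply needs root.
set -eu

# Emit the raw-table rules for each port in iptables-restore format.
# Inbound requests (PREROUTING, --dport) and the server's replies
# (OUTPUT, --sport) must both be untracked; untracking only the
# inbound side leaves the replies creating conntrack entries.
notrack_rules() {
    printf '%s\n' '*raw' ':PREROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for port in "$@"; do
        printf '%s\n' "-A PREROUTING -p tcp --dport $port -j NOTRACK"
        printf '%s\n' "-A OUTPUT -p tcp --sport $port -j NOTRACK"
    done
    printf '%s\n' 'COMMIT'
}

# Apply the same rules live. NOTRACK only exists in the raw table,
# hence -t raw on every command.
apply_notrack() {
    for port in "$@"; do
        iptables -t raw -A PREROUTING -p tcp --dport "$port" -j NOTRACK
        iptables -t raw -A OUTPUT -p tcp --sport "$port" -j NOTRACK
    done
}

# Untracked packets do not match -m state ESTABLISHED,RELATED, so a
# plain ACCEPT on the port must exist in the filter table (ufw's
# "ufw allow 80/tcp" produces one). This is a textual check of
# iptables -S output, good enough to catch a forgotten allow rule.
check_filter_accepts() {
    for port in "$@"; do
        iptables -S | grep -q -- "--dport $port -j ACCEPT" \
            || { echo "missing filter ACCEPT for tcp/$port" >&2; return 1; }
    done
}

case "${1:-}" in
    print) shift; notrack_rules "$@" ;;
    apply) shift; apply_notrack "$@"; check_filter_accepts "$@" ;;
esac
```

`sh notrack.sh print 80 443` prints a `*raw` section; to keep it across reboots with ufw, paste that section into /etc/ufw/before.rules above the existing `*filter` section and run `ufw reload`. `sh notrack.sh apply 80 443` applies it live and then complains if the filter accepts are missing.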
0

Connection tracking is an on/off switch, you cannot selectively disable it for some kind of traffic. You should increase the number of connections tracked via various nf_conntrack_max options under /proc/sys/net. You can also consider enabling syncookies to reduce congestion effects.

Edit: It seems that iptables with -j NOTRACK allows you to disable connection tracking selectively.

hayalci
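An added example, not part of hayalci's answer, for the table-sizing route it suggests: look at how full the table actually is before touching anything, pick a new limit together with a matching hash size and a rough memory sanity check, shorten the established timeout so idle HTTP connections do not sit in the table for the default five days, and turn on syncookies. It assumes a kernel that exposes the net.netfilter.nf_conntrack_* sysctls and /sys/module/nf_conntrack/parameters/hashsize (on older kernels the limit is net.ipv4.netfilter.ip_conntrack_max); the function names, the max/8 bucket ratio and the 300 bytes per entry figure are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Inspect and resize the
# conntrack table. Assumes net.netfilter.nf_conntrack_* sysctls and the
# nf_conntrack hashsize module parameter; function names are mine.
set -eu

# Show current occupancy so the limit is raised on evidence, not guesswork.
conntrack_usage() {
    count=$(sysctl -n net.netfilter.nf_conntrack_count)
    max=$(sysctl -n net.netfilter.nf_conntrack_max)
    echo "conntrack entries: $count / $max"
}

# Too few hash buckets turn every lookup into a long list walk. One bucket
# per eight entries is the ratio assumed here (the default relationship on
# 2.6-era kernels, where max was derived as 8 * hashsize).
recommended_hashsize() {
    echo $(( $1 / 8 ))
}

# Rough memory cost of a full table, in MiB. 300 bytes per entry is an
# assumption (the real size depends on kernel version and architecture);
# the point is to notice before setting a limit RAM cannot back.
estimated_table_mb() {
    echo $(( $1 * 300 / 1048576 ))
}

# Raise the limit, resize the hash to match, shorten the established
# timeout (default 432000 s = 5 days) and enable syncookies.
conntrack_tune() {
    target=$1
    sysctl -w net.netfilter.nf_conntrack_max="$target"
    recommended_hashsize "$target" > /sys/module/nf_conntrack/parameters/hashsize
    sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
    sysctl -w net.ipv4.tcp_syncookies=1
}

case "${1:-}" in
    status) conntrack_usage ;;
    plan)   target=${2:?target max required}
            echo "max=$target hashsize=$(recommended_hashsize "$target") approx_mb=$(estimated_table_mb "$target")" ;;
    apply)  conntrack_tune "${2:?target max required}" ;;
esac
```

`sh conntrack.sh status` shows the current count against the limit; `sh conntrack.sh plan 262144` prints the hash size and memory estimate for a proposed limit; `sh conntrack.sh apply 262144` sets it (as root). The sysctl settings do not survive a reboot unless they are also added to /etc/sysctl.conf, and the hashsize write must be repeated at boot as well.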
-1

Do you NAT? I believe without ip_conntrack you can't NAT.

Coops