Questions tagged [conntrack]

71 questions
2 votes, 1 answer

"nf_conntrack: table full, dropping packet" even though nf_conntrack_count is much less than nf_conntrack_max

I have a node in our cluster which gets lots of "nf_conntrack: table full, dropping packet" messages in the syslog. I checked the nf_conntrack_count and it was running right up against the nf_conntrack_max. Looking into the table, I saw most of the…
Matthew Sharp
  • 200
  • 3
  • 8
2 votes, 3 answers

Conntrack shows no result

I tried the command conntrack -L and it returns nothing when I have a ping www.google.com running. I also tried to load the module by modprobe nf_conntrack. But it still always returns conntrack v1.0.0 (conntrack-tools): 0 flow entries have been…
manxing
  • 121
  • 2
2 votes, 2 answers

How to mitigate error "kernel: nf_conntrack: table full, dropping packet"

We recently had a problem with one of our servers (Debian Squeeze) becoming unresponsive during heavy-ish load. Looking at the kernel logs, I think this is the cause: kernel: nf_conntrack: table full, dropping packet As I understand it, this is…
UpTheCreek
  • 1,598
  • 10
  • 31
  • 45
2 votes, 3 answers

Capture first packet of established TCP connection with iptables?

I'm looking for a way to examine the first packet only of a newly established TCP connection (the first packet with actual payload, that is). Is there a way to do this with iptables? Matching ESTABLISHED packets would match all packets of a…
N.A.
  • 23
  • 1
  • 3
2 votes, 0 answers

A minimal iptables ruleset for a high volume Nginx reverse proxy (or: how to use NOTRACK for http and https)?

I'm looking for a minimal iptables ruleset for a rather high volume Nginx/Varnish reverse proxy. I'd like to close down the server, so that only ports 80 and 22 are open at all for connections from the outside. Furthermore, I'd like to exclude the…
flight
  • 384
  • 3
  • 14
2 votes, 2 answers

error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key

I have a problem on Ubuntu 10.04.3 LTS x64 with sysctl net.ipv4.netfilter.ip_conntrack_max . If I run this command on shell, I get back an error: error: net.ipv4.netfilter.ip_conntrack_max" is an unknown key. It occurred on 2 of our machines after…
Arny80Hexa
  • 139
  • 1
  • 4
  • 14
2 votes, 1 answer

Conntrack, failed to NAT its own TCP packets from another VRF

I came across a tricky problem with source NAT when using multiple VRF on a Debian based router. It's a bit complex to explain, so I will try to be clear, but it will not be short, sorry for that. The problem should be easy to reproduce though. To…
Dainii
  • 31
  • 2
1 vote, 0 answers

CEPH netfilter connection tracking issues

We have a CEPH cluster (Ubuntu 18.04, Luminous) for Openstack images and volumes. As I was taking it into production I found many performance issues, slow OSDs, and throughput down to a trickle; this turned out to be due to the iptables rules. As is…
Dennis
  • 11
  • 1
1 vote, 1 answer

"use" column in /proc/net/ip_conntrack or nf_conntrack?

I'd like to hack together my own little script to parse conntrack data, to get customized network information from some Linux boxes that are also NAT routers. An example of a line from the conntrack tables is: ipv4 2 tcp 6 300 ESTABLISHED…
1 vote, 1 answer

Linux Log all tcp new connections

On my linux host I want to get per minute logs of all the new tcp connections being created. I have multiple tap devices on my host from which various are trying to create the tcp connections. I have iptable POSTROUTING MASQUERADE rule on my…
1 vote, 2 answers

IPtables blocking SSH only if using conntrack

Error As you can see, the only difference between the working and the not working configuration is -m conntrack --ctstate NEW,ESTABLISHED,RELATED. If I use -m conntrack --ctstate NEW,ESTABLISHED it does not work either... But why?! After a few tests,…
flexbrane
  • 21
  • 4
1 vote, 1 answer

Conntrack is blocking UDP NAT

I'm working on an application that should relay udp packets from one host to another according to some rules. It is basically NAT. I negotiate UDP ports with both hosts and after that I need to receive from host A and send to host B with the…
Vargas
  • 143
  • 1
  • 8
1 vote, 2 answers

How to pass to NFQUEUE all incoming connection packets

I develop an application to inspect packets arriving on a linux machine. I would like to send in NFQUEUE all the incoming connection packets and only the incoming ones. Not only --state NEW but also --state ESTABLISHED, RELATED for connections that…
vx3r
  • 368
  • 2
  • 9
1 vote, 1 answer

IPv6 traffic from 0001 and Link Local (FE80::1)

Trying to get the basic firewall setup for IPv6 using ip6tables (this is on Ubuntu server 16.04). On the INPUT chain, whenever there is client-initiated IPv6 traffic (e.g. running 'apt update'), I get tons of packets from what I assume to be the…
1 vote, 1 answer

conntrack delete does not stop running copy of big file

I have a router with nat port forwarding configured. I launched a http copy of big file via the nat. The http server is hosted on the LAN PC which contains the big file to download. I launched the file download from WAN PC. I disabled the nat rule…
MOHAMED
  • 151
  • 7