After iptables is turned on, a symptom can appear: packet loss. ping shows intermittent packet loss, ifconfig shows the interface's dropped:XXX counter steadily increasing, and the messages log contains lines like the following:
ip_conntrack: table full, dropping packet
The cause is that once iptables is enabled it loads the ip_conntrack module to track connections, and the table fills up. By default ip_conntrack_max is 65536. One case where iptables causes a failure this way is an ftp directory listing failing; see:
PureFTP failed to read the directory list: solution
View the ip_conntrack maximum size:
# cat /proc/sys/net/ipv4/ip_conntrack_max
View the current number of ip_conntrack entries:
# wc -l /proc/net/ip_conntrack
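The two commands above give the numbers a monitoring check needs. The following script is an added example (not from the original post): it compares the current entry count with ip_conntrack_max and warns before the table fills up. It uses the legacy /proc paths named in the post; the nf_conntrack paths are an assumed fallback for kernels that renamed the module, and the sample numbers are constructed.

```shell
#!/bin/sh
# Added example: alert before the conntrack table fills up, i.e. before the
# kernel starts logging "ip_conntrack: table full, dropping packet".

# Percentage of the table in use. $1 = current entries, $2 = ip_conntrack_max.
conntrack_usage_pct() {
    [ "${2:-0}" -gt 0 ] || { echo 0; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# Classify usage against a warning threshold (default 80%).
# Prints OK or WARN; returns 1 on WARN so a cron job or monitor can act on it.
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2") || { echo "UNKNOWN"; return 2; }
    if [ "$pct" -ge "${3:-80}" ]; then
        echo "WARN: conntrack table ${pct}% full ($1/$2)"
        return 1
    fi
    echo "OK: conntrack table ${pct}% full ($1/$2)"
}

# Read live values from /proc; prints "count max", or nothing if unavailable.
# The ip_conntrack paths are the ones from the post; nf_conntrack is an
# assumed fallback for newer kernels.
conntrack_read_live() {
    if [ -r /proc/sys/net/ipv4/ip_conntrack_max ]; then
        echo "$(wc -l < /proc/net/ip_conntrack) $(cat /proc/sys/net/ipv4/ip_conntrack_max)"
    elif [ -r /proc/sys/net/netfilter/nf_conntrack_max ]; then
        echo "$(cat /proc/sys/net/netfilter/nf_conntrack_count) $(cat /proc/sys/net/netfilter/nf_conntrack_max)"
    fi
}

# Use live data when available; otherwise fall back to constructed sample
# values so the check can be demonstrated offline.
live=$(conntrack_read_live)
if [ -n "$live" ]; then
    set -- $live
    conntrack_status "$1" "$2" 80 || echo "(exit status $?: would page an operator)"
else
    # constructed sample: 62000 of 65536 entries in use, 94% -> WARN
    conntrack_status 62000 65536 80 || echo "(exit status $?: would page an operator)"
fi
```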
Solutions:
1. Increase the size of the ip_conntrack table
# /etc/sysctl.conf
net.ipv4.netfilter.ip_conntrack_max = 6553600
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 300
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 12
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
# sysctl -p   (makes the settings take effect)
With this solution, sysctl -p must be run again after every iptables restart; sysctl -p can also be added to the iptables startup script. But the hidden danger of the ip_conntrack table filling up still exists.
2. Do not load the ip_conntrack module: modify the /etc/sysconfig/iptables-config configuration file
# vim /etc/sysconfig/iptables-config
IPTABLES_MODULES=""
Do not use state rules in /etc/sysconfig/iptables, such as:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
After these settings, if the kernel parameters from solution 1 are still configured, running sysctl -p reports the following errors:
error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait" is an unknown key
This is because the ip_conntrack module is not loaded. Isn't that exactly what we want? Check whether the ip_conntrack module is loaded:
Solution 2 is recommended. For reprinting, please indicate the source:
Solutions for "ip_conntrack: table full, dropping packet"
http://www.ttlsa.com/html/2303.html
Reproduced from: https://my.oschina.net/766/blog/210930