Re: Help with IPTables

From: Marcus Herou <marcus.herou#tailsweep.com>
Date: Mon, 29 Sep 2008 20:26:53 +0200


Thanks! I think that did it. How do you know the actual size of that bastard parameter?

Just to be clear, I have not enabled conntrack explicitly; it comes enabled with the kernel, I guess. Does not iptables need conntrack?

Anyway, since you are the experts in this backyard, what FW do you use to protect a LB?

Kindly

//Marcus

On Mon, Sep 29, 2008 at 7:43 PM, Patrick Viet <patrick.viet#gmail.com> wrote:

> deactivate conntrack if you can.
> otherwise,
>
> sysctl -w net.nf_conntrack_max=400000
> should help
>
> (and add net.nf_conntrack_max=400000 to /etc/sysctl.conf)
>
>
> Patrick
>
> On Mon, Sep 29, 2008 at 7:40 PM, Marcus Herou
> <marcus.herou#tailsweep.com> wrote:
> > Hi.
> >
> > The lb service is flapping as hell and I think it can have something to do
> > with iptables and conntrack.
> >
> > I have lots and lots of these in the syslog.
> >
> > Sep 29 19:39:10 mapreduce1 kernel: [4256497.364051] printk: 1323 messages suppressed.
> > Sep 29 19:39:10 mapreduce1 kernel: [4256497.364055] nf_conntrack: table full, dropping packet.
> > Sep 29 19:39:14 mapreduce1 kernel: [4256501.908943] iptables denied: IN=eth1 OUT= MAC=00:30:48:67:2c:39:00:d0:01:9f:20:00:08:00 SRC=79.102.133.200 DST=79.136.112.194 LEN=64 TOS=0x00 PREC=0x00 TTL=119 ID=42809 DF PROTO=TCP SPT=2093 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
> >
> >
> > sysctl -a|grep conntrack
> > error: permission denied on key 'kernel.sched_nr_migrate'
> > error: permission denied on key 'net.ipv4.route.flush'
> > net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
> > net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
> > net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
> > net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
> > net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
> > net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
> > net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
> > net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
> > net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
> > error: permission denied on key 'net.ipv6.route.flush'
> > net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 300
> > net.ipv4.netfilter.ip_conntrack_tcp_loose = 1
> > net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 0
> > net.ipv4.netfilter.ip_conntrack_tcp_max_retrans = 3
> > net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
> > net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
> > net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
> > net.ipv4.netfilter.ip_conntrack_max = 65536
> > net.ipv4.netfilter.ip_conntrack_count = 65535
> > net.ipv4.netfilter.ip_conntrack_buckets = 16384
> > net.ipv4.netfilter.ip_conntrack_checksum = 1
> > net.ipv4.netfilter.ip_conntrack_log_invalid = 0
> > net.netfilter.nf_conntrack_generic_timeout = 600
> > net.netfilter.nf_conntrack_max = 65536
> > net.netfilter.nf_conntrack_count = 65536
> > net.netfilter.nf_conntrack_buckets = 16384
> > net.netfilter.nf_conntrack_checksum = 1
> > net.netfilter.nf_conntrack_log_invalid = 0
> > net.netfilter.nf_conntrack_expect_max = 256
> > net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
> > net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
> > net.netfilter.nf_conntrack_tcp_timeout_established = 432000
> > net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
> > net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
> > net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
> > net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
> > net.netfilter.nf_conntrack_tcp_timeout_close = 10
> > net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
> > net.netfilter.nf_conntrack_tcp_loose = 1
> > net.netfilter.nf_conntrack_tcp_be_liberal = 0
> > net.netfilter.nf_conntrack_tcp_max_retrans = 3
> > net.netfilter.nf_conntrack_udp_timeout = 30
> > net.netfilter.nf_conntrack_udp_timeout_stream = 180
> > net.netfilter.nf_conntrack_icmp_timeout = 30
> > net.nf_conntrack_max = 65536
> >
> >
> > Anyone ?
> >
> > Kindly
> >
> > //Marcus
> >
> >
> > --
> > Marcus Herou CTO and co-founder Tailsweep AB
> > +46702561312
> > marcus.herou#tailsweep.com
> > http://www.tailsweep.com/
> > http://blogg.tailsweep.com/
> >
>

-- 
Marcus Herou CTO and co-founder Tailsweep AB
+46702561312
marcus.herou#tailsweep.com
http://www.tailsweep.com/
http://blogg.tailsweep.com/
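The size question in the thread (how full the tracking table actually is, and whether the kernel is already dropping) can be answered from two keys that are already in the posted `sysctl -a` output, `nf_conntrack_count` and `nf_conntrack_max`, plus the "table full, dropping packet" lines in the kernel log. The script below is an added example, written for this page and not posted by anyone in the thread. It runs on constructed copies of the quoted sysctl and syslog lines so it works offline; on a live box the two sample strings would be replaced with `sysctl -a 2>/dev/null` and `dmesg` (or the syslog file). The 80 % warning threshold is an assumption about a sensible alert level, and the remark about the `hashsize` module parameter is a general kernel fact, not something the thread states.

```shell
#!/bin/sh
# Added example: health check for the netfilter connection-tracking table.
# Input is constructed from the values quoted in the thread, not read live.

# Constructed sample, values copied from the sysctl output quoted in the thread.
SAMPLE_SYSCTL='net.netfilter.nf_conntrack_max = 65536
net.netfilter.nf_conntrack_count = 65536
net.netfilter.nf_conntrack_buckets = 16384
net.netfilter.nf_conntrack_tcp_timeout_established = 432000'

# Constructed sample modelled on the kernel log lines quoted in the thread.
SAMPLE_SYSLOG='Sep 29 19:39:10 mapreduce1 kernel: [4256497.364051] printk: 1323 messages suppressed.
Sep 29 19:39:10 mapreduce1 kernel: [4256497.364055] nf_conntrack: table full, dropping packet.
Sep 29 19:39:14 mapreduce1 kernel: [4256501.908943] iptables denied: IN=eth1 OUT= PROTO=TCP SPT=2093 DPT=80 SYN'

# sysctl_value KEY TEXT: print the integer value of KEY from "sysctl -a" style output.
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $3; exit }'
}

# util_pct MAX COUNT: integer percentage of the tracking table in use.
util_pct() {
    echo $(( $2 * 100 / $1 ))
}

# chain_len MAX BUCKETS: average entries per hash bucket when the table is full.
# Raising nf_conntrack_max alone lengthens these chains and slows every lookup;
# the bucket count is tuned separately (the nf_conntrack "hashsize" module
# parameter; on newer kernels nf_conntrack_buckets itself is writable).
chain_len() {
    echo $(( $1 / $2 ))
}

# table_full_drops TEXT: number of explicit "table full, dropping packet" lines.
table_full_drops() {
    printf '%s\n' "$1" | awk '/nf_conntrack: table full/ { n++ } END { print n + 0 }'
}

# suppressed_msgs TEXT: sum of rate-limited kernel messages. The visible drop
# lines understate the real number of drops by roughly this amount.
suppressed_msgs() {
    printf '%s\n' "$1" | awk '/printk: [0-9]+ messages suppressed/ {
        for (i = 1; i <= NF; i++) if ($i == "printk:") s += $(i + 1)
    } END { print s + 0 }'
}

# verdict MAX COUNT DROPS: CRIT if drops were logged, WARN at or above 80 %
# utilisation (assumed threshold), otherwise OK.
verdict() {
    if [ "$3" -gt 0 ]; then echo CRIT
    elif [ "$(util_pct "$1" "$2")" -ge 80 ]; then echo WARN
    else echo OK
    fi
}

main() {
    max=$(sysctl_value net.netfilter.nf_conntrack_max "$SAMPLE_SYSCTL")
    cnt=$(sysctl_value net.netfilter.nf_conntrack_count "$SAMPLE_SYSCTL")
    bkt=$(sysctl_value net.netfilter.nf_conntrack_buckets "$SAMPLE_SYSCTL")
    est=$(sysctl_value net.netfilter.nf_conntrack_tcp_timeout_established "$SAMPLE_SYSCTL")
    drops=$(table_full_drops "$SAMPLE_SYSLOG")
    echo "conntrack: $cnt/$max entries ($(util_pct "$max" "$cnt")%), ~$(chain_len "$max" "$bkt") entries per bucket"
    echo "logged drops: $drops (+$(suppressed_msgs "$SAMPLE_SYSLOG") suppressed kernel messages)"
    echo "established timeout: ${est}s ($(( est / 86400 )) days) - idle entries occupy the table this long"
    echo "verdict: $(verdict "$max" "$cnt" "$drops")"
}

main "$@"
```

On the posted numbers the check reports 65536/65536 entries (100 %), four entries per bucket, one logged drop plus 1323 suppressed messages, and a five-day established timeout; the verdict is CRIT. The same script run after `sysctl -w net.nf_conntrack_max=400000` would show the utilisation fall to about 16 % but the chain length rise to about 24 per bucket, which is why the bucket count and the established timeout are worth looking at alongside the maximum.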
Received on 2008/09/29 20:26

This archive was generated by hypermail 2.2.0 : 2008/09/29 20:32 CEST