On Sat, Dec 19, 2009 at 05:14:42PM -0500, John Lauro wrote:
> Are you using connection tracking with iptables? If so, you might want to
> consider using a more basic configuration without connection tracking.
Indeed!
Most likely you have a rule somewhere which does a REJECT on INVALID packets, and those poor users are running a buggy TCP stack which breaks window scaling, SACKs or things like this, regularly causing some INVALID packets to be detected by the conntrack code.
Once I even found a user who was doing all of his browsing using the same TCP source port! You bet the conntrack has good reasons to complain.
The other common issue with conntrack as shipped in common distros is that it's tuned for a desktop system (i.e. not tuned), and the table fills very fast when you use that on a server. You can easily detect this by messages in kernel logs: "Conntrack table is full".
Regards,
Willy
Received on 2009/12/20 06:57
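An added example (not from the thread or from HAProxy) that checks for the two symptoms Willy describes: it scans kernel-log lines for the "table full" message and for packets an iptables LOG rule tagged as INVALID, flags sources that keep hitting INVALID from one source port, and computes table usage from the nf_conntrack_count / nf_conntrack_max sysctls. The log lines are constructed, and the `INVALID: ` prefix assumes a rule of the form `iptables -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID: "` placed before the REJECT.

```python
import re
from collections import Counter

# Message printed by the nf_conntrack module when the table overflows (assumed wording)
TABLE_FULL_RE = re.compile(r"conntrack: table full, dropping packet")
# Fields written by the iptables LOG target, behind the assumed "INVALID: " prefix
INVALID_RE = re.compile(r"INVALID: .*SRC=(\S+) .*PROTO=(\S+)(?: .*SPT=(\d+))?")

# Constructed sample of kernel-log lines for the demonstration
SAMPLE_LOG = """\
kernel: nf_conntrack: table full, dropping packet
kernel: INVALID: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=52 PROTO=TCP SPT=1025 DPT=80 ACK
kernel: INVALID: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=1025 DPT=80 ACK
kernel: INVALID: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 LEN=52 PROTO=TCP SPT=51234 DPT=443 ACK
kernel: nf_conntrack: table full, dropping packet
"""

def analyse(log_text):
    """Count table-full drops and INVALID hits per source address."""
    table_full = 0
    invalid_by_src = Counter()
    ports_by_src = {}
    for line in log_text.splitlines():
        if TABLE_FULL_RE.search(line):
            table_full += 1
            continue
        m = INVALID_RE.search(line)
        if m:
            src, _proto, spt = m.groups()
            invalid_by_src[src] += 1
            if spt:
                ports_by_src.setdefault(src, set()).add(spt)
    # Repeated INVALID hits from a single source port: the "same source port" client
    single_port_sources = [s for s, ports in ports_by_src.items()
                           if len(ports) == 1 and invalid_by_src[s] > 1]
    return {"table_full": table_full,
            "invalid_by_src": dict(invalid_by_src),
            "single_port_sources": single_port_sources}

def table_usage(count, maximum):
    """Fraction of the conntrack table in use."""
    return count / maximum

def read_live_usage(procdir="/proc/sys/net/netfilter"):
    """Read nf_conntrack_count and nf_conntrack_max on a live host; None if unavailable."""
    try:
        with open(f"{procdir}/nf_conntrack_count") as c, open(f"{procdir}/nf_conntrack_max") as m:
            return table_usage(int(c.read()), int(m.read()))
    except OSError:
        return None

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
    print("live table usage:", read_live_usage())
```

A usage near 1.0 from read_live_usage() means the table is at the desktop-sized default; raising the nf_conntrack_max sysctl is the fix for a busy server.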
This archive was generated by hypermail 2.2.0 : 2009/12/20 07:00 CET