# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 10.10"
# uname -a
2.6.35-25-server #44-Ubuntu SMP Fri Jan 21 19:09:14 UTC 2011 x86_64 GNU/Linux
I saw the following errors on my DNS server running unbound.
/var/log/message:
kernel: [96324.941657] nf_conntrack: table full, dropping packet.
The same message is also visible via dmesg:
# dmesg | tail -1
[96324.941657] nf_conntrack: table full, dropping packet.
This seems to be caused by a full iptables connection-tracking table (nf_conntrack) due to a DDoS, i.e. a huge amount of traffic: once the table has no free slot, the kernel drops the packets of every new flow, which is what the log line reports.
You may solve this by increasing "ip_conntrack_max" if you have enough memory available, since each tracked connection occupies kernel memory.
The default value is:
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
65536
This value is a 32-bit integer.
Increase the value with the sysctl command:
# sysctl -w net.netfilter.nf_conntrack_max=131072
net.netfilter.nf_conntrack_max = 131072
or edit /etc/sysctl.conf so that the change persists across reboots:
# egrep conntrack /etc/sysctl.conf
net.netfilter.nf_conntrack_max=131072
In my case, after increasing that value from 65536 to 131072, I haven't seen the above errors :)
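Rather than waiting for the "table full" line to appear, the table's fill level can be watched and the log scanned for the message shown above. The script below is an added example, not part of the original post; it assumes a Linux host exposing nf_conntrack_count and nf_conntrack_max under /proc/sys/net/netfilter, with the paths and the warning threshold overridable so it also runs against constructed sample data.

```shell
#!/bin/sh
# Added example: check conntrack table headroom and count "table full"
# events in a log. Not from the original post.

# Count "nf_conntrack: table full" events in the log text read from stdin.
# grep -c exits non-zero when the count is 0, so "|| true" keeps the 0.
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Print the table usage in percent, given current count and maximum.
conntrack_usage_pct() {
    count="$1"; max="$2"
    [ "$max" -gt 0 ] || { echo 0; return; }
    echo $(( count * 100 / max ))
}

# Return 0 when usage is below the threshold (default 80%), 1 when it is
# at or above it, 2 when the sysctl files cannot be read (non-Linux host).
# Arguments: [count_file] [max_file] [threshold_pct]
conntrack_headroom_ok() {
    count_file="${1:-/proc/sys/net/netfilter/nf_conntrack_count}"
    max_file="${2:-/proc/sys/net/netfilter/nf_conntrack_max}"
    threshold="${3:-80}"
    [ -r "$count_file" ] && [ -r "$max_file" ] || return 2
    count=$(cat "$count_file"); max=$(cat "$max_file")
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "conntrack: $count/$max entries (${pct}%)"
    [ "$pct" -lt "$threshold" ]
}

# Constructed sample log lines (same message the post shows in dmesg).
SAMPLE_LOG='kernel: [96324.941657] nf_conntrack: table full, dropping packet.
kernel: [96325.002311] nf_conntrack: table full, dropping packet.
kernel: [96330.117720] eth0: link is up'

# Demonstration on the constructed sample; the live check needs /proc.
echo "table-full events in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_table_full)"
```

Raising nf_conntrack_max alone leaves the hash table size (net.netfilter.nf_conntrack_buckets) unchanged, so lookups slow down as the table grows; scale both together.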
perfect
thanks mate
Thanks for stopping by my blog.
My pleasure :)