All,

This may be useful to you -- it has really helped some of my very busy servers.

Background: I run iptables on a number of Internet-facing mail relays mostly running Red Hat Enterprise Linux v.3 (current kernel is 2.4.21). Some servers had issues running out of ip_conntrack slots and dropping packets. ip_conntrack is the connection tracking table for stateful connections -- the default timeout is 6 days. That can be adjusted in kernel 2.4.23 and above, but nothing less. Once you start seeing the wonderful message:

    "ip_conntrack: table full, dropping packet"

in your logs and console, a reboot is in order to restore sane operation. While you can increase the ip_conntrack table size, it uses non-swappable RAM (on a system with 1GB or greater of RAM, the default size of 65536 will use about 20MB of RAM, and it's best to increment it in powers of 2).

We just upgraded a couple of affected servers to RH 4 and thus are now running on a 2.6.9 kernel, which has a whole slew of different timeout values that can be adjusted, but also supports an enhancement that will make a lot of difference for us. The following rules tell iptables to accept but not create ip_conntrack table entries for localhost traffic:

    iptables -t raw -A PREROUTING -i lo -j NOTRACK
    iptables -A INPUT -i lo -j ACCEPT

For our servers about a third of the ip_conntrack entries were source and dest 127.0.0.1 (very heavy and creative DNS usage). I don't know why anyone would want to track localhost connections, but that is the default.

I thought I'd pass this along as a useful trick to decrease the load.

Richard Wilson
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
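The post says roughly a third of the conntrack entries on those relays were 127.0.0.1 to 127.0.0.1, which is the figure that justifies the NOTRACK rule. The script below, an added example that is not part of the original post, measures that share on a host before and after the rules are applied, and reports how close the table is to the "table full" condition. It parses the kernel's text dump of the connection tracking table (/proc/net/ip_conntrack on 2.4/2.6 ip_conntrack kernels, /proc/net/nf_conntrack on later ones) and reads the table limit from the ip_conntrack_max or nf_conntrack_max sysctl; the line layout it assumes (protocol name and number, timeout, optional TCP state, then the original-direction src=/dst= tuple) is the standard one but is not shown on the page, and the sample lines embedded in the script are constructed. When neither /proc file exists it falls back to the constructed sample so it runs offline.

```python
"""Measure how much of the connection tracking table is loopback traffic.

Added example, not from the mailing-list post. Assumes the standard text
format of /proc/net/ip_conntrack and /proc/net/nf_conntrack.
"""
import ipaddress
import os
import re
from collections import Counter

# Constructed sample of ip_conntrack lines: a real mail relay would have
# thousands. Three of the six entries are loopback-to-loopback DNS/filter
# traffic, which the NOTRACK rule on lo stops tracking altogether.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=203.0.113.10 dst=192.0.2.25 sport=40012 dport=25 src=192.0.2.25 dst=203.0.113.10 sport=25 dport=40012 [ASSURED] use=1
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=33001 dport=53 src=127.0.0.1 dst=127.0.0.1 sport=53 dport=33001 use=1
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=33002 dport=53 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=33002 use=1
tcp      6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=41000 dport=10024 src=127.0.0.1 dst=127.0.0.1 sport=10024 dport=41000 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=198.51.100.7 dst=192.0.2.25 sport=51234 dport=25 src=192.0.2.25 dst=198.51.100.7 sport=25 dport=51234 [ASSURED] use=1
udp      17 17 src=192.0.2.25 dst=198.51.100.53 sport=50000 dport=53 src=198.51.100.53 dst=192.0.2.25 sport=53 dport=50000 use=1
"""

# The first src=/dst= pair on a line is the original-direction tuple; the
# second pair is the expected reply and is ignored here.
TUPLE_RE = re.compile(r"\bsrc=(\S+)\s+dst=(\S+)")
# Works for both "tcp 6 ..." (ip_conntrack) and "ipv4 2 tcp 6 ..." (nf_conntrack).
PROTO_RE = re.compile(r"\b(tcp|udp|icmp|icmpv6)\s+\d+\b")


def parse_entry(line):
    """Return (proto, src, dst) for one conntrack line, or None if it does not parse."""
    m_tuple = TUPLE_RE.search(line)
    m_proto = PROTO_RE.search(line)
    if not m_tuple or not m_proto:
        return None
    return m_proto.group(1), m_tuple.group(1), m_tuple.group(2)


def is_loopback_entry(src, dst):
    """True when both ends are loopback addresses (127.0.0.0/8 or ::1)."""
    try:
        return (ipaddress.ip_address(src).is_loopback
                and ipaddress.ip_address(dst).is_loopback)
    except ValueError:
        return False


def summarize(text):
    """Count entries in total, per protocol, and those NOTRACK on lo would remove."""
    total = 0
    loopback = 0
    by_proto = Counter()
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue  # blank or unrecognised line
        proto, src, dst = entry
        total += 1
        by_proto[proto] += 1
        if is_loopback_entry(src, dst):
            loopback += 1
    share = loopback / total if total else 0.0
    return {"total": total, "loopback": loopback,
            "loopback_share": share, "by_proto": dict(by_proto)}


def table_usage(count, table_max):
    """Percent of the table in use; approaching 100 means the kernel will soon
    log 'ip_conntrack: table full, dropping packet'."""
    if table_max <= 0:
        raise ValueError("table_max must be positive")
    return 100.0 * count / table_max


def read_first_existing(paths):
    """Return the contents of the first readable path, or None."""
    for path in paths:
        if os.path.exists(path):
            with open(path) as fh:
                return fh.read()
    return None


if __name__ == "__main__":
    live = read_first_existing(["/proc/net/nf_conntrack", "/proc/net/ip_conntrack"])
    text = live if live is not None else SAMPLE_CONNTRACK
    limit = read_first_existing(["/proc/sys/net/netfilter/nf_conntrack_max",
                                 "/proc/sys/net/ipv4/ip_conntrack_max"])
    table_max = int(limit) if limit else 65536  # the default size the post mentions
    stats = summarize(text)
    print("source:", "live table" if live is not None else "constructed sample")
    print("entries: %d  loopback-only: %d (%.0f%%)  by proto: %s" % (
        stats["total"], stats["loopback"], 100 * stats["loopback_share"], stats["by_proto"]))
    print("table usage: %.2f%% of %d" % (table_usage(stats["total"], table_max), table_max))
```

Run it as root on a relay before adding the two rules from the post and again a few minutes afterwards: the loopback count should fall towards zero as existing entries time out, and the usage percentage gives an early warning well before the table fills and a reboot becomes necessary.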