System is CentOS
There are two ways to check the nf_conntrack table entries, and I am getting different results with each of them after the firewall has been running for a day or so.
wc -l /proc/net/nf_conntrack
shows a reasonable number for the traffic through the firewall
# wc -l /proc/net/nf_conntrack
conntrack -C (using the conntrack-tools)
# conntrack -C
If I do
Method 1 (line count) shows very low numbers and flush appears to have worked.
Method 1 shows the previous number minus the number of entries removed from the /proc/net/nf_conntrack table.
Using the figures above it would show 16474.
If left alone, the number reported by conntrack -C keeps increasing and packets are dropped when it reaches net.nf_conntrack_max.
As a temporary reprieve I have increased the maximum; in sysctl.conf I added:
# Increase the nf_conntrack maximum from 65536 to 524288
net.nf_conntrack_max = 524288
If anyone has experienced a similar issue and has knowledge, please help.
I'd be interested if anyone has a suggestion for troubleshooting this as
System details are as follows:
CentOS 6.10 with updates current to approximately 1.5 months ago, as reboots are a challenge with 24 hr operation.
# uname -a
Linux svfwl02.dbct.com.au 2.6.32-754.el6.x86_64 #1 SMP Tue Jun 19 21:26:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/redhat-release
CentOS release 6.10 (Final)
# rpm -q iptables
# rpm -q conntrack-tools
Please point me to the relevant netfilter forum if this may be better asked there.
My first post here, but now I'm registered I hope to be of assistance to others.
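As an added example (not part of the original post, and not from the CentOS project or conntrack-tools), the script below gathers the three readings a troubleshooter would want side by side: the kernel's own counter in /proc/sys/net/netfilter/nf_conntrack_count, the line count of /proc/net/nf_conntrack, and conntrack -C, together with nf_conntrack_max. It also breaks a dump of the table down by TCP state, which is the usual way to see whether a steadily growing count is made of ESTABLISHED flows or of entries sitting in states such as TIME_WAIT or SYN_SENT. The sample table lines are constructed (RFC 5737 test addresses), the 70%/90% thresholds are my own choice, and the /proc paths are the standard ones for a 2.6.32-era kernel with nf_conntrack loaded.

```shell
#!/bin/sh
# Added example, not the poster's or conntrack-tools' code.
# Shows the three ways the conntrack table size is exposed and a per-state
# breakdown of the table text, so the numbers can be compared directly.

# Live readings; each falls back to "n/a" where the file or tool is absent.
conntrack_live_counts() {
    echo "nf_conntrack_count:           $(cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null || echo n/a)"
    echo "wc -l /proc/net/nf_conntrack: $(wc -l < /proc/net/nf_conntrack 2>/dev/null || echo n/a)"
    echo "conntrack -C:                 $(conntrack -C 2>/dev/null || echo n/a)"
    echo "nf_conntrack_max:             $(cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null || echo n/a)"
}

# Integer percentage of the table in use: $1 = current count, $2 = maximum.
conntrack_utilisation() {
    echo $(( $1 * 100 / $2 ))
}

# Classify the utilisation; thresholds (70% warn, 90% critical) are assumptions.
conntrack_status() {
    pct=$(conntrack_utilisation "$1" "$2")
    if [ "$pct" -ge 90 ]; then
        echo critical
    elif [ "$pct" -ge 70 ]; then
        echo warn
    else
        echo ok
    fi
}

# Read /proc/net/nf_conntrack text on stdin and count entries per TCP state;
# non-TCP entries (udp, icmp, ...) are counted under their protocol name.
# Field layout per line: l3proto l3num l4proto l4num timeout [tcpstate] src=...
conntrack_state_breakdown() {
    awk '$3 == "tcp" { n[$6]++ } $3 != "tcp" { n[$3]++ }
         END { for (s in n) print s, n[s] }' | sort
}

# Constructed sample of the table text (not captured from a real firewall).
SAMPLE_TABLE=$(cat <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=192.0.2.12 dst=198.51.100.5 sport=51240 dport=443 src=198.51.100.5 dst=192.0.2.12 sport=443 dport=51240 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 TIME_WAIT src=192.0.2.13 dst=198.51.100.5 sport=51250 dport=80 src=198.51.100.5 dst=192.0.2.13 sport=80 dport=51250 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.0.2.11 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=192.0.2.11 sport=53 dport=40000 mark=0 zone=0 use=2
EOF
)

# Stand-alone run: live readings (if available) plus the sample breakdown,
# and the utilisation for the figures quoted in the post (16474 of 65536).
conntrack_live_counts
echo "sample table by state:"
printf '%s\n' "$SAMPLE_TABLE" | conntrack_state_breakdown
echo "16474/65536 -> $(conntrack_utilisation 16474 65536)% ($(conntrack_status 16474 65536))"
```

On a live box, run it as root and compare the first three lines: nf_conntrack_count is what the kernel is actually checking against nf_conntrack_max when it decides to drop packets, so that is the figure to trust if the other two disagree. Piping `cat /proc/net/nf_conntrack | conntrack_state_breakdown` (after sourcing the script) shows which states are accumulating.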