Small blog about system administration.

IPTABLES: ip_conntrack: table full, dropping packet.

The server was reporting the following message in /var/log/messages (syslog):

ip_conntrack: table full, dropping packet.

How do I fix this error?

Generally, ip_conntrack_max is set to the total amount of RAM installed in MB multiplied by 16.
However, the server had 4GB of RAM, but ip_conntrack_max was set to 65536:

# cat /proc/sys/net/ipv4/ip_conntrack_max
65536

If you want to check your server's current tracked connections, just run the following:

# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count

If you want to adjust it (as I did), just run the following as root:

# echo 131072 > /proc/sys/net/ipv4/ip_conntrack_max

This fixes the problem immediately, but after a reboot the original value will be restored.
To make the change persistent, add a line like 'net.ipv4.ip_conntrack_max=131072' to /etc/sysctl.conf:

# echo 'net.ipv4.ip_conntrack_max=131072' >> /etc/sysctl.conf
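As an added example (not from the original post), the shell script below wraps the checks above in reusable functions: it reads the tracked-connection count and table size, reports how full the table is, and computes the "total RAM in MB multiplied by 16" rule of thumb. It also tries the nf_conntrack_* file names that newer kernels use in place of the ip_conntrack ones shown in the post; the 90% warning threshold is my own choice.

```sh
#!/bin/sh
# Added example, not part of the original post: check conntrack table usage
# and apply the "total RAM in MB x 16" sizing rule the post describes.
# Newer kernels expose the same counters as nf_conntrack_* under
# /proc/sys/net/netfilter/, so both sets of paths are tried.

# Recommended table size from the post's rule: RAM in MB multiplied by 16.
recommended_conntrack_max() {
    echo $(($1 * 16))
}

# Integer percentage of the table currently in use (count * 100 / max).
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || { echo 0; return; }
    echo $((($1 * 100) / $2))
}

# Print the contents of the first readable file among the arguments.
read_first_existing() {
    for f in "$@"; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    return 1
}

# Live report for a Linux host with connection tracking loaded.
report_conntrack() {
    max=$(read_first_existing /proc/sys/net/ipv4/ip_conntrack_max \
                              /proc/sys/net/netfilter/nf_conntrack_max) || return 1
    count=$(read_first_existing /proc/sys/net/ipv4/netfilter/ip_conntrack_count \
                                /proc/sys/net/netfilter/nf_conntrack_count) || return 1
    ram_mb=$(awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo)
    pct=$(conntrack_usage_pct "$count" "$max")
    printf 'tracked=%s max=%s usage=%s%% rule_of_thumb_max=%s\n' \
        "$count" "$max" "$pct" "$(recommended_conntrack_max "$ram_mb")"
    # Warn before the kernel starts logging "table full, dropping packet".
    [ "$pct" -lt 90 ] || echo "WARNING: conntrack table above 90% full" >&2
}

report_conntrack || echo "conntrack counters not available on this host" >&2
```

Run it from cron or a monitoring check so the table is enlarged before packets start being dropped rather than after the syslog message appears.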
