aMule Forum


Author Topic: ip_conntrack: table full, dropping packet.  (Read 11092 times)

bill_bool

  • Approved Newbie
  • *
  • Karma: 0
  • Offline Offline
  • Posts: 31
Re: ip_conntrack: table full, dropping packet.
« Reply #15 on: February 27, 2005, 01:35:52 PM »

Quote
Originally posted by Vollstrecker
Without conntrack, I would miss IRC support. I've just set Queue to 1000 and the problem was gone.

I tried with queue set to 500, and I still have the same problem... around 5000 connections on my PC and my router stalling with approx. 3800 connections :(
Logged
Kubuntu Feisty on Asus a7n8x-x, XP3000+ FSB333, 1Go DDR3200, ext3fs, behind WRT54G/Tomato 1.07 on a 20mb ADSL connection.

hgg

  • Newbie
  • Karma: 0
  • Offline Offline
  • Posts: 4
Re: ip_conntrack: table full, dropping packet.
« Reply #16 on: February 28, 2005, 11:32:12 AM »

I've managed to optimize my iptables filters:

iptables -t raw -A OUTPUT -p TCP -s 0/0 --dport 4662 -j NOTRACK
iptables -t raw -A OUTPUT -p TCP -s 0/0 --sport 4662 -j NOTRACK
iptables -t raw -A PREROUTING -p TCP -s 0/0 --sport 4662 -j NOTRACK
iptables -t raw -A PREROUTING -p TCP -s 0/0 --dport 4662 -j NOTRACK

iptables -t raw -I OUTPUT 1 -m state --state UNTRACKED -j ACCEPT
iptables -t raw -I PREROUTING 1 -m state --state UNTRACKED -j ACCEPT
iptables -I INPUT 1 -m state --state UNTRACKED -j ACCEPT
iptables -I OUTPUT 1 -m state --state UNTRACKED -j ACCEPT

With these rules I do not track port 4662 and I can get High IDs! The number of established connections keeps growing but at a very slow pace, slow enough to time out in five days without filling ip_conntrack.

It's still annoying, but now I do not have to reboot every 2, 3 days... Of course this will not solve the problem with the routers. :-(

I'm using CVS from 20050219, should I upgrade?
« Last Edit: February 28, 2005, 11:34:28 AM by hgg »
Logged
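
Added example (not part of hgg's post and not aMule project code): a small shell check that reads a conntrack table dump in the /proc/net/ip_conntrack line format and reports how full the table is and how many entries involve TCP port 4662, the traffic the NOTRACK rules above are meant to keep out of the table. The sample entries, the function names and the 80% warning threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example: how full is the conntrack table, and how much of it is port 4662?
# Assumes the /proc/net/ip_conntrack line format; names and threshold are illustrative.

# Constructed sample entries (documentation address ranges, not real peers).
sample_table() {
cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=4662 src=203.0.113.5 dst=192.168.1.10 sport=4662 dport=51234 [ASSURED] use=1
tcp      6 431870 ESTABLISHED src=198.51.100.7 dst=192.168.1.10 sport=40222 dport=4662 src=192.168.1.10 dst=198.51.100.7 sport=4662 dport=40222 [ASSURED] use=1
tcp      6 97 TIME_WAIT src=192.168.1.10 dst=203.0.113.9 sport=51240 dport=4662 src=203.0.113.9 dst=192.168.1.10 sport=4662 dport=51240 [ASSURED] use=1
udp      17 25 src=192.168.1.10 dst=203.0.113.20 sport=4672 dport=4672 [UNREPLIED] src=203.0.113.20 dst=192.168.1.10 sport=4672 dport=4672 use=1
tcp      6 431500 ESTABLISHED src=192.168.1.10 dst=192.0.2.30 sport=51300 dport=6667 src=192.0.2.30 dst=192.168.1.10 sport=6667 dport=51300 [ASSURED] use=1
EOF
}

# conntrack_summary PORT MAX WARN_PCT   (table dump on stdin)
# Prints: total=<n> port=<n> established=<n> fill=<pct> status=ok|warn
conntrack_summary() {
    awk -v port="$1" -v max="$2" -v warn="$3" '
    {
        total++
        hit = 0
        # Each entry lists both directions, so match the port on either side.
        for (i = 1; i <= NF; i++)
            if ($i == ("sport=" port) || $i == ("dport=" port)) hit = 1
        if (hit) onport++
        # Only TCP entries carry a state name in field 4.
        if ($4 == "ESTABLISHED") est++
    }
    END {
        pct = (max > 0) ? total * 100 / max : 0
        status = (pct >= warn) ? "warn" : "ok"
        printf "total=%d port=%d established=%d fill=%d status=%s\n",
               total, onport, est, pct, status
    }'
}

# On a kernel that exposes the ip_conntrack files, the live equivalent would be:
#   conntrack_summary 4662 "$(cat /proc/sys/net/ipv4/ip_conntrack_max)" 80 \
#       < /proc/net/ip_conntrack
sample_table | conntrack_summary 4662 8 80
```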

Vollstrecker

  • Administrator
  • Hero Member
  • *****
  • Karma: 67
  • Offline Offline
  • Posts: 1550
  • Unofficial Debian Packager
    • http://vollstreckernet.de
Re: ip_conntrack: table full, dropping packet.
« Reply #17 on: March 12, 2005, 10:36:57 PM »

Are these rules set in addition to the normal rules, or in place of them?
Logged
Homefucking is killing prostitution

Vollstrecker

  • Administrator
  • Hero Member
  • *****
  • Karma: 67
  • Offline Offline
  • Posts: 1550
  • Unofficial Debian Packager
    • http://vollstreckernet.de
Re: ip_conntrack: table full, dropping packet.
« Reply #18 on: March 13, 2005, 10:17:45 PM »

I now have the following setup, and get a Low ID. Without the last 8 lines I have a High one, but the conntrack problem. What's wrong with these rules?

$IPT -t nat -A POSTROUTING -o $EXTIF -p TCP -s $Werner1 --sport 4662 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $EXTIF -p TCP -s $Werner1 --dport 4662 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $EXTIF -p UDP -s $Werner1 --dport 4672 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $EXTIF -p TCP -s $Werner1 --dport 4661 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $EXTIF -p UDP -s $Werner1 --dport 4665 -j MASQUERADE
$IPT -t nat -i $EXTIF -I PREROUTING -p tcp --dport 4662 -j DNAT --to-destination $Werner1:4662
$IPT -t nat -i $EXTIF -I PREROUTING -p udp --dport 4665 -j DNAT --to-destination $Werner1:4665
$IPT -t nat -i $EXTIF -I PREROUTING -p udp --dport 4672 -j DNAT --to-destination $Werner1:4672
$IPT -I FORWARD -p TCP --sport 4662 -j ACCEPT
$IPT -I FORWARD -p TCP --dport 4662 -j ACCEPT
$IPT -I FORWARD -p UDP --dport 4672 -j ACCEPT
$IPT -I FORWARD -p TCP --dport 4661 -j ACCEPT
$IPT -I FORWARD -p UDP --dport 4662 -j ACCEPT
$IPT -I FORWARD -p UDP --dport 4662 -j ACCEPT
$IPT -I FORWARD -p UDP --dport 4665 -j ACCEPT
$IPT -I FORWARD -p UDP --dport 4672 -j ACCEPT

$IPT -t raw -A OUTPUT -p TCP -s 0/0 --dport 4662 -j NOTRACK
$IPT -t raw -A OUTPUT -p TCP -s 0/0 --sport 4662 -j NOTRACK
$IPT -t raw -A PREROUTING -p TCP -s 0/0 --sport 4662 -j NOTRACK
$IPT -t raw -A PREROUTING -p TCP -s 0/0 --dport 4662 -j NOTRACK
$IPT -t raw -I OUTPUT 1 -m state --state UNTRACKED -j ACCEPT
$IPT -t raw -I PREROUTING 1 -m state --state UNTRACKED -j ACCEPT
$IPT -I INPUT 1 -m state --state UNTRACKED -j ACCEPT
$IPT -I OUTPUT 1 -m state --state UNTRACKED -j ACCEPT
Logged
Homefucking is killing prostitution

GonoszTopi

  • The current man in charge of most things.
  • Administrator
  • Hero Member
  • *****
  • Karma: 169
  • Offline Offline
  • Posts: 2685
Re: ip_conntrack: table full, dropping packet.
« Reply #19 on: March 14, 2005, 08:19:49 PM »

$IPT -t raw -A OUTPUT -p TCP -s 0/0 --dport 4662 -j NOTRACK
$IPT -t raw -A OUTPUT -p TCP -s 0/0 --sport 4662 -j NOTRACK

$IPT -t raw -A PREROUTING -p TCP -s 0/0 --sport 4662 -j NOTRACK
$IPT -t raw -A PREROUTING -p TCP -s 0/0 --dport 4662 -j NOTRACK
$IPT -t raw -I OUTPUT 1 -m state --state UNTRACKED -j ACCEPT
$IPT -t raw -I PREROUTING 1 -m state --state UNTRACKED -j ACCEPT
$IPT -I INPUT 1 -m state --state UNTRACKED -j ACCEPT
$IPT -I OUTPUT 1 -m state --state UNTRACKED -j ACCEPT


Vollstrecker, give it a try without the red lines.

Note: and you have
$IPT -I FORWARD -p UDP --dport 4665 -j ACCEPT
twice ...
Logged
concordia cum veritate

skolnick

  • Global Moderator
  • Hero Member
  • *****
  • Karma: 24
  • Offline Offline
  • Posts: 1188
  • CentOS 6 User
Re: ip_conntrack: table full, dropping packet.
« Reply #20 on: March 14, 2005, 09:52:30 PM »

Quote
Originally posted by GonoszTopi
Note: and you have
$IPT -I FORWARD -p UDP --dport 4665 -j ACCEPT
twice ...

In fact the repeated line is this:

$IPT -I FORWARD -p UDP --dport 4662 -j ACCEPT

Regards.
Logged

Vollstrecker

  • Administrator
  • Hero Member
  • *****
  • Karma: 67
  • Offline Offline
  • Posts: 1550
  • Unofficial Debian Packager
    • http://vollstreckernet.de
Re: ip_conntrack: table full, dropping packet.
« Reply #21 on: March 14, 2005, 09:57:06 PM »

I commented out the red ones, but nothing changed.
Logged
Homefucking is killing prostitution