{"id":652,"date":"2015-10-29T15:50:13","date_gmt":"2015-10-29T07:50:13","guid":{"rendered":"http:\/\/www.sulabs.net\/?p=652"},"modified":"2015-10-29T15:50:13","modified_gmt":"2015-10-29T07:50:13","slug":"nf_conntrack-table-full-dropping-packet-%e7%bb%88%e7%bb%93%e7%af%87","status":"publish","type":"post","link":"https:\/\/www.sulabs.net\/?p=652","title":{"rendered":"nf_conntrack: table full, dropping packet. \u7ec8\u7ed3\u7bc7"},"content":{"rendered":"

\u539f\u6587\u51fa\u5904\uff1ahttp:\/\/my.oschina.net\/kisops\/blog\/150995
\n\u6587\u7ae0\u4f5c\u8005\uff1akisops<\/p>\n

\u201c\u8fde\u63a5\u8ddf\u8e2a\u8868\u5df2\u6ee1\uff0c\u5f00\u59cb\u4e22\u5305\u201d\uff01\u76f8\u4fe1\u4e0d\u5c11\u7528iptables\u7684\u540c\u5b66\u90fd\u4f1a\u89c1\u8fc7\u8fd9\u4e2a\u9519\u8bef\u4fe1\u606f<\/span><\/a>\u5427\uff0c\u8fd9\u4e2a\u95ee\u9898\u66fe\u7ecf\u4e5f\u56f0\u6270\u8fc7\u6211\u597d\u957f\u4e00\u6bb5\u65f6\u95f4\u3002\u6b64\u95ee\u9898\u7684\u89e3\u51b3\u529e\u6cd5\u6709\u56db\u79cd\uff08nf_conntrack \u5728CentOS 5 \/ kernel <= 2.6.19\u4e2d\u540d\u4e3a ip_conntrack \uff09\uff1a
\n<\/p>\n

\u4e00\u3001\u5173\u95ed\u9632\u706b\u5899\u3002 \u7b80\u5355\u7c97\u66b4\uff0c\u76f4\u63a5\u6709\u6548<\/p>\n

chkconfig iptables off\u00a0\r\nchkconfig ip6tables off\u00a0\r\nservice iptables stop\u00a0\r\nservice ip6tables stop<\/pre>\n
\n
\u00a0 \u5207\u8bb0\uff1a\u5728\u9632\u706b\u5899\u5173\u95ed\u72b6\u6001\u4e0b\uff0c\u4e0d\u8981\u901a\u8fc7iptables\u6307\u4ee4\uff08\u6bd4\u5982 iptables -nL\uff09\u6765\u67e5\u770b\u5f53\u524d\u72b6\u6001\uff01\u56e0\u4e3a\u8fd9\u6837\u4f1a\u5bfc\u81f4\u9632\u706b\u5899\u88ab\u542f\u52a8\uff0c\u800c\u4e14\u89c4\u5219\u4e3a\u7a7a\u3002\u867d\u7136\u4e0d\u4f1a\u6709\u4efb\u4f55\u62e6\u622a\u6548\u679c\uff0c\u4f46\u6240\u6709\u8fde\u63a5\u72b6\u6001\u90fd\u4f1a\u88ab\u8bb0\u5f55\uff0c\u6d6a\u8d39\u8d44\u6e90\u4e14\u5f71\u54cd\u6027\u80fd\u5e76\u53ef\u80fd\u5bfc\u81f4\u9632\u706b\u5899\u4e3b\u52a8\u4e22\u5305\uff01<\/pre>\n<\/div>\n
\u4e8c\u3001\u52a0\u5927\u9632\u706b\u5899\u8ddf\u8e2a\u8868\u7684\u5927\u5c0f\uff0c\u4f18\u5316\u5bf9\u5e94\u7684\u7cfb\u7edf\u53c2\u6570<\/p>\n
1\u3001\u72b6\u6001\u8ddf\u8e2a\u8868\u7684\u6700\u5927\u884c\u6570\u7684\u8bbe\u5b9a\uff0c\u7406\u8bba\u6700\u5927\u503c CONNTRACK_MAX = RAMSIZE (in bytes) \/ 16384 \/ (ARCH \/ 32)<\/p>\n
\u4ee564G\u768464\u4f4d\u64cd\u4f5c\u7cfb\u7edf\u4e3a\u4f8b\uff0cCONNTRACK_MAX = 64*1024*1024*1024\/16384\/2 = 2097152<\/p>\n
\u5373\u65f6\u751f\u6548\u8bf7\u6267\u884c\uff1a<\/p>\n
\n
sysctl \u2013w net.netfilter.nf_conntrack_max = 2097152<\/pre>\n<\/div>\n
2\u3001\u5176\u54c8\u5e0c\u8868\u5927\u5c0f\u901a\u5e38\u4e3a\u603b\u8868\u76841\/8\uff0c\u6700\u5927\u4e3a1\/2\u3002CONNTRACK_BUCKETS = CONNTRACK_MAX \/ 8<\/p>\n
\u540c\u683764G\u768464\u4f4d\u64cd\u4f5c\u7cfb\u7edf\uff0c\u54c8\u5e0c\u6700\u4f73\u8303\u56f4\u662f 262144 ~ 1048576 \u3002<\/p>\n
\u8fd0\u884c\u72b6\u6001\u4e2d\u901a\u8fc7 sysctl net.netfilter.nf_conntrack_buckets \u8fdb\u884c\u67e5\u770b\uff0c\u901a\u8fc7\u6587\u4ef6 \/sys\/module\/nf_conntrack\/parameters\/hashsize \u8fdb\u884c\u8bbe\u7f6e<\/p>\n
\u6216\u8005\u65b0\u5efa \/etc\/modprobe.d\/iptables.conf \uff0c\u91cd\u65b0\u52a0\u8f7d\u6a21\u5757\u624d\u751f\u6548\uff1a<\/p>\n
\n
options nf_conntrack hashsize = 262144\r\n<\/pre>\n<\/div>\n
3\u3001\u8fd8\u6709\u4e9b\u76f8\u5173\u7684\u7cfb\u7edf\u53c2\u6570`sysctl -a | grep nf_conntrack`\u53ef\u4ee5\u8c03\u4f18\uff08\/etc\/sysctl.conf \uff09\uff1a<\/p>\n
\n
net.netfilter.nf_conntrack_max \u00a0= \u00a0 1048576 \u00a0\r\nnet.netfilter.ip_conntrack_tcp_timeout_established \u00a0= \u00a0 3600 \u00a0\r\nnet.netfilter.nf_conntrack_tcp_timeout_close_wait \u00a0= \u00a0 60 \u00a0\r\nnet.netfilter.nf_conntrack_tcp_timeout_fin_wait \u00a0= \u00a0 120 \u00a0\r\nnet.netfilter.nf_conntrack_tcp_timeout_time_wait \u00a0= \u00a0 120\u00a0\r\n<\/pre>\n<\/div>\n
\u4e09\u3001\u4f7f\u7528\u797c\u8868\uff0c\u6dfb\u52a0\u201c\u4e0d\u8ddf\u8e2a\u201d\u6807\u8bc6\u3002\u5982\u4e0b\u793a\u4f8b\u66f4\u9002\u5408\u684c\u9762\u7cfb\u7edf\u6216\u968f\u610f\u6027\u5f3a\u7684\u670d\u52a1\u5668\u3002\u56e0\u4e3a\u5b83\u5f00\u542f\u4e86\u8fde\u63a5\u7684\u72b6\u6001\u673a\u5236\uff0c\u65b9\u4fbf\u548c\u5916\u90e8\u901a\u4fe1\u3002\u4fee\u6539 \/etc\/sysconfig\/iptables \u6587\u4ef6\uff1a<\/p>\n
\n
*raw\u00a0\r\n# \u5bf9TCP\u8fde\u63a5\u4e0d\u542f\u7528\u8ffd\u8e2a\uff0c\u89e3\u51b3ip_contrack\u6ee1\u5bfc\u81f4\u65e0\u6cd5\u8fde\u63a5\u7684\u95ee\u9898\u00a0\r\n-A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK\u00a0\r\n-A PREROUTING -p tcp -m tcp --dport 22 -j NOTRACK\u00a0\r\n-A PREROUTING -p tcp -m tcp --dport 21 -j NOTRACK\u00a0\r\n-A PREROUTING -p tcp -m tcp --dport 11211 -j NOTRACK\u00a0\r\n-A PREROUTING -p tcp -m tcp --dport 60000:60100 -j NOTRACK\u00a0\r\n-A PREROUTING -p tcp -s 192.168.10.1 -j NOTRACK\u00a0\r\n-A OUTPUT -p tcp -m tcp --sport 80 -j NOTRACK\u00a0\r\n-A OUTPUT -p tcp -m tcp --sport 22 -j NOTRACK\u00a0\r\n-A OUTPUT -p tcp -m tcp --sport 21 -j NOTRACK\u00a0\r\n-A OUTPUT -p tcp -m tcp --sport 11211 -j NOTRACK\u00a0\r\n-A OUTPUT -p tcp -m tcp --sport 60000:60100 -j NOTRACK\u00a0\r\n-A OUTPUT -p tcp -s 192.168.10.1 -j NOTRACK\u00a0\r\nCOMMIT\u00a0\r\n*filter\u00a0\r\n# \u5141\u8bb8ping\u00a0\r\n-A INPUT -p icmp -j ACCEPT\u00a0\r\n# \u5bf9\u672c\u5730\u56de\u8def\u3001\u7b2c5\u5f20\u7f51\u5361\u653e\u884c\u00a0\r\n-A INPUT -i lo -j ACCEPT\u00a0\r\n-A INPUT -i eth4 -j ACCEPT\u00a0\r\n# \u8fde\u63a5\u72b6\u6001\u8ddf\u8e2a\uff0c\u5df2\u5efa\u7acb\u7684\u8fde\u63a5\u5141\u8bb8\u4f20\u8f93\u6570\u636e\u00a0\r\n-A INPUT -m state --state ESTABLISHED,RELATED,INVALID,UNTRACKED -j ACCEPT\u00a0\r\n# filter\u8868\u91cc\u5b58\u5728\u4f46\u5728raw\u91cc\u4e0d\u5b58\u5728\u7684\uff0c\u9ed8\u8ba4\u4f1a\u8fdb\u884c\u8fde\u63a5\u72b6\u6001\u8ddf\u8e2a\u00a0\r\n-A INPUT -s 192.168.10.31 -p tcp --dport 2669 -j ACCEPT\u00a0\r\n-A INPUT -j REJECT --reject-with icmp-host-prohibited\u00a0\r\n-A FORWARD -j REJECT --reject-with icmp-host-prohibited\u00a0\r\nCOMMIT\r\n<\/pre>\n<\/div>\n
\u6216\u8005\u5e72\u8106\u5bf9\u6240\u6709\u8fde\u63a5\u90fd\u5173\u95ed\u8ddf\u8e2a\uff0c\u4e0d\u8ddf\u8e2a\u4efb\u4f55\u8fde\u63a5\u72b6\u6001\u3002\u4e0d\u8fc7\u89c4\u5219\u5c31\u9650\u5236\u6bd4\u8f83\u4e25\u8c28\uff0c\u8fdb\u51fa\u90fd\u9700\u8981\u663e\u5f0f\u7533\u660e\u3002\u793a\u4f8b \/etc\/sysconfig\/iptables \uff1a<\/p>\n
\n
*raw\r\n# \u5bf9TCP\/UDP\u8fde\u63a5\u4e0d\u542f\u7528\u8ffd\u8e2a\uff0c\u89e3\u51b3nf_contrack\u6ee1\u5bfc\u81f4\u65e0\u6cd5\u8fde\u63a5\u7684\u95ee\u9898\r\n-A PREROUTING -p tcp -j NOTRACK\r\n-A PREROUTING -p udp -j NOTRACK\r\n-A OUTPUT -p tcp -j NOTRACK\r\n-A OUTPUT -p udp -j NOTRACK\r\nCOMMIT\r\n*filter\r\n# \u5141\u8bb8ping\r\n-A INPUT -p icmp -j ACCEPT\r\n# \u5bf9\u672c\u5730\u56de\u8def\u548ceth1\u653e\u884c\r\n-A INPUT -i lo -j ACCEPT\r\n-A INPUT -i eth1 -j ACCEPT\r\n# \u53ea\u5141\u8bb8\u7b26\u5408\u6761\u4ef6\u7684\u8fde\u63a5\u8fdb\u884c\u4f20\u8f93\u6570\u636e\r\n-A INPUT -p tcp --dport 22 -j ACCEPT\r\n-A INPUT -p tcp --sport 80 -j ACCEPT\r\n-A INPUT -p udp --sport 53 -j ACCEPT\r\n-A INPUT -p udp --sport 123 -j ACCEPT\r\n# \u51fa\u53bb\u7684\u5305\u90fd\u4e0d\u9650\u5236\r\n-A OUTPUT -p tcp -j ACCEPT\r\n-A OUTPUT -p udp -j ACCEPT\r\n# \u8f93\u5165\u548c\u8f6c\u53d1\u7684\u5305\u4e0d\u7b26\u5408\u89c4\u5219\u7684\u5168\u62e6\u622a\r\n-A INPUT -j REJECT --reject-with icmp-host-prohibited\r\n-A FORWARD -j REJECT --reject-with icmp-host-prohibited\r\nCOMMIT\r\n<\/pre>\n<\/div>\n
\u6548\u679c\u5982\u4e0b\u56fe\uff1a<\/p>\n
\"\"<\/a><\/p>\n
\u56db\u3001\u5220\u9664\u8fde\u63a5\u8ddf\u8e2a\u6a21\u5757`lsmod | grep nf_conntrack`\uff0c\u4e0d\u4f7f\u7528\u8fde\u63a5\u72b6\u6001\u7684\u8ddf\u8e2a\u529f\u80fd\u3002<\/p>\n
1\u3001\u5220\u9664nf_conntrack\u548c\u76f8\u5173\u7684\u4f9d\u8d56\u6a21\u5757\uff0c\u793a\u4f8b\uff1a<\/p>\n
\n
rmmod nf_conntrack_ipv4\u00a0\r\nrmmod nf_conntrack_ipv6\u00a0\r\nrmmod xt_state\u00a0\r\nrmmod xt_CT\u00a0\r\nrmmod xt_conntrack\u00a0\r\nrmmod iptable_nat\u00a0\r\nrmmod ipt_REDIRECT\u00a0\r\nrmmod nf_nat\u00a0\r\nrmmod nf_conntrack\r\n<\/pre>\n<\/div>\n
2\u3001\u7981\u7528\u8ddf\u8e2a\u6a21\u5757\uff0c\u628a\u5b83\u52a0\u5230\u9ed1\u540d\u5355\uff08\/etc\/modprobe.d\/blacklist.conf \uff09\uff1a<\/p>\n
\n
# \u7981\u7528 nf_conntrack \u6a21\u5757\u00a0\r\nblacklist nf_conntrack\u00a0\r\nblacklist nf_conntrack_ipv6\u00a0\r\nblacklist xt_conntrack\u00a0\r\nblacklist nf_conntrack_ftp\u00a0\r\nblacklist xt_state\u00a0\r\nblacklist iptable_nat\u00a0\r\nblacklist ipt_REDIRECT\u00a0\r\nblacklist nf_nat\u00a0\r\nblacklist nf_conntrack_ipv4\r\n<\/pre>\n<\/div>\n
3\u3001\u53bb\u6389\u9632\u706b\u5899\u91cc\u6240\u6709\u548c\u72b6\u6001\u76f8\u5173\u7684\u914d\u7f6e\uff08\u6bd4\u5982state\u72b6\u6001\uff0cNAT\u529f\u80fd\uff09\uff0c\u793a\u4f8b\uff1a<\/p>\n
\n
*filter\u00a0\r\n# \u5141\u8bb8ping\u00a0\r\n-A INPUT -p icmp -j ACCEPT\u00a0\r\n# \u5bf9\u672c\u5730\u56de\u8def\u548c\u7b2c2\u5f20\u7f51\u5361\u653e\u884c\u00a0\r\n-A INPUT -i lo -j ACCEPT\u00a0\r\n-A INPUT -i eth1 -j ACCEPT\u00a0\r\n# \u5bf9\u7aef\u53e3\u653e\u884c\u00a0\r\n-A INPUT -p tcp --dport 1331 -j ACCEPT\u00a0\r\n# \u5bf9IP\u653e\u884c\u00a0\r\n-A INPUT -s 192.168.10.31 -j ACCEPT\r\n\u00a0\r\n#\u5141\u8bb8\u672c\u673a\u8fdb\u884cDNS\u67e5\u8be2\r\n\u00a0\r\n-A INPUT -p udp --sport 53 -j ACCEPT\r\n-A OUTPUT -p udp -j ACCEPT\r\n-A INPUT -j REJECT --reject-with icmp-host-prohibited\u00a0\r\n-A FORWARD -j REJECT --reject-with icmp-host-prohibited\u00a0\r\nCOMMIT<\/pre>\n<\/div>\n
\u53e6\u5916\uff0c\u9632\u706b\u5899\u7684\u914d\u7f6e\u6587\u4ef6\u6700\u597d\u4e5f\u6539\u4e0b\uff0c\u4e0d\u8981\u52a0\u8f7d\u4efb\u4f55\u989d\u5916\u6a21\u5757\uff08\/etc\/sysconfig\/iptables-config\uff09\uff1a<\/p>\n
\n
IPTABLES_MODULES="" # \u4e0d\u9700\u8981\u4efb\u4f55\u9644\u52a0\u6a21\u5757\r\nIPTABLES_MODULES_UNLOAD="no" # \u907f\u514diptables\u91cd\u542f\u540esysctl\u4e2d\u5bf9\u5e94\u7684\u53c2\u6570\u88ab\u91cd\u7f6e\u4e3a\u7cfb\u7edf\u9ed8\u8ba4\u503c\r\nIPTABLES_SAVE_ON_STOP="no"\r\nIPTABLES_SAVE_ON_RESTART="no"\r\nIPTABLES_SAVE_COUNTER="no"\r\nIPTABLES_STATUS_NUMERIC="yes"\r\nIPTABLES_STATUS_VERBOSE="no"\r\nIPTABLES_STATUS_LINENUMBERS="no"\r\n<\/pre>\n<\/div>\n
\u5f80\u5f80\u6211\u4eec\u5bf9\u8fde\u63a5\u7684\u8ddf\u8e2a\u90fd\u662f\u57fa\u4e8e\u64cd\u4f5c\u7cfb\u7edf\u7684\uff08netstat \/ ss \uff09\uff0c\u9632\u706b\u5899\u7684\u8fde\u63a5\u72b6\u6001\u5b8c\u5168\u662f\u5b83\u81ea\u8eab\u5b9e\u73b0\u4ea7\u751f\u7684\u3002<\/p>\n
\u603b\u7ed3\uff1a\u9632\u706b\u5899\u6709\u6761\u4ef6\u8fd8\u662f\u4ea4\u7ed9\u4e0a\u5c42\u8bbe\u5907\u5b8c\u6210\u4f1a\u66f4\u597d\uff0c\u4f7f\u7528\u9632\u706b\u5899\u4e00\u5b9a\u8981\u505a\u8c03\u4f18\uff1b\u5982\u679c\u4e0d\u9700\u8981\u9632\u706b\u5899\u7684\u8ddf\u8e2a\u529f\u80fd\uff0c\u89c4\u5219\u7b80\u5355\u7684\u53ef\u4ee5\u5f00\u542fNOTRACK\u9009\u9879\uff0c\u6761\u4ef6\u5141\u8bb8\u7684\u60c5\u51b5\u4e0b\u5c31\u5220\u9664\u5b83\u5427\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
\u539f\u6587\u51fa\u5904\uff1ahttp:\/\/my.oschina.net\/kisops\/blog\/1 …<\/p>\n
\u7ee7\u7eed\u9605\u8bfb »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,82],"tags":[],"class_list":["post-652","post","type-post","status-publish","format-standard","hentry","category-linux","category-82"],"_links":{"self":[{"href":"https:\/\/www.sulabs.net\/index.php?rest_route=\/wp\/v2\/posts\/652","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sulabs.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sulabs.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sulabs.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sulabs.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=652"}],"version-history":[{"count":1,"href":"https:\/\/www.sulabs.net\/index.php?rest_route=\/wp\/v2\/posts\/652\/revisions"}],"predecessor-version":[{"id":653,"href":"https:\/\/www.sulabs.net\/index.php?rest_route=\/wp\/v2\/posts\/652\/revisions\/653"}],"wp:attachment":[{"href":"https:\/\/www.sulabs.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=652"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sulabs.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=652"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sulabs.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=652"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}