Hi.
The lb service is flapping as hell and I think it can have something to do with iptables and conntrack.
I have lots and lots of these in the syslog.
Sep 29 19:39:10 mapreduce1 kernel: [4256497.364051] printk: 1323 messages suppressed.
Sep 29 19:39:10 mapreduce1 kernel: [4256497.364055] nf_conntrack: table full, dropping packet.
Sep 29 19:39:14 mapreduce1 kernel: [4256501.908943] iptables denied: IN=eth1 OUT= MAC=00:30:48:67:2c:39:00:d0:01:9f:20:00:08:00 SRC=79.102.133.200 DST= 79.136.112.194 LEN=64 TOS=0x00 PREC=0x00 TTL=119 ID=42809 DF PROTO=TCP SPT=2093 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
sysctl -a|grep conntrack
error: permission denied on key 'kernel.sched_nr_migrate'
error: permission denied on key 'net.ipv4.route.flush'
net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
error: permission denied on key 'net.ipv6.route.flush'
net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 300
net.ipv4.netfilter.ip_conntrack_tcp_loose = 1
net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 0
net.ipv4.netfilter.ip_conntrack_tcp_max_retrans = 3
net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
net.ipv4.netfilter.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_count = 65535
net.ipv4.netfilter.ip_conntrack_buckets = 16384
net.ipv4.netfilter.ip_conntrack_checksum = 1
net.ipv4.netfilter.ip_conntrack_log_invalid = 0
net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_max = 65536
net.netfilter.nf_conntrack_count = 65536
net.netfilter.nf_conntrack_buckets = 16384
net.netfilter.nf_conntrack_checksum = 1
net.netfilter.nf_conntrack_log_invalid = 0
net.netfilter.nf_conntrack_expect_max = 256
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_loose = 1
net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_conntrack_icmp_timeout = 30
net.nf_conntrack_max = 65536
Anyone?
Kindly
//Marcus
-- Marcus Herou CTO and co-founder Tailsweep AB +46702561312 marcus.herou#tailsweep.com http://www.tailsweep.com/ http://blogg.tailsweep.com/
Received on 2008/09/29 19:40
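An added example, not part of the original post: a small Python check that reads kernel log lines and `sysctl` output like those in the message above and reports how full the connection-tracking table is. The sample input is constructed from values in the post (the iptables line is abridged); `parse_sysctl`, `conntrack_report` and `warn_ratio` are hypothetical names.

```python
import re

# Constructed sample input, taken from the values quoted in the post above.
SYSLOG = """\
Sep 29 19:39:10 mapreduce1 kernel: [4256497.364051] printk: 1323 messages suppressed.
Sep 29 19:39:10 mapreduce1 kernel: [4256497.364055] nf_conntrack: table full, dropping packet.
Sep 29 19:39:14 mapreduce1 kernel: [4256501.908943] iptables denied: IN=eth1 OUT= SRC=79.102.133.200 PROTO=TCP SPT=2093 DPT=80 SYN
"""
SYSCTL = """\
error: permission denied on key 'net.ipv4.route.flush'
net.netfilter.nf_conntrack_max = 65536
net.netfilter.nf_conntrack_count = 65536
net.netfilter.nf_conntrack_buckets = 16384
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
"""

def parse_sysctl(text):
    """Return {key: int} for 'key = value' lines; stderr noise is skipped."""
    values = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*([\w.]+)\s*=\s*(\d+)\s*", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values

def conntrack_report(syslog, sysctl_text, warn_ratio=0.8):
    """Summarise conntrack pressure; warn_ratio is an assumed alert threshold."""
    s = parse_sysctl(sysctl_text)
    count = s["net.netfilter.nf_conntrack_count"]
    limit = s["net.netfilter.nf_conntrack_max"]
    drop_lines = suppressed = 0
    for line in syslog.splitlines():
        if "nf_conntrack: table full, dropping packet" in line:
            drop_lines += 1
        m = re.search(r"printk: (\d+) messages suppressed", line)
        if m:  # rate-limited kernel messages hide the true number of events
            suppressed += int(m.group(1))
    est = s["net.netfilter.nf_conntrack_tcp_timeout_established"]
    return {
        "ratio": count / limit,
        "full": count >= limit,
        "warn": count / limit >= warn_ratio,
        "drop_lines": drop_lines,
        "suppressed": suppressed,
        "entries_per_bucket": count / s["net.netfilter.nf_conntrack_buckets"],
        "established_timeout_days": est / 86400,
    }

if __name__ == "__main__":
    for key, value in conntrack_report(SYSLOG, SYSCTL).items():
        print(f"{key}: {value}")
```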