Comments:
<0> gug
<1> gug
<2> hello anyone already awake? :)
<3> =)
<2> i've maybe a stupid question, but i can't really find it in iptables man page immediately
<1> ask and maybe someone knows the answer
<2> got here from a description: iptables -A INPUT -p tcp -m tcp --dport 22 -j somechain
<2> what does the -m do?
<2> -m tcp *
<2> i know -m state and -m tos and so on :/
<1> -m tcp is the same as -p tcp
<2> so basically its not needed in the above?
<1> no it isn't
<1> but iptables-save outputs it in that way
<2> ah ok :)
<2> was just wondering :)
<2> cause i like to know what i feed my firewall :p
<1> :)
<4> exit
<5> anyone know a good way to fix problems with conntrack filling up?
<5> i have a linux based natbox thats just getting slaughtered the last few weeks and am trying to fight off a movement to replace it as a result
<5> Mar 6 22:24:25 resnet-core kernel: ip_conntrack: table full, dropping packet.
<5> its a 3.2ghz xeon HT with dual gig fiber nics pushing about 30-55Mb/sec of traffic
<6> macjunkie: yeah you can up the limit... looking ...
<5> cat /proc/sys/net/ipv4/ip_conntrack_max
<5> 65536
<6> macjunkie: you really have 65536 connections to track? That's -alot-.
<5> yea have about 2500 users behind it
<5> i had already upped it once from the default
<7> macjunkie: if you have 2.6.14+, you can use conntrack userspace too to remove entries, but I don't know if that would help at all
<5> yea i have 2.6.14 right now
<7> there's really that many connections? could you decrease timeouts to lower the number?
<6> macjunkie: you can up it more but I would be investigating why you have so many connections to track. I would be suspicious of misconfiguration elsewhere in the network.
<5> yeah its doing nat for our reshall users and a 1200 user cablemodem network
<5> yeah i'm curious too
<5> theres a packetshaper behind it on the inside of the net
<5> thats limiting p2p and other fun crap
<5> i'm doing flows off that
<5> and seeing the majority of our traffic being cl***'d at http
<5> er as
<6> macjunkie: We had a similar issue where a cisco pix was barfing over too many connections, it turned out to be a hacked windows box that was flooding connections.
<5> yeah wouldn't surprise me if we had a few of those since like i said we have 2,500 students behind that box
<6> The idea of 'lots of bittorent' running strikes me. I like danieldb's idea of decreasing the timeout.
<5> yeah sounds reasonable
<6> Have you dumped the conntrack table to see what the heck they all are?
<5> nope <dumb question> how would I do that?
<7> cat /proc/net/ip_conntrack iirc
<6> cat /proc/net/ip_conntrack
<6> Yeah, like he said :)
<6> Hows your perl skills :) 65535 is a lot of lines of text to 'look at' :)
<5> my co-worker owns me at perl :)
<5> looks like a lot of netbios crap
<5> tcp 6 94 SYN_SENT src=10.11.7.114 dst=10.0.49.180 sport=3285 dport=135 packets=33 bytes=1584 [UNREPLIED] src=10.0.49.180 dst=10.11.7.114 sport=135 dport=3285 packets=0 bytes=0 mark=0 use=1
<6> Hmm, and you probably don't care to forward netbios anyway eh?
<5> and yeah a ton of unreplied packets
<5> no
<7> if you don't need to forward that, drop it in the raw table
<5> in fact i thought i was blocking it on our packetshaper
<5> majority of stuff is unreplied packets
<5> so yea sounds like the timeout would probably make it much happier
<6> so dropping the timeout would help as well.
<5> so i really have to recompile ip_conntrack to set that?
<5> just did a google search on setting it
<7> I think there's a setting in /proc/sys somewhere
<5> yea looks like it
<5> just found this
<5> http://ipsysctl-tutorial.frozentux.net/chunkyhtml/netfilterreference.html
<5> ip_conntrack_udp_timeout
<5> is set to 30
<8> can someone help me
<8> with atftpd