Archive for the “Firewalls” Category

Recently, I encountered a server with intermittent connection problems. Looking in /var/log/messages, I found the following message scrolling past repeatedly:

ip_conntrack: table full, dropping packet

A quick Google search revealed that the server keeps track of connections through a kernel module called ‘ip_conntrack’. Basically, this module tracks the number of connections and, if there are too many, starts dropping new connection attempts. If you manage to get onto the console of your box, you can check whether the table is full by running the following:

# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
8192

Next check to see what the maximum number of connections is set to by running the following:

# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
8192

ip_conntrack_max is set to the total MB of RAM installed multiplied by 16, so in this example we only have 512M of memory. To fix this issue, you merely have to raise the limit, which you can do with the following command:

# sysctl net.ipv4.netfilter.ip_conntrack_max=65535

Of course, if you reboot the system, the max will be reset to what it was before. To make the change permanent you will need to add it to /etc/sysctl.conf.
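As an added example (not part of the original post), here is a small POSIX shell check that compares the current count against the maximum and warns before the table fills, so you catch this before packets start being dropped. It assumes the /proc paths shown above for older kernels and the nf_conntrack_* paths that newer kernels expose instead; the 80% warning threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from the original post: report how full the connection
# tracking table is. Older kernels use ip_conntrack_* under /proc/sys/net/ipv4,
# newer ones nf_conntrack_* under /proc/sys/net/netfilter (paths assumed).

# Print the first readable file among the arguments; fail if none exists.
first_existing() {
  for f in "$@"; do
    [ -r "$f" ] && { printf '%s\n' "$f"; return 0; }
  done
  return 1
}

# Usage: conntrack_check COUNT MAX [THRESHOLD_PCT]
# Prints the table utilisation in percent and returns non-zero once it is
# at or above the threshold (default 80%), so it can drive an alert.
conntrack_check() {
  count=$1
  max=$2
  threshold=${3:-80}
  [ "$max" -gt 0 ] 2>/dev/null || { echo "conntrack_check: invalid max '$max'" >&2; return 2; }
  pct=$(( count * 100 / max ))
  printf '%s\n' "$pct"
  [ "$pct" -lt "$threshold" ]
}

# Usage: conntrack_live [THRESHOLD_PCT]
# Reads the live values from /proc and hands them to conntrack_check.
conntrack_live() {
  cf=$(first_existing /proc/sys/net/netfilter/nf_conntrack_count \
                      /proc/sys/net/ipv4/netfilter/ip_conntrack_count) \
    || { echo "conntrack_live: no conntrack count file found" >&2; return 2; }
  mf=$(first_existing /proc/sys/net/netfilter/nf_conntrack_max \
                      /proc/sys/net/ipv4/netfilter/ip_conntrack_max) \
    || { echo "conntrack_live: no conntrack max file found" >&2; return 2; }
  conntrack_check "$(cat "$cf")" "$(cat "$mf")" "$1"
}

# Example from the post: 8192 of 8192 in use, i.e. 100% and already dropping.
# conntrack_check 8192 8192   -> prints 100, returns 1
```

Run `conntrack_live` from cron or a monitoring check; a non-zero exit means the table is close to the "table full, dropping packet" condition. The permanent fix from the post is the matching line in /etc/sysctl.conf, `net.ipv4.netfilter.ip_conntrack_max = 65535` (or the nf_conntrack equivalent on newer kernels).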


If you are using SSH then sooner or later you will notice someone trying to hack into your box using dictionary attacks. You can use the iptables module recent to enforce a minimum time between new connections from the same IP.

To make this work, you should have this commonly used rule (this allows previously established connections and is a normal rule in most firewalls):

iptables -A INPUT -j ACCEPT -p tcp ! --syn -s 0/0 -d (outer ip/net)

Now, to set the limit:

iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT

These two rules make iptables require 15 seconds between new connections from the same IP on port 22 (the SSH port). Use ACCEPT instead if you are using a firewall that has its own rule for accepting ssh.

Another way of limiting dictionary attacks is to use -m limit --limit, like this:

iptables -A INPUT -p tcp --dport ssh -m limit --limit 3/minute --limit-burst 2 -j ACCEPT

This rule does the trick of setting a limit of 3 connections per minute, but the first two connections will exhaust the limit-burst, so the rule effectively limits the connection attempt rate to 1/minute.

One final example:

iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH --rsource -j DROP
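Both the 15-second rule pair above and this final --hitcount rule keep their state in a "recent" list that the kernel exposes read-only under /proc/net/xt_recent/NAME (the list is called DEFAULT when --name is omitted, and the directory is ipt_recent on older kernels). The following added example, which is not from the original post or from linuxreviews.org, parses that list so you can see which sources have accumulated enough hits to be dropped. The sample list content is constructed to match the kernel's line format; the path and list name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: read the xt_recent list that the
# "-m recent --name SSH" rules maintain and report sources that have reached
# the --hitcount threshold. Each kernel line looks like
#   src=A.B.C.D ttl: N last_seen: J oldest_pkt: I J1, J2, ...
# where every trailing number is the jiffies timestamp of one tracked packet.

# Constructed sample list (documentation addresses, not real traffic).
SAMPLE_RECENT='src=192.0.2.10 ttl: 64 last_seen: 4295012345 oldest_pkt: 5 4295012345, 4295012100, 4295011900, 4295011700, 4295011500
src=198.51.100.7 ttl: 53 last_seen: 4295012000 oldest_pkt: 2 4295012000, 4295011000
src=203.0.113.9 ttl: 64 last_seen: 4295009000 oldest_pkt: 1 4295009000'

# Usage: recent_offenders LIST_TEXT [HITCOUNT]
# Prints "source count" for every entry with at least HITCOUNT (default 5)
# tracked packets, i.e. the sources the --hitcount 5 rule is currently dropping.
recent_offenders() {
  hitcount=${2:-5}
  printf '%s\n' "$1" | awk -v hc="$hitcount" '
    /^src=/ {
      ip = substr($1, 5)
      n = 0
      # the timestamps are the fields after "oldest_pkt: I"; count them
      for (i = 1; i <= NF; i++)
        if ($i == "oldest_pkt:") n = NF - i - 1
      if (n >= hc) print ip, n
    }'
}

# Usage: recent_live [LIST_NAME] [HITCOUNT]
# Reads the live list from /proc (path assumed) and reports offenders.
recent_live() {
  f=/proc/net/xt_recent/${1:-SSH}
  [ -r "$f" ] || { echo "recent_live: no recent list at $f" >&2; return 2; }
  recent_offenders "$(cat "$f")" "$2"
}

# With the sample above and the post's --hitcount 5 only 192.0.2.10 qualifies:
# recent_offenders "$SAMPLE_RECENT" 5   -> "192.0.2.10 5"
```

The count per source is what --hitcount compares against within the --seconds window, so watching this list is a quick way to confirm the rule is actually engaging on a noisy host before trusting it in production. Note that the list only records new-connection hits the rules saw; it is not a log of successful or failed logins, which still live in the SSH daemon's own auth log.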

http://en.linuxreviews.org/Iptables_tips_and_tricks
