Problem: ip_conntrack table full in CentOS

[[email protected] ~]# cat /var/log/messages
kernel: printk: 125 messages suppressed.
kernel: ip_conntrack: CT 0: table full, dropping packet.
kernel: printk: 99 messages suppressed.
kernel: ip_conntrack: CT 0: table full, dropping packet.
kernel: printk: 94 messages suppressed.
...
[[email protected] ~]#

# Check the maximum size of the ip_conntrack table

[[email protected] ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
65536
[[email protected] ~]#

or

[[email protected] ~]# sysctl net.ipv4.netfilter.ip_conntrack_max
net.ipv4.netfilter.ip_conntrack_max = 65536
[[email protected] ~]# 

# Check how many entries the ip_conntrack table currently holds

[[email protected] ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
65536
[[email protected] ~]#

or

[[email protected] ~]# wc -l /proc/net/ip_conntrack
65536 /proc/net/ip_conntrack
[[email protected] ~]# 

Solutions: 1. Raise ip_conntrack_max / 2. Disable tracking with iptables

1. Raise ip_conntrack_max

[[email protected] ~]# sysctl -w net.ipv4.netfilter.ip_conntrack_max=131072
net.ipv4.netfilter.ip_conntrack_max = 131072
[[email protected] ~]#

or, to keep the new value across reboots (sysctl -w alone is lost at reboot):

[[email protected] ~]# sysctl -w net.ipv4.netfilter.ip_conntrack_max=131072
net.ipv4.netfilter.ip_conntrack_max = 131072
[[email protected] ~]# echo "net.ipv4.netfilter.ip_conntrack_max = 131072" >> /etc/sysctl.conf
[[email protected] ~]# /sbin/sysctl -p

*If you try this and find that ip_conntrack_max is back to the default value after a reboot, it is because sysctl -p runs at boot before the ip_conntrack module has been loaded, so the key does not exist yet. Add the following to /etc/rc.local, which runs late in the boot sequence:

# ip_conntrack is loaded by the time rc.local runs, so the key can be set now
# (use the same value chosen in step 1; the earlier echo into /etc/sysctl.conf
# must not be repeated here or it is appended again on every boot)
/sbin/sysctl -w net.ipv4.netfilter.ip_conntrack_max=131072

2. Disable tracking with iptables

Note that these two rules exempt all traffic from connection tracking, so any stateful rules (-m state / -m conntrack) and NAT stop working for that traffic; in practice, restrict NOTRACK to the high-volume flows that do not need stateful filtering.

iptables -t raw -A PREROUTING -j NOTRACK
iptables -t raw -A OUTPUT -j NOTRACK
# persist the rules to /etc/sysconfig/iptables
service iptables save

Then check ip_conntrack_count again.
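A small monitoring check that watches the table before the kernel starts dropping packets, added here as an example (not part of the original post). It assumes an 80% warning threshold and uses the ip_conntrack paths shown above, with the nf_conntrack paths of newer kernels as a fallback.

```shell
#!/bin/sh
# Added example: warn when the conntrack table is close to full.
# Assumption: 80% usage is the default warning threshold.

# Print the contents of the first readable path; return 1 if none exists.
read_first() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    return 1
}

# Integer percentage of the table in use: count * 100 / max.
usage_pct() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Classify usage. Exit status: 0 = ok, 1 = warning (>= threshold), 2 = table full.
# Usage: check_conntrack COUNT MAX [THRESHOLD]
check_conntrack() {
    count=$1
    max=$2
    threshold=${3:-80}
    if [ "$count" -ge "$max" ]; then
        echo "CRITICAL: conntrack table full ($count/$max); kernel is dropping packets"
        return 2
    fi
    pct=$(usage_pct "$count" "$max")
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: conntrack table at ${pct}% ($count/$max)"
        return 1
    fi
    echo "OK: conntrack table at ${pct}% ($count/$max)"
    return 0
}

# Live check on the running host; ip_conntrack paths are from the post, nf_conntrack is the newer name.
main() {
    max=$(read_first /proc/sys/net/ipv4/netfilter/ip_conntrack_max /proc/sys/net/netfilter/nf_conntrack_max) \
        || { echo "conntrack module not loaded"; return 3; }
    count=$(read_first /proc/sys/net/ipv4/netfilter/ip_conntrack_count /proc/sys/net/netfilter/nf_conntrack_count) \
        || { echo "conntrack module not loaded"; return 3; }
    check_conntrack "$count" "$max" "${1:-80}"
}

# Run the live check only when invoked with --run, e.g. from cron: sh conntrack_check.sh --run 90
if [ "${1:-}" = "--run" ]; then main "${2:-80}"; fi
```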
