[Firehol-support] Disable ip_conntrack table

Carlos Rodrigues carlos.efr at mail.telepac.pt
Sat Dec 15 13:53:28 GMT 2007


On Dec 14, 2007 8:47 PM, Costa Tsaousis <costa at tsaousis.gr> wrote:
>
> Sim wrote:
> > Hi!
> > I have this simple config with 2 ethernet.
> > There isn't NAT from eth0 to eth1 and from eth1 to eth0, or rules from
> > two ethernet, but my ip_conntrack show this:
> >
> > # cat /proc/net/ip_conntrack | wc -l
> > 18222
> >
> >
> > I'm afraid for future! Can I disable policy from two ethernet and use
> > my linux box as router without limits and with security only for
> > service over it?
> >
> > Thanks!
> > Sim
> >
> > ################################################################
> > interface eth0 wan
> >
> >         # The default policy is DROP. You can be more polite with REJECT.
> >         policy drop
> >
> >         protection strong
> >
> >         # Here are the services listening on bond0.
> >         server ping accept
> >         server "http" accept src "x.x.x.x"
> >
> >         # The following means that this machine can REQUEST anything via bond0.
> >         client all accept
> >
> >
> > interface eth1 lan
> >
> >         # The default policy is DROP. You can be more polite with REJECT.
> >         policy drop
> >
> >         # > protection strong
> >
> >         # Here are the services listening on bond1.
> >         server ping accept
> >         server http accept
> >         server "ssh" accept src "x.y.x.y"
> >
> >         # The following means that this machine can REQUEST anything via bond1.
> >         client all accept
> >
> > ############################################################################################
> >
> > router wan2lan inface eth0 outface eth1
> >
> >         route all accept
> >
> >
> > router lan2wan inface eth1 outface eth0
> >
> >         route all accept
> >
> Sim,
>
> /proc/net/ip_conntrack shows all the connections registered in the
> iptables connection tracker. Depending on the services you offer, the
> number of 18,000 entries in that list may be too small or too big.
>
> You can increase the upper limit by running:
>
> sysctl -w net.nf_conntrack_max=1048576

To avoid a performance hit, you should also increase the number of
hash buckets when you increase the number of maximum tracked
connections.

In Debian I create a file in the /etc/modprobe.d directory with this:

# hashsize is a module parameter, so it must be given at load time;
# the maximum is a sysctl, so the install line sets it right after loading.
options ip_conntrack hashsize=65536
install ip_conntrack /sbin/modprobe --ignore-install ip_conntrack; \
        sysctl -q -w net/ipv4/netfilter/ip_conntrack_max=65536

This sets the same number of buckets as the maximum number of
connections for maximum performance, but you can have the maximum
number be twice the number of buckets and still see no significant
performance degradation.

Just remember that increasing the number of buckets increases the
fixed amount of memory used by the ip_conntrack module (the above
setting eats up about 16 MB).

If (after a reboot/reload of ip_conntrack) you still see the default
value in /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets, you may
need to forcibly load the module before FireHOL starts (in Debian I do
this by putting "ip_conntrack" in /etc/modules). I had to do this
once, but I don't think it is needed anymore; I'm not sure.

-- 
Carlos Rodrigues
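The two settings discussed above (the connection maximum and the hash bucket count) have to move together, and the thread gives the rule of thumb but no tooling. The script below is an added example, not code from the thread, from FireHOL or from the kernel: it derives a bucket count for a chosen maximum and ratio, checks the 2:1 rule of thumb, estimates the memory involved, prints the modprobe.d stanza for either the old ip_conntrack module or nf_conntrack, and reads the live values from /proc when a module is loaded. The function names, the 2:1 check, and the two byte constants used for the memory estimate are this example's own assumptions, not kernel figures.

```shell
#!/bin/sh
# Added example, not code from the thread or from FireHOL: size the
# connection-tracking maximum and its hash buckets together, estimate
# the memory involved, and print the modprobe.d lines that apply them.
# Everything is computed from arguments, so it runs without root and
# without the conntrack module loaded. The two byte constants are
# assumptions used only for the estimate; check them against your kernel.

BYTES_PER_BUCKET=8    # assumed: one pointer per hash bucket on a 64-bit kernel
BYTES_PER_ENTRY=320   # assumed: rough size of one tracked connection

# buckets_for MAX RATIO: number of hash buckets so that MAX/BUCKETS does not
# exceed RATIO. RATIO=1 is the 1:1 setting from the message above, RATIO=2
# the largest ratio it reports as still performing acceptably.
buckets_for() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# chain_ratio MAX BUCKETS: average chain length once the table is full,
# rounded up. Lookups walk a chain, so this is the number to keep small.
chain_ratio() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# check_sizing MAX BUCKETS: succeed when MAX <= 2 * BUCKETS, the 2:1 rule of
# thumb from the message; fail otherwise so a deploy script can stop.
check_sizing() {
    [ "$1" -le $(( 2 * $2 )) ]
}

# bucket_array_kb BUCKETS: fixed memory taken by the bucket array, in KiB.
# This is the part that is allocated up front when the module loads.
bucket_array_kb() {
    echo $(( $1 * BYTES_PER_BUCKET / 1024 ))
}

# full_table_kb MAX BUCKETS: rough memory with every slot in use, in KiB
# (entries are allocated as connections appear, so this is the ceiling).
full_table_kb() {
    echo $(( ($1 * BYTES_PER_ENTRY + $2 * BYTES_PER_BUCKET) / 1024 ))
}

# modprobe_conf MODULE SYSCTL_KEY MAX BUCKETS: print a modprobe.d stanza.
# MODULE is ip_conntrack (2.6.x kernels, as in the thread) or nf_conntrack;
# SYSCTL_KEY is the matching *_max sysctl. hashsize is a module parameter,
# so it goes on the options line; the maximum is a sysctl, so the install
# line loads the module and sets it in one step.
modprobe_conf() {
    printf 'options %s hashsize=%s\n' "$1" "$4"
    printf 'install %s /sbin/modprobe --ignore-install %s; /sbin/sysctl -q -w %s=%s\n' \
        "$1" "$1" "$2" "$3"
}

# live_values: print "MAX BUCKETS" read from /proc, trying the nf_conntrack
# names first and the ip_conntrack names from the thread second. Prints
# "unavailable" (and fails) when no conntrack module is loaded.
live_values() {
    for d in /proc/sys/net/netfilter /proc/sys/net/ipv4/netfilter; do
        for p in nf_conntrack ip_conntrack; do
            if [ -r "$d/${p}_max" ] && [ -r "$d/${p}_buckets" ]; then
                echo "$(cat "$d/${p}_max") $(cat "$d/${p}_buckets")"
                return 0
            fi
        done
    done
    echo unavailable
    return 1
}

# Worked run: the maximum suggested earlier in the thread (1048576), sized
# at a 2:1 ratio, with the stanza for a current nf_conntrack kernel.
max=1048576
buckets=$(buckets_for "$max" 2)
echo "max=$max buckets=$buckets chain=$(chain_ratio "$max" "$buckets")"
echo "bucket array: $(bucket_array_kb "$buckets") KiB, full table about $(full_table_kb "$max" "$buckets") KiB"
check_sizing "$max" "$buckets" && echo "within the 2:1 rule of thumb"
modprobe_conf nf_conntrack net/netfilter/nf_conntrack_max "$max" "$buckets"
echo "live: $(live_values || true)"
```

On a kernel that uses nf_conntrack rather than ip_conntrack, the bucket count can also be changed at run time by writing to /sys/module/nf_conntrack/parameters/hashsize, which avoids the reload mentioned above; compare the output of live_values with the values the script computed to confirm that the options line actually took effect after a reboot.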
