The ip_conntrack module used by iptables keeps a connection tracking table (the conntrack table) in a portion of system memory. The size of this table is set when the ip_conntrack module is loaded and is usually computed automatically from the amount of installed RAM. For example, a system with 256MB of RAM will typically get a conntrack table of 8192 entries by default.
If you see the message "ip_conntrack: table full, dropping packet." in the system's logs, the table is full and packets traversing the system's firewall are being dropped.
To increase the maximum value, first install the kernel-devel package on the system, then reboot the server.
# yum install kernel-devel
# reboot
Now, check to see what the current maximum is set to.
# cat /proc/sys/net/ipv4/ip_conntrack_max
65536
You can now use echo to raise this number. Doubling the existing value is usually good practice.
# echo 131072 > /proc/sys/net/ipv4/ip_conntrack_max
Check that the ip_conntrack table is now growing beyond the old limit: the current entry count should be able to exceed the previous maximum.
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
65750
Because this write only changes the running kernel, the value reverts to the default on reboot. To make the change permanent, add the setting to /etc/sysctl.conf, together with a comment of your choice.
# echo "net.ipv4.ip_conntrack_max = 131072" >> /etc/sysctl.conf
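Added example, not part of the original article or of the Red Hat material it draws on: a POSIX shell script that counts "table full, dropping packet" events in a constructed log sample, reads the live maximum and current count from whichever conntrack proc file exists (the ip_conntrack paths used above, or the newer nf_conntrack ones), flags the table when usage is at or above 90%, and prints the doubled value and the sysctl.conf entry that persists it. The 90% threshold, the function names and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: a defender-side check for conntrack
# table pressure. Threshold, sample log and function names are assumptions; the /proc
# paths are those of ip_conntrack (as in the article) and its successor nf_conntrack.

# Return 0 (true) when count/max is at or above threshold percent.
conntrack_usage_high() {
    count=$1; max=$2; threshold=$3
    [ $((count * 100)) -ge $((max * threshold)) ]
}
# Suggested new maximum: double the current value, as the article recommends.
conntrack_suggest_max() { echo $(( $1 * 2 )); }
# Count "table full, dropping packet" events in log text read from stdin.
conntrack_drop_events() { grep -c 'conntrack: table full, dropping packet' || true; }
# The sysctl.conf entry that makes a raised maximum survive a reboot.
conntrack_sysctl_entry() {
    printf '# raised after "table full" drops\nnet.ipv4.ip_conntrack_max = %s\n' "$1"
}
# Read the live max or count from whichever proc file exists; fail if none does.
conntrack_read() {
    for p in /proc/sys/net/ipv4/ip_conntrack_$1 \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_$1 \
             /proc/sys/net/netfilter/nf_conntrack_$1; do
        [ -r "$p" ] && { cat "$p"; return 0; }
    done
    return 1
}

# Constructed sample log (not real output) containing two drop events.
SAMPLE_LOG='Jan  1 00:00:01 fw kernel: ip_conntrack: table full, dropping packet.
Jan  1 00:00:02 fw kernel: eth0: link up
Jan  1 00:00:03 fw kernel: ip_conntrack: table full, dropping packet.'
echo "drop events in sample log: $(printf '%s\n' "$SAMPLE_LOG" | conntrack_drop_events)"

if max=$(conntrack_read max) && count=$(conntrack_read count); then
    if conntrack_usage_high "$count" "$max" 90; then
        echo "table at $count/$max; suggested max $(conntrack_suggest_max "$max")"
        conntrack_sysctl_entry "$(conntrack_suggest_max "$max")"
    else
        echo "table at $count/$max: ok"
    fi
else
    echo "no conntrack proc entries readable on this host"
fi
```

Run it from cron or a monitoring agent and alert on a non-zero drop count; the sysctl entry it prints is the same line the article appends by hand.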
Some information taken from the Red Hat Knowledgebase.