The system log /var/log/messages shows the following:
Jan 31 16:46:41 ahmobileblivemedia02 kernel: nf_conntrack: table full, dropping packet.
Jan 31 16:46:41 ahmobileblivemedia02 kernel: nf_conntrack: table full, dropping packet.
Jan 31 16:46:41 ahmobileblivemedia02 kernel: nf_conntrack: table full, dropping packet.
Jan 31 16:46:41 ahmobileblivemedia02 kernel: nf_conntrack: table full, dropping packet.
Jan 31 16:46:41 ahmobileblivemedia02 kernel: nf_conntrack: table full, dropping packet.
Check the kernel parameters; nf_conntrack_max turns out to be set too low:
sysctl -a | grep nf_conntrack_max
net.netfilter.nf_conntrack_max = 65536
net.nf_conntrack_max = 65536
The number of entries currently in use is in net.netfilter.nf_conntrack_count (/proc/sys/net/netfilter/nf_conntrack_count); when it reaches nf_conntrack_max the kernel starts dropping new connections with the message above.
Edit /etc/sysctl.conf and add the following:
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
# The following are optional
#net.ipv4.tcp_tw_reuse = 1
#net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_timestamps = 1
#net.ipv4.tcp_syncookies = 1
Once added, run sysctl -p to apply.
Notes: the original post spelled the established-timeout key as net.netfilter.ip_conntrack_tcp_timeout_established; that key does not exist under net.netfilter (sysctl -p reports it as unknown), so the nf_conntrack_ form above is the one to use. The established timeout is the setting that actually frees entries: its kernel default is 432000 seconds (5 days), whereas 60/120/120 are already the defaults for close_wait, fin_wait and time_wait. A max of 25,000,000 is very large: each conntrack entry costs a few hundred bytes, so a full table at that size uses several GiB of kernel memory; size it to the host's RAM, and raise the hash bucket count as well (/sys/module/nf_conntrack/parameters/hashsize, or the nf_conntrack module option hashsize, persisted under /etc/modprobe.d), since the kernel's own default is nf_conntrack_max = 4 * buckets and a max raised on its own just lengthens the hash chains. Leave tcp_tw_recycle commented out: it breaks clients behind NAT and was removed from the kernel in Linux 4.12.
When the settings do not take effect
Restarting the firewall undoes the /etc/sysctl.conf settings: the iptables service unloads the nf_conntrack module on stop/restart, and when the module is loaded again its sysctls come back at their defaults.
If sysctl -a | grep nf_conntrack_max shows a value that does not match /etc/sysctl.conf, sysctl -p was not re-run after the iptables restart. In that case just run sysctl -p again; /etc/sysctl.conf itself does not need to change.
# Make the iptables service reload the sysctl values on restart
sed -i "s/#IPTABLES_SYSCTL_LOAD_LIST/IPTABLES_SYSCTL_LOAD_LIST/g" /etc/sysconfig/iptables-config
Caveat: the sed only uncomments the IPTABLES_SYSCTL_LOAD_LIST line. On RHEL/CentOS 6 the iptables init script greps each item in that list out of /etc/sysctl.conf and feeds the matching lines to sysctl -p, so the list has to name the keys (a pattern such as .nf_conntrack matches all of them); an empty list reloads nothing, so check the resulting line. An alternative is IPTABLES_MODULES_UNLOAD="no" in the same file, which keeps the module, and with it the sysctl values, loaded across the restart.
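As an added example (not code from the original post), the following POSIX shell script packages the checks implied above: the table-usage percentage from nf_conntrack_count against nf_conntrack_max, a rough memory estimate and matching hash-bucket count for a candidate max, a count of the "table full" kernel messages in a log, and a comparison of /etc/sysctl.conf values against live sysctl output to catch the post-restart mismatch. The 300-bytes-per-entry figure and the 80% warning threshold are assumptions, and the sample log, config and live-value lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: sizing, monitoring and
# persistence checks for the nf_conntrack table. POSIX sh + awk only, so it
# runs on a CentOS 6 host as well as a current one. The per-entry memory
# figure and the 80% warning threshold are assumptions, marked below.

# Percentage of the table in use. Live values come from
# /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max; they are
# passed in as arguments so the arithmetic can be checked against fixed numbers.
conntrack_usage_pct() {
    awk -v c="$1" -v m="$2" 'BEGIN { printf "%d\n", (c * 100) / m }'
}

# Rough memory cost of a given nf_conntrack_max, in MiB.
# Assumption: about 300 bytes per entry (struct nf_conn plus extensions); the
# exact size depends on the kernel build, so treat this as an estimate.
conntrack_mem_mib() {
    awk -v m="$1" 'BEGIN { printf "%d\n", (m * 300) / (1024 * 1024) }'
}

# Hash bucket count to go with a given max. The kernel's own default is
# nf_conntrack_max = 4 * nf_conntrack_buckets, so a max raised without
# touching /sys/module/nf_conntrack/parameters/hashsize leaves long chains.
conntrack_buckets_for() {
    awk -v m="$1" 'BEGIN { printf "%d\n", m / 4 }'
}

# Count the "table full" kernel message from the post in a log stream on stdin.
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Compare an /etc/sysctl.conf-style text ($1) with a `sysctl -a`-style dump
# ($2) and print every key whose live value differs from the configured one,
# the symptom the post describes after an iptables restart.
sysctl_mismatches() {
    { printf 'CONF\n%s\nLIVE\n%s\n' "$1" "$2"; } | awk -F'=' '
        /^CONF$/ { mode = "c"; next }
        /^LIVE$/ { mode = "l"; next }
        /^[ \t]*#/ || NF < 2 { next }
        {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (mode == "c") want[k] = v
            else if (k in want && want[k] != v)
                print k " configured=" want[k] " live=" v
        }'
}

# Live check on the running host; prints a warning when usage is high.
# Assumption: 80% is the point at which to raise nf_conntrack_max.
check_live() {
    d=/proc/sys/net/netfilter
    [ -r "$d/nf_conntrack_count" ] || { echo "nf_conntrack not loaded"; return 0; }
    count=$(cat "$d/nf_conntrack_count")
    max=$(cat "$d/nf_conntrack_max")
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "conntrack: $count/$max ($pct%), ~$(conntrack_mem_mib "$max") MiB at max"
    [ "$pct" -ge 80 ] && echo "WARNING: conntrack table above 80%"
    return 0
}

# Constructed sample input (not real logs): two of the post's error lines plus
# an unrelated line, and a config/live pair where one value was not applied.
SAMPLE_LOG='Jan 31 16:46:41 host kernel: nf_conntrack: table full, dropping packet.
Jan 31 16:46:41 host kernel: nf_conntrack: table full, dropping packet.
Jan 31 16:46:42 host sshd[1234]: Accepted publickey for admin'
SAMPLE_CONF='net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 3600'
SAMPLE_LIVE='net.nf_conntrack_max = 65536
net.netfilter.nf_conntrack_tcp_timeout_established = 3600'

echo "table-full messages: $(printf '%s\n' "$SAMPLE_LOG" | count_table_full)"
echo "buckets for 25000000: $(conntrack_buckets_for 25000000)"
sysctl_mismatches "$SAMPLE_CONF" "$SAMPLE_LIVE"
check_live
```

On a real host, feed sysctl_mismatches with the actual files, for example "$(cat /etc/sysctl.conf)" and "$(sysctl -a 2>/dev/null)", after an iptables restart; any line it prints is a value that sysctl -p (or the IPTABLES_SYSCTL_LOAD_LIST fix) still needs to reapply.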
Reposted from: https://blog.51cto.com/xficc/1812428