On a CentOS server, I get the following error in /var/log/messages
Jan 17 03:40:02 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:40:03 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:40:03 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:40:03 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:40:03 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:40:03 ss1 kernel: nf_conntrack: table full, dropping packet
This is because the server is handling too many connections: the connection tracking table is full. This can be due to a busy server or a DDoS attack.
If your traffic is legitimate, you can increase the maximum number of tracked connections.
To see current value, run
cat /proc/sys/net/netfilter/nf_conntrack_max
To set value, run
echo 64000 > /proc/sys/net/netfilter/nf_conntrack_max
Replace 64000 with your desired value.
You can also use sysctl, for example
sysctl -a | grep nf_conntrack_max
To set value, run
sysctl -w net.netfilter.nf_conntrack_max=120000
To make it permanent, edit
vi /etc/sysctl.conf
Add
net.netfilter.nf_conntrack_max=120000
Now run
sysctl -p
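Before raising the limit it is worth knowing how close the table actually is to being full, because the kernel logs "table full, dropping packet" exactly when nf_conntrack_count reaches nf_conntrack_max. The script below is an added example, not part of the original post: it reads the two /proc entries the post uses and reports the fill level, and it keeps the arithmetic and the ok/warn/full classification in small functions so they can be checked with constructed values. It assumes the nf_conntrack module is loaded (the /proc entries only exist once it is); the 80% warning threshold is an assumption of the example, not a kernel value.

```shell
#!/bin/sh
# Added example (not from the original post): report how full the
# connection tracking table is and warn before the kernel starts
# dropping packets. Assumes the nf_conntrack module is loaded, so
# /proc/sys/net/netfilter/nf_conntrack_{count,max} exist.

CT_DIR=/proc/sys/net/netfilter

# Percentage of the table in use, given the current count and the
# configured maximum. Pure function, so it can be run on constructed
# values as well as on live /proc readings.
conntrack_pct() {
    _count=$1
    _max=$2
    [ "$_max" -gt 0 ] || { echo 0; return 1; }
    echo $(( _count * 100 / _max ))
}

# Classify a fill percentage: "full" at 100% (packets are being dropped),
# "warn" at or above the threshold (default 80%, an assumption of this
# example), "ok" otherwise.
conntrack_status() {
    _pct=$1
    _threshold=${2:-80}
    if [ "$_pct" -ge 100 ]; then
        echo full
    elif [ "$_pct" -ge "$_threshold" ]; then
        echo warn
    else
        echo ok
    fi
}

# Live check against this host's kernel. Returns 2 when conntrack is not
# loaded, 1 when the table is at warn/full level, 0 when it is ok.
check_conntrack() {
    if [ ! -r "$CT_DIR/nf_conntrack_max" ]; then
        echo "nf_conntrack not loaded (no $CT_DIR/nf_conntrack_max)" >&2
        return 2
    fi
    _max=$(cat "$CT_DIR/nf_conntrack_max")
    _count=$(cat "$CT_DIR/nf_conntrack_count" 2>/dev/null || echo 0)
    _pct=$(conntrack_pct "$_count" "$_max")
    _state=$(conntrack_status "$_pct")
    echo "conntrack: $_count / $_max entries (${_pct}%) -> $_state"
    [ "$_state" = ok ]
}

# Run the live check when the script is executed; the "|| :" keeps the
# script's own exit status from aborting a caller that sourced it.
check_conntrack || :
```

Two caveats worth keeping in mind when applying the fix from the post: the net.netfilter.nf_conntrack_max key only exists after the nf_conntrack module has been loaded, so a line in /etc/sysctl.conf can fail at boot if the module is loaded later by the firewall rules; and a larger table does not change the size of the hash used to look entries up (net.netfilter.nf_conntrack_buckets, set through /sys/module/nf_conntrack/parameters/hashsize), so raising the maximum far above the bucket count makes lookups slower. If the count is near the maximum while the server is not legitimately busy, that is a sign to look at where the connections are coming from rather than only raising the limit.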
See sysctl