Re: iptables starts blocking outbound http traffic

Hi,

On Thu, Nov 6, 2008 at 09:33, Neil Aggarwal <neil@xxxxxxxxxxxxxxxxxx> wrote:
> # Allow http connections from the outside world
> /sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p tcp --sport 1024: --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p tcp --sport http --dport 1024: -m state --state ESTABLISHED -j ACCEPT
>
> Any ideas what is going on?

If you're using ESTABLISHED, it depends on ip_conntrack being able to
track the connections. ip_conntrack keeps a table of all connections,
but this table is limited in size, so it may be overflowing.

You can see how many entries you have in that table at any moment with
this command:
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count

And you can see what the maximum is set with this command:
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max

The default in CentOS 5 is 16k connections.

IIRC, you can increase that dynamically with echo ... >/proc/sys/...
or with sysctl. Also, I believe you can set the default after a reboot
in /etc/sysctl.conf. I think it's also possible to do that in
/etc/modprobe.conf, but I'm not sure what the syntax is anymore, and
modinfo ip_conntrack didn't give me any clues. Google should help with
that.

HTH,
Filipe
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
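A small check script, added here as an example and not part of the thread, that turns the two /proc reads above into a usage report and also counts the kernel's "table full, dropping packet" messages, which are the symptom behind ESTABLISHED rules suddenly failing to match. It assumes the ip_conntrack paths quoted in the thread (CentOS 5) and falls back to the nf_conntrack names used by later kernels; the 80% warning threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the thread): report how full the connection
# tracking table is and count kernel "table full" drop messages.
# ip_conntrack_* paths are the CentOS 5 ones from the thread;
# net/netfilter/nf_conntrack_* are the names later kernels use.

# Integer percentage of the table in use; takes arguments rather than
# reading /proc directly so it can be exercised with constructed numbers.
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || { echo 0; return 0; }
    echo $(( $1 * 100 / $2 ))
}

# Print OK, WARN or FULL given count, max and a warning threshold (percent).
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2")
    if [ "$1" -ge "$2" ]; then echo FULL
    elif [ "$pct" -ge "$3" ]; then echo WARN
    else echo OK
    fi
}

# Count log lines on stdin (e.g. dmesg output) reporting packets dropped
# because the table was full; matches both ip_conntrack and nf_conntrack.
count_table_full_events() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# Echo the first readable file among the arguments, fail if none.
first_existing() {
    for f in "$@"; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Live report for this host; returns success even when the conntrack
# module is not loaded so the file can be sourced just for the functions.
report() {
    cnt=$(first_existing /proc/sys/net/ipv4/netfilter/ip_conntrack_count \
                         /proc/sys/net/netfilter/nf_conntrack_count) || {
        echo "conntrack counters not found (module not loaded?)"; return 0; }
    max=$(first_existing /proc/sys/net/ipv4/netfilter/ip_conntrack_max \
                         /proc/sys/net/netfilter/nf_conntrack_max) || return 0
    c=$(cat "$cnt"); m=$(cat "$max")
    echo "conntrack: $c/$m entries ($(conntrack_usage_pct "$c" "$m")%)" \
         "status=$(conntrack_status "$c" "$m" 80)"
    echo "table-full drops in dmesg: $(dmesg 2>/dev/null | count_table_full_events)"
}

report
```

To raise the limit persistently, the matching sysctl key for the thread's /proc path is net.ipv4.netfilter.ip_conntrack_max (net.netfilter.nf_conntrack_max on later kernels) in /etc/sysctl.conf.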
