> Now I can see the lines "ip_conntrack : table full, dropping packet" in my
> kern.log.

Yes, but have you read the FAQ? :) Guess not.
You need to increase the /proc/net/ip_conntrack_max value, according to the FAQ; it gives some reasonable values depending on the RAM you have.

> Does dropping packets mean that it is actually dropping the packets or just
> truncating the file /proc/net/ip_conntrack, does this affect my client's
> connections???

Well, it means that the state mechanism has no space to insert a conntrack entry, meaning that --state ESTABLISHED,RELATED works only for a limited number of currently tracked connections. Depending on your setup, it may do different things, but most probably it does whatever your POLICY instructs it to do. DROP? Most certainly.

In other words, it means that the --state rule will not match on the packet. It will not get accepted by this rule.

Regards,
Maciej Soltysiak
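Added example, not part of the original message: a small shell check that reports how full the conntrack table is and counts "table full" messages in a kernel log, so the condition discussed above can be spotted before --state rules stop matching. The sysctl paths are assumptions that depend on kernel version, and the 80% default limit and the script name are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the original post): conntrack table headroom check.

# ASSUMPTION: sysctl locations; the name depends on kernel version
# (ip_conntrack on older kernels, nf_conntrack on newer ones).
COUNT_FILES="/proc/sys/net/netfilter/nf_conntrack_count /proc/sys/net/ipv4/netfilter/ip_conntrack_count"
MAX_FILES="/proc/sys/net/netfilter/nf_conntrack_max /proc/sys/net/ipv4/netfilter/ip_conntrack_max /proc/sys/net/ipv4/ip_conntrack_max"

# first_readable FILE... -> prints the first readable path, fails if none
first_readable() {
    for f in "$@"; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# usage_percent COUNT MAX -> integer percentage of the table in use
usage_percent() {
    [ "$2" -gt 0 ] 2>/dev/null || return 1
    echo $(( $1 * 100 / $2 ))
}

# count_table_full LOGFILE -> number of "table full, dropping packet" messages
count_table_full() {
    grep -c 'conntrack *: table full, dropping packet' "$1" || true
}

# check_conntrack COUNT_FILE MAX_FILE [LIMIT%] -> prints usage; returns 1 at or above LIMIT
check_conntrack() {
    cur=$(cat "$1") || return 2
    max=$(cat "$2") || return 2
    pct=$(usage_percent "$cur" "$max") || return 2
    echo "conntrack entries: $cur/$max (${pct}%)"
    [ "$pct" -lt "${3:-80}" ]
}

# Live use (hypothetical script name): sh conntrack_check.sh --live [kernel-log]
if [ "${1:-}" = "--live" ]; then
    cf=$(first_readable $COUNT_FILES) && mf=$(first_readable $MAX_FILES) || {
        echo "conntrack sysctls not found (module not loaded?)" >&2; exit 2; }
    check_conntrack "$cf" "$mf" ||
        echo "WARNING: table near limit; new flows may stop matching --state rules"
    if [ -n "${2:-}" ]; then
        echo "table-full messages in $2: $(count_table_full "$2")"
    fi
fi
```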