On Friday 10 January 2003 12:03 am, Amit Kumar Gupta wrote:
> Hi List,
>
> I am getting a problem with iptables :-
>
> I have added some rules in which I check the states of the packets
> which I receive, i.e. whether it is NEW, ESTABLISHED or INVALID, and
> then do some actions.
>
> Now the problem which I am getting is :- (However I have already
> posted a similar query reg this but I think this will be more
> elaborative).
>
> As soon as somebody pings to my m/c, that fellow doesn't get the
> reply and on my m/c, kernel keeps dumping certain messages which are
> like this :-
>
> Ip_contrack: maximum limit of 1016 entries exceeded.

Well, that's what's happening then. The conntrack table is filling. The real question is "why"?

How many machines are connected to/through this one, how many interfaces, subnets, etc? Ping from LAN to firewall box, internet to LAN, what? Just this box on the internet? You need to elaborate still further for anyone to have much chance of figuring out the source of your problem.

Since the conntrack limit is being reached, try "cat /proc/net/conntrack" and see what it's filled with. (Probably 1016 entries, but are they all legitimate traffic, or what?) Conntrack is used for state and NAT both.

It might help if you also included the new state rules you added, and any NAT or state rules that were already in place.

j
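The reply suggests dumping the conntrack table and checking whether its 1016 entries are legitimate. Doing that by eye is tedious, so here is an added example (not part of the thread, not code from either poster) that parses the classic line format of the 2.4-era conntrack proc file and tallies entries by protocol, by originating source address and by UNREPLIED state, which is what you would look at to find what is filling the table. It assumes the file has the `/proc/net/ip_conntrack` layout (one entry per line: protocol name, protocol number, timeout, an optional TCP state, then `key=value` tokens for the original and reply tuples plus bracketed flags such as `[UNREPLIED]` or `[ASSURED]`); the sample text below is constructed for illustration, and the 1016 limit is the figure from the kernel message quoted above.

```python
import re
from collections import Counter

# Constructed sample in the classic /proc/net/ip_conntrack line format
# (assumption: this is the layout of the file the reply calls /proc/net/conntrack).
# Several unreplied ICMP echo entries from one host are included to show how
# pings that never get their reply tracked pile up as separate entries.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.1 sport=45678 dport=80 src=10.0.0.1 dst=192.168.1.10 sport=80 dport=45678 [ASSURED] use=1
udp      17 29 src=192.168.1.10 dst=10.0.0.2 sport=5353 dport=53 [UNREPLIED] src=10.0.0.2 dst=192.168.1.10 sport=53 dport=5353 use=1
icmp     1 29 src=203.0.113.7 dst=192.168.1.1 type=8 code=0 id=512 src=192.168.1.1 dst=203.0.113.7 type=0 code=0 id=512 use=1
icmp     1 29 src=203.0.113.7 dst=192.168.1.1 type=8 code=0 id=513 [UNREPLIED] src=192.168.1.1 dst=203.0.113.7 type=0 code=0 id=513 use=1
icmp     1 29 src=203.0.113.7 dst=192.168.1.1 type=8 code=0 id=514 [UNREPLIED] src=192.168.1.1 dst=203.0.113.7 type=0 code=0 id=514 use=1
icmp     1 29 src=203.0.113.7 dst=192.168.1.1 type=8 code=0 id=515 [UNREPLIED] src=192.168.1.1 dst=203.0.113.7 type=0 code=0 id=515 use=1
"""

CONNTRACK_LIMIT = 1016  # the limit named in the kernel message quoted in the thread

KV = re.compile(r"(\w+)=(\S+)")
FLAG = re.compile(r"\[(\w+)\]")


def parse_entry(line):
    """Turn one conntrack line into a dict keyed on the original-direction tuple.

    The reply tuple repeats the same keys (src, dst, sport, ...); setdefault keeps
    only the first occurrence, i.e. the direction that created the entry.
    """
    parts = line.split()
    proto = parts[0]
    entry = {
        "proto": proto,
        "timeout": int(parts[2]),
        # TCP lines carry a state name in the fourth column; other protocols do not.
        "tcp_state": parts[3] if proto == "tcp" else None,
        "flags": set(FLAG.findall(line)),
    }
    for key, val in KV.findall(line):
        entry.setdefault(key, val)
    return entry


def summarize(text):
    """Aggregate a whole table dump so the dominant protocol/source stands out."""
    entries = [parse_entry(l) for l in text.splitlines() if l.strip()]
    return {
        "total": len(entries),
        "by_proto": Counter(e["proto"] for e in entries),
        "by_src": Counter(e["src"] for e in entries),
        # Entries that never saw return traffic; a large share of these from one
        # host is the first thing to check when the table is full.
        "unreplied": sum(1 for e in entries if "UNREPLIED" in e["flags"]),
        "fill_ratio": len(entries) / CONNTRACK_LIMIT,
    }


def read_table(path="/proc/net/ip_conntrack"):
    """Read the live table on a host that exposes it (path is an assumption)."""
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"{s['total']} entries, {s['fill_ratio']:.1%} of limit, {s['unreplied']} unreplied")
    print("by protocol:", dict(s["by_proto"]))
    print("top sources:", s["by_src"].most_common(3))
```

Run as-is it summarizes the constructed sample; on a box actually hitting the limit, replace `SAMPLE` with `read_table()` and look at the top sources and the unreplied count before touching the rules.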