Hi all,

We are currently using iptables 1.2.5 and kernel 2.4.18 to do filtering and NAT. There are about 800 hosts behind the firewall, and we are in the process of moving them into private IP space (10.x.x.x), so not all of the 800 are NAT candidates, only about 400 so far. The rest still have their global IP addresses.

Users are starting to report that when their machine is moved to 10. space, they experience network hangups when accessing offsite servers (mainly web/ftp but also ssh), and I'd like your advice on where I should start looking.

The firewall box is a 1GHz AMD with 128MBytes mem, and /proc/sys/net/ipv4/ip_conntrack_max is currently set to 8184.

How can I track how close I get to this limit? What is the memory use per conntrack entry?

Is there anything particular about NAT entries in the conntrack tables that would make NAT'd hosts more prone to net hangups than unNAT'd ones?

If I raise my ip_conntrack_max value, am I likely to crash the firewall if I raise it too high? What is the theoretical maximum number of conntrack entries?

What is the theoretical maximum number of NAT connections? (This would seem to me to be 65536 - the maximum number of ports available on a single host, i.e. the NAT box, since it has to map a source host:hostport into a NAT:natport.)

Sorry for all the questions, but I'm starting to get worried that we may have bitten off more than we can chew here...

TIA,
Terry.
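The first question above (how to track how close the table is to ip_conntrack_max) can be answered from /proc without any extra tooling. The script below is an added example, not something from the original post: it counts the entries in the conntrack table (one line per tracked connection in /proc/net/ip_conntrack on the 2.4 kernels the poster runs; newer kernels expose the same data as /proc/net/nf_conntrack with the limit in /proc/sys/net/netfilter/nf_conntrack_max), compares the count to the configured maximum, and flags when usage crosses a warning percentage. The file paths are passed in as parameters so the check can be run against the real /proc files on the firewall or, as here, against constructed sample files when neither kernel path is readable; the 80% warning threshold and the sample values are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report conntrack table usage
# against ip_conntrack_max and warn when it gets close to the limit.

# conntrack_percent MAX_FILE TABLE_FILE
# Prints the integer percentage of the conntrack table that is in use.
# MAX_FILE holds the limit (ip_conntrack_max / nf_conntrack_max);
# TABLE_FILE lists one tracked connection per line.
conntrack_percent() {
    max_file=$1
    table_file=$2
    max=$(( $(cat "$max_file") ))
    used=$(( $(wc -l < "$table_file") ))
    if [ "$max" -gt 0 ]; then
        echo $(( used * 100 / max ))
    else
        # A zero limit would mean no tracking is possible; treat as full.
        echo 100
    fi
}

# conntrack_check MAX_FILE TABLE_FILE [WARN_PERCENT]
# Returns 0 while usage is below WARN_PERCENT (default 80, an assumed
# threshold), 1 once it reaches or exceeds it. Prints a one-line summary.
conntrack_check() {
    warn=${3:-80}
    pct=$(conntrack_percent "$1" "$2")
    echo "conntrack: $(wc -l < "$2" | tr -d ' ') of $(cat "$1") entries in use (${pct}%)"
    [ "$pct" -lt "$warn" ]
}

# Pick the real /proc files if this kernel exposes them readably; otherwise
# fall back to constructed sample data so the script runs anywhere.
if [ -r /proc/sys/net/ipv4/ip_conntrack_max ] && [ -r /proc/net/ip_conntrack ]; then
    MAX_FILE=/proc/sys/net/ipv4/ip_conntrack_max
    TABLE_FILE=/proc/net/ip_conntrack
elif [ -r /proc/sys/net/netfilter/nf_conntrack_max ] && [ -r /proc/net/nf_conntrack ]; then
    MAX_FILE=/proc/sys/net/netfilter/nf_conntrack_max
    TABLE_FILE=/proc/net/nf_conntrack
else
    # Constructed sample: the poster's limit of 8184 and 7000 fake entries,
    # which is about 85% full and should trigger the warning.
    SAMPLE_DIR=$(mktemp -d)
    MAX_FILE=$SAMPLE_DIR/ip_conntrack_max
    TABLE_FILE=$SAMPLE_DIR/ip_conntrack
    echo 8184 > "$MAX_FILE"
    awk 'BEGIN { for (i = 0; i < 7000; i++)
        print "tcp 6 431999 ESTABLISHED src=10.0.0.1 dst=192.0.2.1 sport=1024 dport=80 use=1" }' \
        > "$TABLE_FILE"
fi

if conntrack_check "$MAX_FILE" "$TABLE_FILE" 80; then
    echo "OK: below warning threshold"
else
    echo "WARNING: conntrack table close to ip_conntrack_max; new connections will be dropped once it is full"
fi

[ -n "${SAMPLE_DIR:-}" ] && rm -rf "$SAMPLE_DIR"
```

Run it from cron on the firewall with the real /proc paths and log the summary line; a table that sits near the limit while hosts report hangups is the symptom that points at ip_conntrack_max rather than at NAT itself.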