connection dropouts

Hi all,

We are currently using iptables 1.2.5 and kernel 2.4.18 to do filtering
and NAT. There are about 800 hosts behind the firewall, and we are in
the process of moving them into private ip space (10.x.x.x) so not all
the 800 are NAT candidates, only about 400 so far. The rest still have
their global ip addresses.
Users are starting to report that when their machine is moved to
10. space, they experience network hangups when accessing offsite
servers (mainly web/ftp but also ssh) and I'd like your advice
where I should start looking.

The firewall box is a 1GHz AMD with 128MBytes mem, and
/proc/sys/net/ipv4/ip_conntrack_max is currently set to 8184.

How can I track how close I get to this limit? 
What is the memory use per conntrack entry?
Is there anything particular about NAT entries in the conntrack
tables that would make NAT'd hosts more prone to net hangups
than unNAT'd ones?
If I raise my ip_conntrack_max value, am I likely to crash
the firewall if I raise it too high?
What is the theoretical maximum number of conntrack entries?
What is the theoretical maximum number of NAT connections?
(this would seem to me to be 65536 - the maximum number
of ports available on a single host, i.e. the NAT box
since it has to map a source host:hostport into a NAT:natport)

Sorry for all the questions, but I'm starting to get worried
that we may have bitten off more than we can chew here...

TIA,
Terry.
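One way to answer the "how close am I to ip_conntrack_max" question, as an added example that is not part of the original post: a small POSIX shell script that reads the 2.4-era /proc/net/ip_conntrack table and the ip_conntrack_max sysctl, counts the entries, and separately counts the ones whose reply-direction destination differs from the original source (i.e. connections this box has source-NATed). The file paths and the sample table lines are assumptions; the sample uses documentation addresses and is embedded so the script also runs off the firewall.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are overridable so the
# functions can be run against a saved copy of the table.
CT_TABLE="${CT_TABLE:-/proc/net/ip_conntrack}"
CT_MAX_FILE="${CT_MAX_FILE:-/proc/sys/net/ipv4/ip_conntrack_max}"

# Constructed sample of /proc/net/ip_conntrack lines (2.4 format): original
# tuple first, reply tuple second. Lines 1, 2 and 4 are SNATed (10.x source
# rewritten to 198.51.100.1); line 3 keeps its global source address.
SAMPLE_TABLE=$(cat <<'EOF'
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=34567 dport=80 src=203.0.113.10 dst=198.51.100.1 sport=80 dport=34567 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=10.0.0.7 dst=203.0.113.20 sport=40000 dport=21 src=203.0.113.20 dst=198.51.100.1 sport=21 dport=40000 [ASSURED] use=1
tcp      6 300000 ESTABLISHED src=198.51.100.9 dst=203.0.113.10 sport=50000 dport=22 src=203.0.113.10 dst=198.51.100.9 sport=22 dport=50000 [ASSURED] use=1
udp      17 29 src=10.0.0.5 dst=203.0.113.53 sport=1025 dport=53 src=203.0.113.53 dst=198.51.100.1 sport=53 dport=1025 use=1
EOF
)

# count_entries FILE: one conntrack entry per non-empty line.
count_entries() {
  grep -c . "$1"
}

# count_natted FILE: entries where the reply tuple's dst= (last dst= on the
# line) is not the original tuple's src= (first src= on the line).
count_natted() {
  awk '{
    orig_src = ""; reply_dst = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^src=/ && orig_src == "") orig_src = substr($i, 5)
      else if ($i ~ /^dst=/) reply_dst = substr($i, 5)
    }
    if (orig_src != reply_dst) n++
  } END { print n + 0 }' "$1"
}

# usage_percent COUNT MAX: integer percentage of the table in use.
usage_percent() {
  echo $(( $1 * 100 / $2 ))
}

report() {
  total=$(count_entries "$1"); natted=$(count_natted "$1")
  echo "conntrack: $total/$2 entries ($(usage_percent "$total" "$2")%), NATed: $natted"
}

if [ -r "$CT_TABLE" ] && [ -r "$CT_MAX_FILE" ]; then
  report "$CT_TABLE" "$(cat "$CT_MAX_FILE")"
else
  tmp=$(mktemp); printf '%s\n' "$SAMPLE_TABLE" > "$tmp"
  report "$tmp" 8184; rm -f "$tmp"
fi
```

Run it from cron or a watch loop on the firewall and log the percentage; a steady climb toward 100% alongside the reported hangups points at table exhaustion rather than the NAT rules themselves.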
