Now, commenting on this message: I actually didn't know that the conntrack table had a limit. Learning something every day. I will check its value on Monday, during peak time. Another thought: if the ACKs that are being blocked are for some reason malformed, wouldn't they be blocked as well by the last rule?

> One other thought on this: if I were to presume the ${variables} and ...IPs, then I would presume that the RELATED rules should allow these ACKs to go through. The only reason I know of for them not to (again, assuming all the addressing is really ok) would be that the conntrack table has filled up.
>
> To see the maximum connections that can be tracked:
>
> # cat /proc/sys/net/ipv4/ip_conntrack_max
> 32760
>
> To see how many you are using at a given moment:
>
> # wc -l /proc/net/ip_conntrack
> 16 /proc/net/ip_conntrack
>
> This is from my house and there really isn't all that much going on; I would expect far larger counts, you may need to up ip_conntrack_max. This is really out in the SWAG arena because I can't see the details of your installation.
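As an added example (not code from either poster), here is a small POSIX shell script that turns the peak-time check described in the quoted reply into something you can cron or hand to monitoring. It reads the maximum and current count the same way the quoted commands do; the additional /proc/sys/net/netfilter/nf_conntrack_* paths and /proc/net/nf_conntrack are my assumption that the box may be running a later kernel where the ip_conntrack files were renamed. The 80% threshold is an arbitrary default; the function names (read_first, usage_pct, check_threshold) are mine.

```shell
#!/bin/sh
# Added example: report how full the Linux conntrack table is.
# Assumed file locations: legacy /proc/sys/net/ipv4/ip_conntrack_max and
# /proc/net/ip_conntrack (as in the quoted post), or the newer
# /proc/sys/net/netfilter/nf_conntrack_{max,count} and /proc/net/nf_conntrack.

# Print the contents of the first readable file among the arguments.
read_first() {
  for f in "$@"; do
    if [ -r "$f" ]; then
      cat "$f"
      return 0
    fi
  done
  return 1
}

# Maximum number of connections the kernel will track.
conntrack_max() {
  read_first /proc/sys/net/netfilter/nf_conntrack_max \
             /proc/sys/net/ipv4/ip_conntrack_max
}

# Connections tracked right now. Prefer the cheap counter file; otherwise count
# lines of the table dump, which is what "wc -l /proc/net/ip_conntrack" does.
conntrack_count() {
  read_first /proc/sys/net/netfilter/nf_conntrack_count \
    || { read_first /proc/net/nf_conntrack /proc/net/ip_conntrack | wc -l | tr -d ' '; }
}

# Integer percentage of the table in use. Pure arithmetic, so it can be tested
# with constructed values (e.g. 16 of 32760 -> 0, 31000 of 32760 -> 94).
usage_pct() {
  count=$1; max=$2
  [ "$max" -gt 0 ] || return 1
  echo $(( count * 100 / max ))
}

# Exit 0 when usage is below the threshold (default 80%), 1 when at or above it,
# 2 when the inputs are unusable. Once the table is full the kernel drops packets
# it cannot track, so RELATED/ESTABLISHED matches start failing.
check_threshold() {
  count=$1; max=$2; threshold=${3:-80}
  pct=$(usage_pct "$count" "$max") || return 2
  if [ "$pct" -ge "$threshold" ]; then
    echo "WARNING: conntrack table ${pct}% full (${count}/${max}); raise the *_conntrack_max sysctl" >&2
    return 1
  fi
  echo "OK: conntrack table ${pct}% full (${count}/${max})"
  return 0
}

# Run the check against the live kernel. Call as: main [threshold_percent]
main() {
  max=$(conntrack_max) || { echo "conntrack files not found; is the module loaded?" >&2; return 2; }
  count=$(conntrack_count) || count=0
  check_threshold "$count" "$max" "${1:-80}"
}
```

Source the file and call `main` (or `main 90` for a higher threshold) on the firewall itself; the /proc files only exist where the conntrack module is loaded. Raising the limit is `sysctl -w net.netfilter.nf_conntrack_max=N` on newer kernels or writing to the ip_conntrack_max file on older ones; each tracked entry costs kernel memory, so size it to observed peak usage rather than picking a huge number.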