Hello Igor,

On 16.05.2017 at 13:44, i.chudov@xxxxxxxxxxxx wrote:
> Hello all!
>
> I'm working for a small ISP and we have a questionable situation here.
> Hope anybody will be able to help us.
>
> We have a machine (one white IPv4) which does IPv4 masquerading for
> clients in 192.168.0.0/16 subnetworks. Recently we noticed a growth of
> /proc/net/nf_conntrack NAT translations table from about 5k lines to 40k
> lines (30k translations to 1e100.net, port 5228). Okay, let the Google spy
> users, fine but the situation has raised the following questions:
>
> # grep ESTABLISHED /proc/net/nf_conntrack | wc -l
> 29560
> # sysctl net.ipv4.ip_local_port_range
> net.ipv4.ip_local_port_range = 32768 61000
> # bc
> 61000-32768
> 28232
> # sysctl net.netfilter.nf_conntrack_max
> net.netfilter.nf_conntrack_max = 65536
>
> 1) How is it possible that the number of ESTABLISHED connections is greater
> than the ephemeral port range?

You're probably connecting to more than one host and one service on the
internet? ;-)

See http://stackoverflow.com/questions/2332741/what-is-the-theoretical-maximum-number-of-open-tcp-connections-that-a-modern-lin

> 2) Is net.ipv4.ip_local_port_range used for NAT translations?

Yes, and you can extend it.

Some other thoughts on your situation: if you raise nf_conntrack_max, you
should probably also tweak the hashsize module parameter for nf_conntrack
so that your conntrack hashtable is big enough. Otherwise you end up with
lots of collisions in the conntrack hashtable.

You should also investigate whether those connections listed as
"ESTABLISHED" have been created by misconfigured firewalls. They'll show
up as "ESTABLISHED/UNREPLIED" in "conntrack -L".

HTH,
Thomas

Kind regards,
on behalf of Thomas Bätzler
--
BRINGE Informationstechnik GmbH
Zur Seeplatte 12
D-76228 Karlsruhe
Germany
Fon: +49 721 94246-0
Fon: +49 171 5438457
Fax: +49 721 94246-66
Web: http://www.bringe.de/
Managing Director: Dipl.-Ing. (FH) Martin Bringe
VAT ID: DE812936645, HRB 108943 Mannheim
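The three points in the reply above (a SNAT source port only has to be unique per remote endpoint, so the table can exceed the ephemeral range; hashsize should grow with nf_conntrack_max; ESTABLISHED entries flagged [UNREPLIED] deserve a look) can all be checked from a dump of the conntrack table. The script below is an added example, not code from this thread or from the netfilter project. The sample entries are constructed, the function names are mine, and the max/4 bucket ratio mirrors the kernel's default relationship between nf_conntrack_buckets and nf_conntrack_max; everything else uses only the standard /proc and sysctl interfaces.

```shell
#!/bin/sh
# Added example, not code from the thread. Triages a conntrack table dump in the
# /proc/net/nf_conntrack format (the same fields `conntrack -L` prints, minus the
# leading "ipv4 2" columns). Every entry and address below is constructed.

SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.10.5 dst=203.0.113.10 sport=50432 dport=5228 src=203.0.113.10 dst=198.51.100.1 sport=5228 dport=50432 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431998 ESTABLISHED src=192.168.10.6 dst=203.0.113.10 sport=50433 dport=5228 src=203.0.113.10 dst=198.51.100.1 sport=5228 dport=50433 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=192.168.10.7 dst=203.0.113.20 sport=50434 dport=443 [UNREPLIED] src=203.0.113.20 dst=198.51.100.1 sport=443 dport=50434 mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.10.8 dst=203.0.113.10 sport=50435 dport=5228 src=203.0.113.10 dst=198.51.100.1 sport=5228 dport=50435 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 60 SYN_SENT src=192.168.10.9 dst=203.0.113.30 sport=50436 dport=22 [UNREPLIED] src=203.0.113.30 dst=198.51.100.1 sport=22 dport=50436 mark=0 use=2
ipv4     2 udp      17 29 src=192.168.10.5 dst=203.0.113.53 sport=40000 dport=53 src=203.0.113.53 dst=198.51.100.1 sport=53 dport=40000 mark=0 use=2'

# TCP entries in ESTABLISHED state (what the original `grep | wc -l` counted).
count_established() {
    printf '%s\n' "$1" | grep -c ' ESTABLISHED '
}

# ESTABLISHED entries the remote side never answered. A flow set up through the
# NAT normally carries [ASSURED]; ESTABLISHED plus [UNREPLIED] means conntrack
# picked the flow up mid-stream or the replies are being dropped somewhere,
# which is the "misconfigured firewall" signature the reply points at.
count_established_unreplied() {
    printf '%s\n' "$1" | grep ' ESTABLISHED ' | grep -c '\[UNREPLIED\]'
}

# Distinct remote (dst, dport) endpoints in the original direction. The SNAT
# source port only has to be unique per remote endpoint, so the table can hold
# up to (ephemeral ports) x (this number) translations, not (ephemeral ports).
count_remote_endpoints() {
    printf '%s\n' "$1" | awk '
        { d = ""; p = ""
          for (i = 1; i <= NF; i++) {
              if (d == "" && $i ~ /^dst=/)   d = $i   # first dst= is the original direction
              if (p == "" && $i ~ /^dport=/) p = $i
          }
          if (d != "" && p != "") seen[d " " p] = 1 }
        END { n = 0; for (k in seen) n++; print n }'
}

# Destination port with the most ESTABLISHED entries, printed as "<count> <port>".
top_dport() {
    printf '%s\n' "$1" | awk '
        / ESTABLISHED / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dport=/) { sub(/^dport=/, "", $i); n[$i]++; break }
        }
        END { best = ""
              for (p in n) if (best == "" || n[p] > n[best]) best = p
              if (best != "") print n[best], best }'
}

# Bucket count to pair with a given nf_conntrack_max. The kernel default is
# nf_conntrack_max = nf_conntrack_buckets * 4, so this keeps that ratio when the
# maximum is raised; the live bucket count is readable via
# `sysctl net.netfilter.nf_conntrack_buckets` and settable through
# /sys/module/nf_conntrack/parameters/hashsize.
recommend_hashsize() {
    echo $(( $1 / 4 ))
}

# Report on a dump file given as argument, otherwise on the constructed sample.
report() {
    table=$SAMPLE_CONNTRACK
    if [ -n "$1" ] && [ -r "$1" ]; then
        table=$(cat "$1")
    fi
    max=65536   # value from the thread; live value: sysctl -n net.netfilter.nf_conntrack_max
    printf 'ESTABLISHED entries:           %s\n' "$(count_established "$table")"
    printf 'ESTABLISHED but [UNREPLIED]:   %s\n' "$(count_established_unreplied "$table")"
    printf 'distinct remote (dst, dport):  %s\n' "$(count_remote_endpoints "$table")"
    printf 'busiest dport (count port):    %s\n' "$(top_dport "$table")"
    printf 'hashsize to pair with max=%s: %s\n' "$max" "$(recommend_hashsize "$max")"
}

report "${1:-}"
```

Run it as `sh conntrack-triage.sh /proc/net/nf_conntrack` on the NAT box (or feed it a saved copy of the file); a non-zero "ESTABLISHED but [UNREPLIED]" count is the set of entries to inspect with `conntrack -L` before concluding the growth is all legitimate traffic.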