The system is IPv4 and intranet only. Suppose I'm going to increase the hash size:
1. What is the potential maximum size needed?
2. How much kernel memory is needed accordingly?

------- Original Message -------
On Sunday, June 18th, 2023 at 5:14 PM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:

>
> On 17.06.23 at 05:22, public1020 wrote:
>
> > I have a simple nat configuration to forward certain access to a gateway:
> >
> > iptables -t nat -A PREROUTING -p tcp -m set --match-set http_port dst,dst -j DNAT --to-destination XXX:80
> > iptables -t nat -A POSTROUTING -j MASQUERADE
> >
> > Can I do that without nat? Just trying to avoid the "conntrack table full" issue.
> > Is there a non-stateful solution?
>
> conntrack doesn't depend on NAT at all but nearly any useful setup depends
> on conntrack
>
> i can't think of a useful ruleset without RELATED,ESTABLISHED rules and
> ctstate is conntrack
>
> in other words: without explicit "CT notrack" in the RAW-table there is
> always conntrack
>
> fix your config instead of trying to work around it
>
> [root@firewall:~]$ cat /etc/modprobe.d/iptables-conntrack.conf
> options nf_conntrack hashsize=524288 expect_hashsize=2048
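A way to put rough numbers on the two sizing questions above, as an added example that is not part of the thread: the script estimates the kernel memory a given nf_conntrack hashsize implies and, where the module is loaded, prints the live hashsize, nf_conntrack_max and entry count for comparison. Assumptions (not from the thread): 8 bytes per hash bucket (one list-head pointer on 64-bit), an nf_conntrack_max of 4x hashsize, and a 320-byte conntrack entry unless /proc/slabinfo can be read.

```shell
#!/bin/sh
# Added example: rough memory estimate for nf_conntrack sizing. All
# per-object sizes below are assumptions; read the live slab size when possible.

# conntrack_mem_estimate HASHSIZE MAX [ENTRY_BYTES] [BUCKET_BYTES]
# Prints three decimal byte counts: hash-table bytes, worst-case entry bytes, total.
conntrack_mem_estimate() {
    hashsize=$1; max=$2; entry_bytes=${3:-320}; bucket_bytes=${4:-8}
    # The hash table itself is one list head per bucket (assumed 8 bytes on 64-bit);
    # this is the part that grows with the hashsize= module option from the thread.
    table=$((hashsize * bucket_bytes))
    # Entries are allocated from the nf_conntrack slab as flows are tracked; the
    # worst case is nf_conntrack_max live entries of entry_bytes each (assumed size).
    entries=$((max * entry_bytes))
    echo "$table $entries $((table + entries))"
}

# Live values when nf_conntrack is loaded: hashsize, max, current count, slab object
# size (the 4th column of the nf_conntrack line in /proc/slabinfo, readable as root).
conntrack_live_values() {
    p=/sys/module/nf_conntrack/parameters/hashsize
    s=/proc/sys/net/netfilter
    [ -r "$p" ] && [ -r "$s/nf_conntrack_max" ] || return 1
    obj=$(awk '$1 == "nf_conntrack" { print $4 }' /proc/slabinfo 2>/dev/null)
    echo "$(cat "$p") $(cat "$s/nf_conntrack_max") $(cat "$s/nf_conntrack_count") ${obj:-320}"
}

# Worked case: the hashsize from the thread (524288) with nf_conntrack_max assumed
# to be 4x that (2097152); adjust MAX to whatever the box actually has configured.
main() {
    set -- $(conntrack_mem_estimate 524288 2097152)
    echo "hash table: $(($1 / 1024)) KiB, entries (worst case): $(($2 / 1048576)) MiB"
    if v=$(conntrack_live_values); then
        set -- $v
        echo "live: hashsize=$1 max=$2 count=$3 slab_object_bytes=$4"
        set -- $(conntrack_mem_estimate "$1" "$2" "$4")
        echo "live estimate: $(($3 / 1048576)) MiB total"
    fi
}
main "$@"
```

On a box where `nf_conntrack_count` sits near `nf_conntrack_max`, the "live estimate" line is the memory you are already committing, so raising hashsize alone (without raising the max) only spreads the same entries over more buckets.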