that below is from our public firewall for a /24 company newtork hosting
email and websites (besides the usual internal stuff)
current memory usage: 231 MB
the defaults are for single nodes with no real network traffic to avoi
duseless memory allocation on your notebook out-of-he-box i would say
Am 18.06.23 um 16:34 schrieb public1020:
The system is IPv4 and intranet only, suppose I'm going to increase the hash size,
1. What is the potentially maximum size needed?
2. How much kernel memory is needed accordingly?
------- Original Message -------
On Sunday, June 18th, 2023 at 5:14 PM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
Am 17.06.23 um 05:22 schrieb public1020:
I have a simple nat configuration to forward certain access to a gateway:
iptables -t nat -A PREROUTING -p tcp -m set --match-set http_port dst,dst -j DNAT --to-destination XXX:80
iptables -t nat -A POSTROUTING -j MASQUERADE
Can I do that without nat? Just trying to avoid the "conntrack table full" issue.
Is there a non-stateful solution?
conntrack don't depend on NAT at all but nearly any useful setup depends
on conntrack
i can't think of a useful ruleset without RELATED,ESTABLISHED rules and
ctstate is conntrack
in other words: without explicit "CT notrack" in the RAW-table there is
always conntrack
fix your config instead trying to work aorund it
[root@firewall:~]$ cat /etc/modprobe.d/iptables-conntrack.conf
options nf_conntrack hashsize=524288 expect_hashsize=2048
