Hello,

The kernel of my DNS server is dropping packets:

kernel: [48074703.302657] nf_conntrack: table full, dropping packet.

I've followed this knowledge base article: https://kb.isc.org/docs/aa-01183 for configuring iptables to not track the connections of DNS packets. ...but it is still dropping packets due to the CT. I know I could bump the conntrack memory, but I'd still like to know why my iptables rules aren't sufficient for not dropping DNS packets.

I'm running Linux 3.2.0-4-amd64

Here are my iptables rules:

# iptables -vnL -t raw
Chain PREROUTING (policy ACCEPT 24M packets, 2112M bytes)
 pkts bytes target prot opt in  out source    destination
  16M 1153M CT     udp  --  *   *   0.0.0.0/0 0.0.0.0/0   udp dpt:53 CT notrack
3723K  701M CT     udp  --  *   *   0.0.0.0/0 0.0.0.0/0   udp spt:53 CT notrack

Chain OUTPUT (policy ACCEPT 24M packets, 5436M bytes)
 pkts bytes target prot opt in  out source    destination
3760K  327M CT     udp  --  *   *   0.0.0.0/0 0.0.0.0/0   udp dpt:53 CT notrack
  16M 4680M CT     udp  --  *   *   0.0.0.0/0 0.0.0.0/0   udp spt:53 CT notrack

# iptables -vnL
Chain INPUT (policy DROP 45173 packets, 2842K bytes)
 pkts bytes target prot opt in  out source    destination
  23M 2065M ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0   ctstate RELATED,ESTABLISHED,UNTRACKED
   11   804 ACCEPT all  --  lo  *   0.0.0.0/0 0.0.0.0/0
    4   284 ACCEPT udp  --  *   *   0.0.0.0/0 0.0.0.0/0   udp dpt:53
 709K   37M ACCEPT tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   tcp dpt:53

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source    destination

Chain OUTPUT (policy ACCEPT 24M packets, 5439M bytes)
 pkts bytes target prot opt in  out source    destination

Any ideas what I'm missing?

Thanks for the help!

-m
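An added diagnostic example, not from the original post or from the ISC article it links: before raising nf_conntrack_max, list which protocol/destination-port tuples actually occupy the conntrack table (the /proc/net/nf_conntrack format used by 3.x kernels), so the raw-table notrack rules can be compared against what is still being tracked. The sample entries, addresses and ports below are constructed.

```shell
#!/bin/sh
# Constructed sample of /proc/net/nf_conntrack lines (not real data):
# a few tracked TCP/53 entries, one NTP entry, one SSH entry, one ICMP entry.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.53 sport=51000 dport=53 src=192.0.2.53 dst=192.0.2.10 sport=53 dport=51000 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 300 ESTABLISHED src=192.0.2.11 dst=192.0.2.53 sport=51001 dport=53 src=192.0.2.53 dst=192.0.2.11 sport=53 dport=51001 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=192.0.2.12 dst=192.0.2.53 sport=40000 dport=123 src=192.0.2.53 dst=192.0.2.12 sport=123 dport=40000 mark=0 use=2
ipv4     2 tcp      6 7440 ESTABLISHED src=192.0.2.13 dst=192.0.2.53 sport=51002 dport=22 src=192.0.2.53 dst=192.0.2.13 sport=22 dport=51002 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.14 dst=192.0.2.53 sport=51003 dport=53 src=192.0.2.53 dst=192.0.2.14 sport=53 dport=51003 [ASSURED] mark=0 use=2
ipv4     2 icmp     1 29 src=192.0.2.15 dst=192.0.2.53 type=8 code=0 id=1 src=192.0.2.53 dst=192.0.2.15 type=0 code=0 id=1 mark=0 use=2'

# Read conntrack lines on stdin; print "count proto/dport", most frequent first.
# The dport of the first (original-direction) tuple is used; entries with no
# port, such as icmp, are reported as proto/-.
summarize_conntrack() {
    awk '{
        proto = $3; dport = "-"
        for (i = 4; i <= NF; i++) {
            if (substr($i, 1, 6) == "dport=") { dport = substr($i, 7); break }
        }
        count[proto "/" dport]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# Integer percentage of the table in use, given nf_conntrack_count and
# nf_conntrack_max (read them from /proc/sys/net/netfilter/ on a live host).
conntrack_fill_percent() {
    echo $(( $1 * 100 / $2 ))
}

# On a host with conntrack loaded, summarise the live table; otherwise use the sample.
if [ -r /proc/net/nf_conntrack ]; then
    summarize_conntrack < /proc/net/nf_conntrack
else
    printf '%s\n' "$SAMPLE_CONNTRACK" | summarize_conntrack
fi
```

If TCP/53 or non-DNS tuples dominate the output, the table is being filled by traffic the UDP-only notrack rules never touch, which is a different fix than enlarging the table.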