On 29 October 2024 15:11:34 UTC, Matt Zagrabelny <mzagrabe@xxxxxxxxx> wrote:

> ...but it is still dropping packets due to the CT.

You first have to inspect what is filling your conntrack table:

conntrack -L

Then you have to decide whether you have to add more notrack rules, or whether you are under e.g. a SYN flood or so...

IMO you forget that DNS can use TCP too (not mentioned in that article's rules). Do not forget that "lo" traffic can create (a lot of) conntrack entries too.

> I'm running Linux 3.2.0-4-amd64

IMO quite old; AFAIK modern kernels can do better with SYN floods (via a better SYN cookies approach), if that is the source of your problems.

regards

--
Slavko
https://www.slavino.sk/
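The procedure Slavko describes (look at what is in the conntrack table, then decide between more notrack rules and a SYN-flood problem) as an added example; this is not code from the thread or from the article it refers to. It parses text in the format `conntrack -L` prints, tabulates flows by protocol/destination port and TCP state, counts loopback flows, and prints raw-table rules that exempt DNS over both UDP and TCP plus "lo" traffic from tracking. The sample flows are constructed; the `iptables -t raw ... -j CT --notrack` form is assumed to match the 3.2-era iptables setup in the thread (the rules are only printed, not applied).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Analyses `conntrack -L`
# output and prints NOTRACK rules; the sample below is constructed.
set -e

# Constructed sample in the one-flow-per-line format that `conntrack -L` prints.
SAMPLE='udp      17 28 src=10.0.0.5 dst=10.0.0.1 sport=41002 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=41002 mark=0 use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=41003 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=41003 mark=0 use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=41004 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=41004 mark=0 use=1
udp      17 30 src=10.0.0.5 dst=10.0.0.1 sport=41005 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=41005 mark=0 use=1
tcp      6 431990 ESTABLISHED src=10.0.0.5 dst=10.0.0.1 sport=50100 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=50100 [ASSURED] mark=0 use=1
tcp      6 431995 ESTABLISHED src=10.0.0.5 dst=10.0.0.1 sport=50101 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=50101 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.9 sport=44210 dport=443 src=203.0.113.9 dst=10.0.0.5 sport=443 dport=44210 [ASSURED] mark=0 use=1
tcp      6 59 SYN_RECV src=198.51.100.7 dst=10.0.0.5 sport=6001 dport=80 src=10.0.0.5 dst=198.51.100.7 sport=80 dport=6001 mark=0 use=1
tcp      6 58 SYN_RECV src=198.51.100.8 dst=10.0.0.5 sport=6002 dport=80 src=10.0.0.5 dst=198.51.100.8 sport=80 dport=6002 mark=0 use=1
tcp      6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=39000 dport=6379 src=127.0.0.1 dst=127.0.0.1 sport=6379 dport=39000 [ASSURED] mark=0 use=1'

# Count flows by L4 protocol and original-direction destination port.
# stdin: conntrack -L text.  stdout: "<proto> <dport> <count>", busiest first.
summarize_conntrack() {
  awk '
    {
      # older conntrack-tools print "ipv4 2 tcp 6 ..."; newer ones start with the L4 proto
      proto = ($1 == "ipv4" || $1 == "ipv6") ? $3 : $1
      dport = ""
      for (i = 1; i <= NF; i++)
        if ($i ~ /^dport=/) { dport = substr($i, 7); break }   # first dport= is the original direction
      if (dport != "") count[proto " " dport]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort -k3,3nr -k1,2
}

# Tabulate TCP flows by conntrack state.  Many entries sitting in
# SYN_SENT/SYN_RECV are half-open connections (e.g. a SYN flood), not real traffic.
tcp_states() {
  awk '
    { proto = ($1 == "ipv4" || $1 == "ipv6") ? $3 : $1 }
    proto == "tcp" {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^[A-Z_]+$/) { state[$i]++; break }   # first all-caps token is the state
    }
    END { for (s in state) print s, state[s] }
  ' | sort
}

# Count flows whose original source is loopback; these are the "lo" entries
# that a notrack rule on lo would remove from the table.
loopback_flows() {
  grep -c ' src=127\.' || true
}

# Print (do not apply) raw-table rules that keep loopback and DNS, over UDP
# and TCP and in both directions, out of conntrack.  Review, then run as root.
notrack_rules() {
  echo 'iptables -t raw -A PREROUTING -i lo -j CT --notrack'
  echo 'iptables -t raw -A OUTPUT -o lo -j CT --notrack'
  for chain in PREROUTING OUTPUT; do
    for proto in udp tcp; do
      for port in dport sport; do
        echo "iptables -t raw -A $chain -p $proto --$port 53 -j CT --notrack"
      done
    done
  done
}

# Demo on the constructed sample; on a real box pipe `conntrack -L` in instead.
echo '# flows by proto/dport:';   printf '%s\n' "$SAMPLE" | summarize_conntrack
echo '# TCP flows by state:';     printf '%s\n' "$SAMPLE" | tcp_states
echo "# loopback flows: $(printf '%s\n' "$SAMPLE" | loopback_flows)"
echo '# candidate notrack rules:'; notrack_rules
```

Packets exempted this way carry conntrack state UNTRACKED, so filter rules that only accept `--ctstate ESTABLISHED,RELATED` will no longer match the DNS replies; add an explicit accept for the untracked DNS traffic (port match or `-m conntrack --ctstate UNTRACKED`) before relying on these rules.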