Greetings...

On Tue, Oct 29, 2024 at 10:48 AM Slavko <linux@xxxxxxxxxx> wrote:
>
> On 29 October 2024 15:11:34 UTC, Matt Zagrabelny <mzagrabe@xxxxxxxxx> wrote:
>
> > ...but it is still dropping packets due to the CT.
>
> You first have to inspect what is filling your conntrack table:
>
> conntrack -L

I've waited a week to let the TCP streams in the conntrack table time out. I'm still seeing the kernel drop packets:

# tail -f /var/log/kern.log
Nov 6 11:29:02 netadm kernel: [48773744.961053] nf_conntrack: table full, dropping packet.

...and confirmed with /proc:

# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
65536

...but there aren't that many flows in the conntrack table, and none in the expect table.

# conntrack -L > /dev/null
conntrack v1.2.1 (conntrack-tools): 22 flow entries have been shown.

# conntrack -L expect
conntrack v1.2.1 (conntrack-tools): 0 expectations have been shown.

Any idea where to find what is still causing the kernel to drop packets?

I still need to handle the INVALID state, but here is my current rule-set:

# Generated by iptables-save v1.4.14 on Wed Nov 6 11:40:00 2024
*raw
:PREROUTING ACCEPT [559078817:46637850935]
:OUTPUT ACCEPT [539455981:114717831525]
[311121010:22258566347] -A PREROUTING -p udp -m udp --dport 53 -j CT --notrack
[82158007:15791189816] -A PREROUTING -p udp -m udp --sport 53 -j CT --notrack
[160638557:7854716900] -A PREROUTING -p tcp -m tcp --dport 53 -j CT --notrack
[55174:13694242] -A PREROUTING -p tcp -m tcp --sport 53 -j CT --notrack
[82898530:7187312985] -A OUTPUT -p udp -m udp --dport 53 -j CT --notrack
[310815684:92319143568] -A OUTPUT -p udp -m udp --sport 53 -j CT --notrack
[81356:4991618] -A OUTPUT -p tcp -m tcp --dport 53 -j CT --notrack
[134221259:13321766219] -A OUTPUT -p tcp -m tcp --sport 53 -j CT --notrack
COMMIT
# Completed on Wed Nov 6 11:40:00 2024
# Generated by iptables-save v1.4.14 on Wed Nov 6 11:40:00 2024
*nat
:PREROUTING ACCEPT [2196269:120347484]
:INPUT ACCEPT [1191964:55756667]
:OUTPUT ACCEPT [43401:4029238]
:POSTROUTING ACCEPT [43401:4029238]
COMMIT
# Completed on Wed Nov 6 11:40:00 2024
# Generated by iptables-save v1.4.14 on Wed Nov 6 11:40:00 2024
*mangle
:PREROUTING ACCEPT [559078013:46637808723]
:INPUT ACCEPT [559078013:46637808723]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [539456018:114717838594]
:POSTROUTING ACCEPT [539456018:114717838594]
COMMIT
# Completed on Wed Nov 6 11:40:00 2024
# Generated by iptables-save v1.4.14 on Wed Nov 6 11:40:00 2024
*filter
:INPUT DROP [1028561:66625259]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [539455943:114717822181]
[555959622:46411126809] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
[158:11928] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -s 10.101.0.0/16 -p icmp -j ACCEPT
[1283248:91447747] -A INPUT -s 10.212.0.0/16 -p icmp -j ACCEPT
[0:0] -A INPUT -s 10.84.0.0/16 -p icmp -j ACCEPT
[23101:2217696] -A INPUT -s 10.57.0.0/16 -p icmp -j ACCEPT
[0:0] -A INPUT -s 10.94.0.0/16 -p icmp -j ACCEPT
[0:0] -A INPUT -s 127.0.0.0/8 -p icmp -j ACCEPT
[767154:60545933] -A INPUT -s 10.0.0.0/8 -p icmp -j ACCEPT
[0:0] -A INPUT -s 172.16.0.0/12 -p icmp -j ACCEPT
[12243:5597503] -A INPUT -s 192.168.0.0/16 -p icmp -j ACCEPT
[0:0] -A INPUT -s 100.64.0.0/10 -p icmp -j ACCEPT
[3:243] -A INPUT -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -s 10.212.109.49/32 -p tcp -m tcp --dport 8139 -j ACCEPT
[3888:233280] -A INPUT -s 10.212.0.0/17 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -s 10.212.128.0/18 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -s 10.212.192.0/19 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -s 172.16.0.0/12 -p tcp -m tcp --dport 22 -j ACCEPT
[8:416] -A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -s 100.72.0.0/15 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -s 10.94.202.160/27 -p icmp -j ACCEPT
COMMIT
# Completed on Wed Nov 6 11:40:00 2024

Thanks for any help!

-m
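An added shell helper for the diagnosis discussed in this thread (example code, not from the poster or from conntrack-tools): it summarises `conntrack -L` output by protocol/state and by source address, and compares the number of listed entries with the kernel's own count and limit. It assumes the generic sysctl paths /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max (the thread uses the legacy ip_conntrack_count alias); the sample table is constructed, and the 100-entry mismatch margin is an arbitrary choice.

```sh
#!/bin/sh
# Added example (not from the thread): summarise a conntrack table and
# compare what `conntrack -L` lists with the kernel's own counters.

# Constructed sample in `conntrack -L` output format; not data from the thread.
SAMPLE='tcp      6 431999 ESTABLISHED src=10.212.1.5 dst=10.212.109.49 sport=50000 dport=8139 src=10.212.109.49 dst=10.212.1.5 sport=8139 dport=50000 [ASSURED] mark=0 use=1
tcp      6 113 TIME_WAIT src=10.212.1.5 dst=10.212.109.49 sport=50001 dport=8139 src=10.212.109.49 dst=10.212.1.5 sport=8139 dport=50001 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=10.212.1.5 dst=10.212.109.49 sport=50002 dport=8139 src=10.212.109.49 dst=10.212.1.5 sport=8139 dport=50002 [ASSURED] mark=0 use=1
udp      17 29 src=10.101.2.3 dst=10.212.0.1 sport=40000 dport=123 src=10.212.0.1 dst=10.101.2.3 sport=123 dport=40000 mark=0 use=1
icmp     1 29 src=10.84.0.9 dst=10.212.0.1 type=8 code=0 id=1234 src=10.212.0.1 dst=10.84.0.9 type=0 code=0 id=1234 mark=0 use=1'

# Entries per "proto state" (udp/icmp have no state column, so the key is just proto).
summarize_by_state() {
    awk '{ key = $1; if ($4 ~ /^[A-Z_]+$/) key = key " " $4; n[key]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Entries per original-direction source address (first src= field of each line).
top_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { n[substr($i, 5)]++; break } }
         END { for (a in n) print n[a], a }' | sort -rn
}

# Verdict from listed entries vs. kernel count and max:
#   full     - count has reached max, the state in which "table full" is logged
#   mismatch - listing and counter differ by more than an arbitrary 100-entry margin
#   ok       - otherwise
classify() {
    listed=$1; count=$2; max=$3
    if [ "$count" -ge "$max" ]; then echo full
    elif [ $((count - listed)) -gt 100 ] || [ $((listed - count)) -gt 100 ]; then echo mismatch
    else echo ok; fi
}

# Live report (run as root); sysctl paths are the generic nf_conntrack locations.
report() {
    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
    table=$(conntrack -L 2>/dev/null)
    listed=$(printf '%s\n' "$table" | awk 'NF { n++ } END { print n + 0 }')
    echo "count=$count max=$max listed=$listed verdict=$(classify "$listed" "$count" "$max")"
    printf '%s\n' "$table" | summarize_by_state
    printf '%s\n' "$table" | top_sources | head -n 10
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | summarize_by_state
printf '%s\n' "$SAMPLE" | top_sources
```

With the thread's figures (22 listed, count 65536, max 65536) `classify` reports `full`; a large gap between the listing and the counter is itself the thing to chase, since the counter is what the kernel enforces.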