Iptables conntrack table is full and leads to slow access to the site

Symptom: access to the website suddenly became very slow, while the server's CPU, memory and disk usage were all normal.

Analysis and solution: checking /var/log/messages turned up repeated entries of `ip_conntrack: table full, dropping packet`. The kernel's ip_conntrack module records the state of every network packet handled by iptables and stores it in a table kept in memory. When the network is busy (many connections, high concurrency), this table gradually fills up. Normally it is not easy to fill and entries get cleaned up: a record stays in the table until the source IP sends a RST packet. But under attack, with a misconfigured network, a faulty route or router, or a faulty network card, the source's RST packet never arrives, so records accumulate until the table is full. Once it is full, iptables drops packets and clients can no longer connect to the server.

Solution: when iptables starts, the ip_conntrack module logs the current number of hash buckets, the conntrack_max value, and how much memory each tracked connection consumes:



In other words, 304MB of memory supports 1048576 tracked connection records, so the value has to be chosen to fit the server's memory size.

Permanently modify ip_conntrack_max and hashsize

1) Increase ip_conntrack_max (set it to 2^20; the default is 2^16 = 65536)

vi /etc/sysctl.conf

net.ipv4.ip_conntrack_max = 1048576

2) Increase hashsize (HASHSIZE = CONNTRACK_MAX / 8 on the i386 architecture)

vi /etc/modprobe.conf

options ip_conntrack hashsize=131072

Then restart the iptables service. You can confirm in /var/log/messages that the new parameters have taken effect:

service iptables restart
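As an added example that is not part of the original post, the following shell script wraps the sizing arithmetic above (memory = bytes per conntrack × ip_conntrack_max, hashsize = conntrack_max / 8) together with a usage check a practitioner would run before the table fills and packets start being dropped. The count/max file paths default to the nf_conntrack locations used by current kernels, the 80% warning threshold is an assumption, and the values written to the temporary files are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): size the conntrack table and
# check how full it is before "table full, dropping packet" appears in the log.

# Memory used by the table in MB. $1 = bytes per conntrack entry (the figure
# the kernel prints as "... bytes per conntrack"), $2 = ip_conntrack_max.
conntrack_mem_mb() {
    echo $(( $1 * $2 / 1024 / 1024 ))
}

# hashsize rule of thumb from the post: CONNTRACK_MAX / 8.
hashsize_for() {
    echo $(( $1 / 8 ))
}

# Percentage of the table in use, read from the given count and max files.
# Defaults (assumed) are the nf_conntrack paths on current kernels; legacy
# kernels expose /proc/sys/net/ipv4/netfilter/ip_conntrack_count and _max.
conntrack_usage_pct() {
    count_file=${1:-/proc/sys/net/netfilter/nf_conntrack_count}
    max_file=${2:-/proc/sys/net/netfilter/nf_conntrack_max}
    [ -r "$count_file" ] && [ -r "$max_file" ] || return 1
    count=$(cat "$count_file")
    max=$(cat "$max_file")
    echo $(( count * 100 / max ))
}

# Returns 0 (true) when usage is at or above the threshold (default 80%),
# 1 when below, 2 when the files cannot be read.
conntrack_near_full() {
    pct=$(conntrack_usage_pct "$1" "$2") || return 2
    [ "$pct" -ge "${3:-80}" ]
}

# Demonstration on constructed sample values, not real host data.
tmp=$(mktemp -d)
echo 61000 > "$tmp/count"   # constructed: 61000 tracked connections
echo 65536 > "$tmp/max"     # constructed: the 2^16 default limit
echo "conntrack table usage: $(conntrack_usage_pct "$tmp/count" "$tmp/max")%"
if conntrack_near_full "$tmp/count" "$tmp/max"; then
    echo "WARNING: conntrack table nearly full; raise ip_conntrack_max and hashsize"
fi
echo "1048576 entries at 304 bytes each = $(conntrack_mem_mb 304 1048576) MB," \
     "hashsize = $(hashsize_for 1048576)"
rm -rf "$tmp"
```

Run it without arguments on a live host to read the real counters; the sample prints 93% usage and confirms the post's numbers (1048576 entries at 304 bytes is 304 MB, hashsize 131072). On kernels that ship nf_conntrack rather than ip_conntrack, the corresponding settings are net.netfilter.nf_conntrack_max in sysctl and the hashsize module parameter of nf_conntrack, exposed at /sys/module/nf_conntrack/parameters/hashsize.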