The following lines appeared in the system log /var/log/messages:

Jan 31 16:46:41 ahmobileblivemedia02 kernel: nf_conntrack: table full, dropping packet.
Jan 31 16:46:41 ahmobileblivemedia02 kernel: nf_conntrack: table full, dropping packet.
Jan 31 16:46:41 ahmobileblivemedia02 kernel: nf_conntrack: table full, dropping packet.
Jan 31 16:46:41 ahmobileblivemedia02 kernel: nf_conntrack: table full, dropping packet.
Jan 31 16:46:41 ahmobileblivemedia02 kernel: nf_conntrack: table full, dropping packet.

Checking the kernel parameters shows that nf_conntrack_max is set too low:

sysctl -a | grep nf_conntrack_max
net.netfilter.nf_conntrack_max = 65536
net.nf_conntrack_max = 65536

Edit /etc/sysctl.conf and add the following:

net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
# The following settings are optional
#net.ipv4.tcp_tw_reuse = 1
#net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_timestamps = 1
#net.ipv4.tcp_syncookies = 1

After adding these lines, run: sysctl -p
When the settings do not take effect

After the firewall is restarted, the settings from /etc/sysctl.conf are no longer in effect.

If sysctl -a | grep nf_conntrack_max shows a value that differs from the one configured in /etc/sysctl.conf, it means sysctl -p was not run after iptables was restarted. In that case, simply run sysctl -p again; there is no need to modify /etc/sysctl.conf.
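As an added example (not part of the original post), a small POSIX shell script that counts the "table full" events in a log and performs the drift check described above: it reads nf_conntrack_max from a sysctl.conf-style file and compares it with the running value. The log lines and config file are constructed, and the running value 65536 is passed in to simulate the post's failure case.

```shell
#!/bin/sh
# Added example, not from the original post: spot "table full" events in a log
# and detect the drift the post describes (running nf_conntrack_max differs from
# the value in sysctl.conf after an iptables restart, so sysctl -p was not re-run).

# Count conntrack table-full events in a log file ($1).
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' "$1" || true
}

# Value of key $2 in sysctl.conf-style file $1 (comment lines ignored, last match wins).
configured_value() {
    grep -v '^[[:space:]]*#' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" \
      | tail -n 1
}

# Running value on a real host; prints 0 if the nf_conntrack module is not loaded.
running_value() {
    cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null || echo 0
}

# Compare running ($1) with configured ($2): status 0 = ok, 1 = not configured, 2 = drift.
# Note: every conntrack entry costs kernel memory, so size nf_conntrack_max to the host's RAM.
check_drift() {
    [ -n "$2" ] || { echo "nf_conntrack_max is not set in sysctl.conf"; return 1; }
    [ "$1" -eq "$2" ] && { echo "ok: nf_conntrack_max=$1"; return 0; }
    echo "drift: running=$1 configured=$2 -> run 'sysctl -p'"
    return 2
}

# --- constructed sample input (not real host data) ---
TMP=$(mktemp -d)
LOG="$TMP/messages"; CONF="$TMP/sysctl.conf"
cat >"$LOG" <<'EOF'
Jan 31 16:46:41 host01 kernel: nf_conntrack: table full, dropping packet.
Jan 31 16:46:41 host01 kernel: nf_conntrack: table full, dropping packet.
Jan 31 16:46:42 host01 sshd[1234]: Accepted publickey for admin
EOF
cat >"$CONF" <<'EOF'
# conntrack sizing
net.netfilter.nf_conntrack_max = 25000000
EOF

echo "table-full events: $(count_table_full "$LOG")"
# Simulate the post's failure case: the kernel default 65536 is still in effect.
check_drift 65536 "$(configured_value "$CONF" net.netfilter.nf_conntrack_max)" || true
```

On a real host, replace the literal 65536 with "$(running_value)" and point CONF at /etc/sysctl.conf.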
This article is from the "智能化未来_XFICC" blog; please keep this attribution: http://xficc.blog.51cto.com/1189288/1812428
Original: http://xficc.blog.51cto.com/1189288/1812428