TIPS NF Conntrack error / iptables

bobmats

CentOS 6.6
PBX in a Flash
Incredible PBX 11 / FreePBX 11

Added 3 trunks and 2 extensions.
Now added 6 more trunks and 10 more extensions.
An FQDN has been set up for the extensions, not for the trunks; the trunks seem to work fine without adding their IPs to iptables.

The problem I have now is that I get the following error messages on my VPS:

Dec 23 20:10:03 vps48xxx kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Dec 23 20:10:03 vps48xxx kernel: nf_conntrack version 0.5.0 (6779 buckets, 27116 max)
Dec 23 20:14:01 vps48xxx kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Dec 23 20:14:01 vps48xxx kernel: nf_conntrack version 0.5.0 (6779 buckets, 27116 max)
Dec 23 20:26:04 vps48xxx kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Dec 23 20:26:04 vps4xxx kernel: nf_conntrack version 0.5.0 (6779 buckets, 27116 max)
Dec 23 20:30:40 vps4xxx kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Dec 23 20:30:40 vps4xxx kernel: nf_conntrack version 0.5.0 (6779 buckets, 27116 max)

This causes the machine almost to hang; FreePBX does not respond.

Any idea what this could be and how it can be solved?
 
You obviously have a lot of connections to the server that iptables is trying to keep track of, and you are exceeding the set limits. Interestingly, they are set lower than the defaults on a CentOS 6.5 server I have here. That your server is named vpsxxxxx indicates to me that you are using a VPS, and the limit might be there for a reason. You can use sysctl to raise the connection-tracking values that iptables is using.

Edit /etc/sysctl.conf.
At the bottom, add a couple of lines like:
net.netfilter.nf_conntrack_max = 65536
net.netfilter.nf_conntrack_buckets = 16384
Run sysctl -p to load the new settings.
 
This is what I was looking for; added it.
Only problem: the buckets entry creates the following message: error: permission denied on key 'net.netfilter.nf.conntrack_buckets'

The max value did work.

Connections: 10 to 12 extensions
16 trunks
I guess these are not that many extensions.

Did also find the info below and used that to add some more values.
Hope this will work.

http://www.mwclearning.com/?p=1506

Making the changes in a persistent fashion, RHEL 6 examples:
# 2: Increase number of connections
echo "net.netfilter.nf_conntrack_max = 786432" >> /etc/sysctl.conf
echo "net.netfilter.nf_conntrack_buckets = 196608" >> /etc/sysctl.conf
# Increase number of buckets to change ratio from 1:8 to 1:4 (more memory use but better performance)
echo 'echo "196608" > /sys/module/nf_conntrack/parameters/hashsize' >> /etc/rc.local
# 3: Alter timeout values
# Generic timeout from 10 mins to 1 min
echo "net.netfilter.nf_conntrack_generic_timeout = 60" >> /etc/sysctl.conf
# Change unacknowledged timeout to 30 seconds (from 10 mins)
echo "net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 30" >> /etc/sysctl.conf
# Change established connection timeout to 1 hour (from 10 days)
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
These changes will persist on reboot.
To apply changes without reboot run the following:
sysctl -p
echo "196608" > /sys/module/nf_conntrack/parameters/hashsize
To review changes:
sysctl -a | grep conntrack
 
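An added example, not code from this thread or from PBX in a Flash / FreePBX: a small POSIX shell script that reads the live counters the posts above are tuning (nf_conntrack_count against nf_conntrack_max), reports how much headroom is left, and writes the keys from the sysctl advice and the quoted mwclearning snippet into a sysctl.conf-style file by replacing or appending lines rather than truncating the file. The /proc and /sys paths are the real kernel interfaces; the function names, the 80% warning threshold and the 1:4 entries-per-bucket default are assumptions of this example (the ratio follows the quoted snippet). On the 2.6.32 kernel CentOS 6 ships, net.netfilter.nf_conntrack_buckets is read-only through sysctl, which is why the hash size is set through the module parameter instead.

```shell
#!/bin/sh
# Added example, not from the thread or from PBX in a Flash / FreePBX.
# Reads the live conntrack counters, reports headroom against
# nf_conntrack_max, and persists the sysctl keys by replacing or appending
# lines (never truncating the file). The /proc and /sys paths are the real
# kernel interfaces; the function names, the 80% threshold and the 1:4
# bucket ratio default are this example's own assumptions.

# Percentage of the table in use: usage_pct COUNT MAX (integer math).
usage_pct() {
    [ "$2" -gt 0 ] || { echo 0; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# Hash buckets for a given max and entries-per-bucket ratio
# (the quoted mwclearning snippet uses 1:4): buckets_for MAX RATIO
buckets_for() {
    echo $(( $1 / $2 ))
}

# Print the current state of the table; return 1 if above the threshold or
# if nf_conntrack is not loaded. When the table really fills up, the kernel
# logs "nf_conntrack: table full, dropping packet".
conntrack_status() {
    dir=/proc/sys/net/netfilter
    if [ ! -r "$dir/nf_conntrack_count" ]; then
        echo "nf_conntrack not loaded" >&2
        return 1
    fi
    count=$(cat "$dir/nf_conntrack_count")
    max=$(cat "$dir/nf_conntrack_max")
    pct=$(usage_pct "$count" "$max")
    hashsize=$(cat /sys/module/nf_conntrack/parameters/hashsize)
    echo "conntrack: $count / $max entries ($pct% used), hashsize $hashsize"
    [ "$pct" -lt 80 ]
}

# set_sysctl_line FILE KEY VALUE: replace an existing "KEY = ..." line or
# append one. A single '>' (as in the snippet quoted above, before it was
# corrected) would wipe the whole file and every other setting in it.
set_sysctl_line() {
    file=$1 key=$2 value=$3
    : >> "$file"                      # create if missing, never truncate
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# write_conntrack_settings FILE MAX: persist the max and the timeout values
# from the thread. nf_conntrack_buckets is read-only via sysctl on the
# 2.6.32 kernel CentOS 6 ships, so the hash size goes through the module
# parameter instead; the line to put in /etc/rc.local is printed on stdout.
write_conntrack_settings() {
    file=$1 max=$2
    set_sysctl_line "$file" net.netfilter.nf_conntrack_max "$max"
    set_sysctl_line "$file" net.netfilter.nf_conntrack_generic_timeout 60
    set_sysctl_line "$file" net.netfilter.nf_conntrack_tcp_timeout_unacknowledged 30
    set_sysctl_line "$file" net.netfilter.nf_conntrack_tcp_timeout_established 3600
    echo "echo $(buckets_for "$max" 4) > /sys/module/nf_conntrack/parameters/hashsize"
}

# Usage (as root on the PBX):
#   sh conntrack_check.sh status
#   sh conntrack_check.sh write /etc/sysctl.conf 65536 && sysctl -p
case "${1:-}" in
    status) conntrack_status ;;
    write)  write_conntrack_settings "$2" "$3" ;;
esac
```

Run `status` before and after raising the limit: the count versus max is the number the kernel actually enforces, and the timeouts are what decide how fast stale entries leave the table. `write` is safe to rerun, since a second run updates the existing lines instead of adding duplicates; `sysctl -p` then reloads the file, and the printed hashsize line still has to be run by hand or from /etc/rc.local.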
Good to hear things are working.

This is what I was looking for, added it.
Only problem the buckets entry creates the following message: error: permission denied on key 'net.netfilter.nf.conntrack_buckets'

Not sure if you typoed it here or in your config file, but there's supposed to be an underscore in nf_conntrack.
 