Iptable ip_conntrack table set-up and tunning for high load UDP traffic

If you run a busy DNS server or any other service that uses a lot of UDP traffic, it’s possible that your default Iptable conntrack sessions (connection tracking entries in kernel memory) settings are too low and netfilter is unable to track all your sessions.

The error is usually something like this:

Sep 20 11:53:44 hostname01 kernel: ip_conntrack: table full, dropping packet.

You need to tune sysctl net.ipv4.ip_conntrack_max value, let’s say increase it twice or more times and see if you still get the error messages on the console or syslog.

Depending on your OS, the formula for calculating the maximum number of conntrack sessions your box can handle is as follows:

The size of each session record really depends on the kernel config and many other compile options. For 2.6.* kernels it is around 300 bytes.

You can also easily check out the current usage of connection tracking

wc -l /proc/net/ip_conntrack

Default sysctl settings for Red Hat Enterprise boxes, possible the same applies for Fedora and Centos.

net.ipv4.netfilter.ip_conntrack_tcp_max_retrans = 3
net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 0
net.ipv4.netfilter.ip_conntrack_tcp_loose = 3
net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 300
net.ipv4.netfilter.ip_conntrack_log_invalid = 0
net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.netfilter.ip_conntrack_checksum = 1
net.ipv4.netfilter.ip_conntrack_buckets = 8192
net.ipv4.netfilter.ip_conntrack_count = 18988
net.ipv4.netfilter.ip_conntrack_max = 34576

You can decrease the net.ipv4.netfilter.ip_conntrack_tcp_timeout_established, by half, at least.

sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=216000

I hope this helps you with your Linux server network stack tunning. Good luck!


  1. Linux says:

    300 bytes per connection would be something like

    100 connections = 30,000 bytes 29.29Kbytes
    10,000 connections = 2900Kbytes or around 2.8MB

Leave a Reply