nf_conntrack: table full, dropping packet

Discussion in 'Security' started by crshep, Jan 7, 2015.

  1. crshep

    crshep Well-Known Member

    What is this and how do I stop it? It is really messing with the VPS. This is only part of it; my logs have had tons of these lines for the past few days.

    Code:
    Jan  7 14:06:46 server1 kernel: __ratelimit: 3573 callbacks suppressed
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:46 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: __ratelimit: 3245 callbacks suppressed
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:52 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: __ratelimit: 3260 callbacks suppressed
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.
    Jan  7 14:06:57 server1 kernel: nf_conntrack: table full, dropping packet.


    Thanks
     
  2. 24x7server

    24x7server Well-Known Member

    Hello,

    I think there is a DDoS attack on your server and your iptables connection_table is full. You will have to increase it with the following command.

    Code:
    sysctl -w net.netfilter.nf_conntrack_max=141072
     
  3. 24x7ss

    24x7ss Well-Known Member

    The above error shows that the connection tracking table is full. There are no security implications on the server. You can increase the value in the kernel modules by using the commands below:

    Code:
    sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=55000
    sysctl -w net.netfilter.nf_conntrack_generic_timeout=60
    sysctl -w net.ipv4.netfilter.ip_conntrack_max=<more than currently set>

    Also, install the csf firewall or any DDoS application to protect the server from attack.
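
Added example (not part of any post in this thread): before raising `nf_conntrack_max`, it helps to see how full the table is and which sources and TCP states fill it. The script assumes the `/proc/net/nf_conntrack` line format; the function names are hypothetical, and it falls back to a constructed sample table with documentation addresses when the live files are not readable.

```shell
#!/bin/sh
# Added example: how full is the conntrack table, and what fills it?
# Live kernel files are used when readable (usually needs root);
# otherwise the constructed sample below is used.

# Percent of the table in use: conntrack_usage COUNT MAX
conntrack_usage() {
    [ "$2" -gt 0 ] || { echo 0; return; }
    echo $(( $1 * 100 / $2 ))
}

# Entries per original-direction source address, busiest first.
# stdin: lines in /proc/net/nf_conntrack format; $1: rows to show (default 5)
top_sources() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^src=/) { c[substr($i, 5)]++; break } }
         END { for (s in c) print c[s], s }' |
        sort -k1,1nr -k2,2 | head -n "${1:-5}"
}

# Entries per TCP state (field 6 of tcp lines), most common first.
tcp_states() {
    awk '$3 == "tcp" { c[$6]++ } END { for (s in c) print c[s], s }' |
        sort -k1,1nr -k2,2
}

# Constructed sample table (documentation addresses, not from the thread).
sample_table() {
    cat <<'EOF'
ipv4     2 tcp      6 58 SYN_RECV src=203.0.113.10 dst=192.0.2.1 sport=40001 dport=80 src=192.0.2.1 dst=203.0.113.10 sport=80 dport=40001 mark=0 use=2
ipv4     2 tcp      6 57 SYN_RECV src=203.0.113.10 dst=192.0.2.1 sport=40002 dport=80 src=192.0.2.1 dst=203.0.113.10 sport=80 dport=40002 mark=0 use=2
ipv4     2 tcp      6 57 SYN_RECV src=203.0.113.10 dst=192.0.2.1 sport=40003 dport=80 src=192.0.2.1 dst=203.0.113.10 sport=80 dport=40003 mark=0 use=2
ipv4     2 tcp      6 56 SYN_RECV src=203.0.113.10 dst=192.0.2.1 sport=40004 dport=80 src=192.0.2.1 dst=203.0.113.10 sport=80 dport=40004 mark=0 use=2
ipv4     2 tcp      6 431990 ESTABLISHED src=198.51.100.7 dst=192.0.2.1 sport=51000 dport=443 src=192.0.2.1 dst=198.51.100.7 sport=443 dport=51000 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431200 ESTABLISHED src=198.51.100.7 dst=192.0.2.1 sport=51001 dport=443 src=192.0.2.1 dst=198.51.100.7 sport=443 dport=51001 [ASSURED] mark=0 use=2
ipv4     2 udp      17 25 src=198.51.100.9 dst=192.0.2.1 sport=5353 dport=53 src=192.0.2.1 dst=198.51.100.9 sport=53 dport=5353 mark=0 use=2
EOF
}

dir=/proc/sys/net/netfilter
if [ -r /proc/net/nf_conntrack ] && [ -r "$dir/nf_conntrack_count" ]; then
    dump() { cat /proc/net/nf_conntrack; }
    count=$(cat "$dir/nf_conntrack_count"); max=$(cat "$dir/nf_conntrack_max")
else
    dump() { sample_table; }; count=7; max=8   # constructed values
fi
echo "conntrack: $count/$max entries ($(conntrack_usage "$count" "$max")% used)"
echo "top sources:"; dump | top_sources 3
echo "tcp states:";  dump | tcp_states
```

If one or two sources or a single half-open state account for most entries, a larger table will fill up again under the same traffic; if entries are spread across many ordinary ESTABLISHED connections, the limit or the timeouts are simply too small for the load.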
     
  4. crshep

    crshep Well-Known Member

    Thanks, I'll look into changing the size, but CSF is installed on the server. I guess I should have stated that in my post, sorry.
     