Scenario:
/var/log/messages on the web server shows the following:
```
Jun 24 00:34:18 buf486 kernel: nf_conntrack: table full, dropping packet.
Jun 24 00:34:18 buf486 kernel: nf_conntrack: table full, dropping packet.
Jun 24 00:34:18 buf486 kernel: nf_conntrack: table full, dropping packet.
Jun 24 00:34:18 buf486 kernel: nf_conntrack: table full, dropping packet.
Jun 24 00:34:18 buf486 kernel: nf_conntrack: table full, dropping packet.
Jun 24 00:34:18 buf486 kernel: nf_conntrack: table full, dropping packet.
Jun 24 00:34:18 buf486 kernel: nf_conntrack: table full, dropping packet.
Jun 24 00:34:18 buf486 kernel: nf_conntrack: table full, dropping packet.
Jun 24 00:34:18 buf486 kernel: nf_conntrack: table full, dropping packet.
```
Solution:
Add the following two lines to /etc/sysctl.conf:
```
#for nf_conntrack: table full, dropping packet
net.netfilter.nf_conntrack_tcp_timeout_established=600
net.netfilter.nf_conntrack_max=655360
```
Then run `sysctl -p` and the change takes effect immediately.
Two points need particular attention here:
1: Check whether the firewall contains a rule such as
```
-A INPUT -i em1 -s *.*.*.* -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
```
If there are rules very much like this one (that is, containing -m state and -m tcp), remove the -m state and -m tcp parts.
2: If the firewall is restarted,
the net.netfilter.nf_conntrack_max value reverts to the system's initial default. You must then run `sysctl -p` again so that it is set back to the value we adjusted,
and the problem is resolved!
## Pay particular attention to these last two points; technology is very often about the details!
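As an added example (not from the original post), the following POSIX sh helpers count the "table full" drops in log text, report how full the conntrack table is relative to nf_conntrack_max, and read the two settings back out of a sysctl.conf fragment so you can confirm they survived a firewall restart plus `sysctl -p`. The sample log lines and sysctl fragment are constructed; the `/proc/sys/net/netfilter/nf_conntrack_count` and `nf_conntrack_max` paths are real kernel files.

```shell
#!/bin/sh
# Added example, not from the original post: helpers to detect the
# "nf_conntrack: table full" condition and to verify the sysctl fix.

# Constructed sample of /var/log/messages lines (hostname and times are made up).
SAMPLE_LOG='Jun 24 00:34:18 buf486 kernel: nf_conntrack: table full, dropping packet.
Jun 24 00:34:18 buf486 kernel: nf_conntrack: table full, dropping packet.
Jun 24 00:34:19 buf486 sshd[2231]: Accepted publickey for admin from 10.0.0.5 port 51234
Jun 24 00:34:20 buf486 kernel: nf_conntrack: table full, dropping packet.'

# Constructed /etc/sysctl.conf fragment with the two lines the fix adds.
SAMPLE_SYSCTL='#for nf_conntrack: table full, dropping packet
net.netfilter.nf_conntrack_tcp_timeout_established=600
net.netfilter.nf_conntrack_max=655360'

# count_table_full: number of conntrack drop messages in the log text on stdin.
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet'
}

# conntrack_usage_pct COUNT MAX: integer percentage of the table in use.
# On a live host read COUNT from /proc/sys/net/netfilter/nf_conntrack_count
# and MAX from /proc/sys/net/netfilter/nf_conntrack_max.
conntrack_usage_pct() {
    [ "$2" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# check_conntrack COUNT MAX [THRESHOLD]: prints "WARN nn%" (status 1) when usage
# reaches THRESHOLD (default 80), otherwise "OK nn%"; suitable for a cron job.
check_conntrack() {
    pct=$(conntrack_usage_pct "$1" "$2")
    if [ "$pct" -ge "${3:-80}" ]; then echo "WARN ${pct}%"; return 1; fi
    echo "OK ${pct}%"
}

# sysctl_conf_value KEY: value of KEY in sysctl.conf text on stdin (last one wins),
# used to confirm the setting is persisted before relying on sysctl -p.
sysctl_conf_value() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# Stand-alone run on the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | count_table_full
check_conntrack 600000 "$(printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_conf_value net.netfilter.nf_conntrack_max)" || true
```

On a live host, replace the sample values with `$(cat /proc/sys/net/netfilter/nf_conntrack_count)` and `$(cat /proc/sys/net/netfilter/nf_conntrack_max)`, and feed `sysctl_conf_value` with `/etc/sysctl.conf`.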