Tuning nf_conntrack

In this article I will give an example of optimizing the parameters of nf_conntrack for a high-loaded NAT server.

First, we will look at the current and maximum number of monitored connections (the maximum is usually 524288):

/sbin/sysctl net.netfilter.nf_conntrack_count
/sbin/sysctl net.netfilter.nf_conntrack_max

Increase the maximum value and hashsize (I usually have hashsize=nf_conntrack_max/8):

/sbin/sysctl -w net.netfilter.nf_conntrack_max=4194304
echo 524288 > /sys/module/nf_conntrack/parameters/hashsize

To prevent the change from being reset after a system restart, specify in /etc/sysctl.conf:

net.netfilter.nf_conntrack_max = 4194304

And also hashsize in /etc/rc.local:

echo 524288 > /sys/module/nf_conntrack/parameters/hashsize

Now let’s see the current timeout values:

sysctl -a | grep conntrack | grep timeout

The default values are usually:

net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000 # 5days
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180

On high-load servers, it is desirable to slightly reduce the timeout values, especially during DDOS attacks, or disable nf_conntrack if it is not needed and the server is not used for NAT, for example, change some timeout to such values (I left the uncommented lines unchanged):

net.netfilter.nf_conntrack_generic_timeout=60
net.netfilter.nf_conntrack_icmp_timeout=10
#net.netfilter.nf_conntrack_tcp_timeout_close=10
net.netfilter.nf_conntrack_tcp_timeout_close_wait=20
net.netfilter.nf_conntrack_tcp_timeout_established=1800
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=30
#net.netfilter.nf_conntrack_tcp_timeout_last_ack=30
#net.netfilter.nf_conntrack_tcp_timeout_max_retrans=300
net.netfilter.nf_conntrack_tcp_timeout_syn_recv=30
net.netfilter.nf_conntrack_tcp_timeout_syn_sent=60
net.netfilter.nf_conntrack_tcp_timeout_time_wait=60
#net.netfilter.nf_conntrack_tcp_timeout_unacknowledged=300
#net.netfilter.nf_conntrack_udp_timeout=30
net.netfilter.nf_conntrack_udp_timeout_stream=60

See also my articles:
Monitoring nf_conntrack in Zabbix
How to fix the error “nf_conntrack: table full, dropping package”
How to detect DDOS attacks
The script against DDOS attacks

Did my article help you? How about buying me a cup of coffee as an encouragement? Buy me a coffe.

Leave a comment

Leave a Reply