In this article I will give an example of optimizing the parameters of nf_conntrack for a high-loaded NAT server.
First, we will look at the current and maximum number of monitored connections (the maximum is usually 524288):
/sbin/sysctl net.netfilter.nf_conntrack_count
/sbin/sysctl net.netfilter.nf_conntrack_max
Increase the maximum value and hashsize (I usually have hashsize=nf_conntrack_max/8):
/sbin/sysctl -w net.netfilter.nf_conntrack_max=4194304
echo "524288" > /sys/module/nf_conntrack/parameters/hashsize
To prevent the change from being reset after a system restart, specify in /etc/sysctl.conf:
net.netfilter.nf_conntrack_max = 4194304
And also hashsize in /etc/rc.local:
echo "524288" > /sys/module/nf_conntrack/parameters/hashsize
Now let’s see the current timeout values:
sysctl -a | grep conntrack | grep timeout
The default values are usually:
net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000 # 5days
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
On high-load servers, it is desirable to slightly reduce the timeout values, especially during DDOS attacks, or disable nf_conntrack if it is not needed and the server is not used for NAT, for example, change some timeout to such values (I left the uncommented lines unchanged):
net.netfilter.nf_conntrack_generic_timeout=60
net.netfilter.nf_conntrack_icmp_timeout=10
#net.netfilter.nf_conntrack_tcp_timeout_close=10
net.netfilter.nf_conntrack_tcp_timeout_close_wait=20
net.netfilter.nf_conntrack_tcp_timeout_established=600
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=30
#net.netfilter.nf_conntrack_tcp_timeout_last_ack=30
#net.netfilter.nf_conntrack_tcp_timeout_max_retrans=300
net.netfilter.nf_conntrack_tcp_timeout_syn_recv=30
net.netfilter.nf_conntrack_tcp_timeout_syn_sent=60
net.netfilter.nf_conntrack_tcp_timeout_time_wait=60
#net.netfilter.nf_conntrack_tcp_timeout_unacknowledged=300
#net.netfilter.nf_conntrack_udp_timeout=30
net.netfilter.nf_conntrack_udp_timeout_stream=60
To apply the changes in the /etc/sysctl.conf file, run the command:
sysctl -p
More documentation:
https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt
See also my articles:
- Monitoring nf_conntrack in Zabbix
- How to disable conntrack on Linux
- Increase the port range net.ipv4.ip_local_port_range
- How to fix the error “nf_conntrack: table full, dropping package”
- Messages net_ratelimit: X callbacks suppressed
- Changing gc_thresh
- How to detect DDOS attacks
- The script against DDOS attacks