Server Administration & Management

How to increase IP_CONNTRACK value

The Linux Netfilter system (commonly known as the iptables firewall) includes a facility to track connections, provided by the ip_conntrack kernel module. The state of each connection is tracked to allow efficient traversal of the Netfilter firewall tables and to allow filtering based on the detailed state of a connection. You can temporarily increase the limit by echoing a higher value to the ip_conntrack_max file.

# echo 400000 > /proc/sys/net/ipv4/ip_conntrack_max

Please note that /proc is a virtual filesystem, so if you restart iptables or reboot the machine the value you set will be lost.
If you want to keep the ip_conntrack value permanently, add the ip_conntrack_max setting to the /etc/sysctl.conf file. Open /etc/sysctl.conf and add the following line:

# vi /etc/sysctl.conf

net.ipv4.ip_conntrack_max = CONNTRACK_MAX

Save the changes and quit the editor. Then execute the following command:

# sysctl -p

You can also do the same from the console:

# sysctl -w net.ipv4.ip_conntrack_max=CONNTRACK_MAX

# sysctl -p

To see the new value, execute the following command:

# sysctl -a | grep conntrack

net.ipv4.ip_conntrack_max = 34576
net.ipv4.netfilter.ip_conntrack_tcp_max_retrans = 3
net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 0

For servers with APF you need to add the entry in the /etc/apf/conf.apf configuration file instead. Locate the SYSCTL_CONNTRACK entry in /etc/apf/conf.apf and change its value. Restart APF once this is done. That’s it.

Another option is to add the following entry to the /etc/rc.d/rc.local file:

# echo 400000 > /proc/sys/net/ipv4/ip_conntrack_max

July 23, 2011 | Tips & Tricks, Unix/Linux