
Updated: netfilter's Connection Tracking system (nf_conntrack)


Add what to do with a lot of UNREPLIED entries

Changes

# What is netfilter's Connection Tracking system?

The [connection tracking system](https://wiki.nftables.org/wiki-nftables/index.php/Connection_Tracking_System), often referred to as `nf_conntrack`, is part of the Netfilter framework. It allows the Linux kernel to keep track of all logical network connections and sessions. In combination with `iptables` this feature is used to build a stateful firewall.

# Why care about `nf_conntrack`?

All tracked connections are stored in the connection tracking table. The size of the table is derived from the memory of the system. A node with 4 GB RAM will get a maximum table size of 64 KB.

On most systems the default settings are fine. However, if you're running a VM host with many virtual machines that each hold many connections, the connection tracking table can fill up. This can happen, for example, if you're running virtual load balancers on your VM hosts.

**If the table is full and new connections keep coming in, the kernel will start to drop packets.** You might not be able to establish new connections, and `dmesg` will output messages like:

```
2021-06-29T09:21:01,266251+02:00 nf_conntrack: nf_conntrack: table full, dropping packet
2021-06-29T09:21:01,267799+02:00 nf_conntrack: nf_conntrack: table full, dropping packet
2021-06-29T09:21:01,267806+02:00 nf_conntrack: nf_conntrack: table full, dropping packet
```

# Interact with `nf_conntrack`

It's possible to interact with `nf_conntrack` directly via the [/proc/sys/net/netfilter/nf_conntrack_* variables](https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt) or through a userspace tool like `conntrack`.

## Get the maximum size of the connection tracking table

```
$ cat /proc/sys/net/netfilter/nf_conntrack_max
```

## Get the size of the currently allocated flow entries

```
$ cat /proc/sys/net/netfilter/nf_conntrack_count
```

## Raise the connection tracking table size to 512 KB

```
$ sudo sysctl -w net.nf_conntrack_max=524288
```

**Attention:** If you're using Proxmox, the `sysctl` value will be restored after a short moment. Change the option `nf_conntrack_max` in the [host specific firewall configuration](https://pve.proxmox.com/wiki/Firewall) instead.

## List all connection tracking table entries

```
$ sudo conntrack -L
```
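Added example, not part of the original card: a small POSIX shell helper that turns the two `/proc` values above into a utilisation percentage usable as a monitoring check, and groups the `UNREPLIED` entries of `conntrack -L` output by source address, which is the inventory the next section asks for. The function names and the sample `conntrack -L` lines are constructed.

```shell
#!/bin/sh
# Added example (not part of the original card). Both helpers take their input
# explicitly, so they run against live data or against captured output.

# Print table utilisation in percent, rounded down.
# Usage: conntrack_usage_pct <nf_conntrack_count> <nf_conntrack_max>
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Succeed when utilisation is below the warning threshold (default 80 %),
# fail otherwise; convenient for a cron job or a monitoring check.
conntrack_below_threshold() {
    [ "$(conntrack_usage_pct "$1" "$2")" -lt "${3:-80}" ]
}

# Read `conntrack -L` output on stdin and print "<count> <source address>"
# for the UNREPLIED entries, most frequent first. Only the first src= field
# of each line (original direction) is counted, so the reply tuple is not
# double counted. Many entries from one source to many destinations is the
# pattern the card describes for a port scan.
unreplied_by_src() {
    grep 'UNREPLIED' | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^src=/) { split($i, kv, "="); n[kv[2]]++; break }
    } END { for (s in n) print n[s], s }' | sort -rn
}

# Live use (needs root):
#   conntrack_usage_pct "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" \
#                       "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"
#   sudo conntrack -L 2>/dev/null | unreplied_by_src | head

# Constructed sample of `conntrack -L` output (documentation addresses) so the
# helpers can be exercised offline.
SAMPLE_CONNTRACK='tcp      6 118 SYN_SENT src=203.0.113.9 dst=192.0.2.10 sport=51000 dport=22 [UNREPLIED] src=192.0.2.10 dst=203.0.113.9 sport=22 dport=51000 mark=0 use=1
tcp      6 118 SYN_SENT src=203.0.113.9 dst=192.0.2.11 sport=51001 dport=80 [UNREPLIED] src=192.0.2.11 dst=203.0.113.9 sport=80 dport=51001 mark=0 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.4 dst=192.0.2.10 sport=40000 dport=443 src=192.0.2.10 dst=198.51.100.4 sport=443 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=198.51.100.7 dst=192.0.2.53 sport=5353 dport=53 [UNREPLIED] src=192.0.2.53 dst=198.51.100.7 sport=53 dport=5353 mark=0 use=1'
```

Running `printf '%s\n' "$SAMPLE_CONNTRACK" | unreplied_by_src` lists `203.0.113.9` first with two entries, the one-source-many-destinations shape worth a closer look.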
## Check for temporary entries

Entries flagged `UNREPLIED` are temporary: they [will be deleted](https://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.17) as soon as the system runs out of connection tracking entries.
  • ```
  • $ sudo conntrack -L | grep 'UNREPLIED'
  • -```
  • +```
  • +
  • +Analyse why there are so many `UNREPLIED` entries in the conntrack table. E.g. if most of them come from the same IP address but there's different destination addresses, there might be a portscan in progress.
  • +
  • +After you have analysed or stored away the log, you should clean up unused entries to fix our monitoring, since these stale entries will not go away on their own and we won't see if another issue (e.g. an attack) will fill up our conntrack tables.
  • +
  • +Decide which option resolves the situation best with minimal impact on production:
  • +
  • +```shell
  • +$ sudo conntrack -D -s 49.12.3.247 # example: delete all conntrack table entries from portscan02-prod.makandra
  • +$ sudo conntrack -D --state UNREPLIED # delete all UNREPLIEID entries in the conntrack table
  • +$ sudo conntrack -F # flush the whole table. ATTENTION: This will kill all connections!
  • +```
  • +
  • +
  • +
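Review bot: the comment on the `--state UNREPLIED` line spells the flag `UNREPLIEID` while the command itself uses `UNREPLIED`; fix the comment, and, since `conntrack(8)` documents `--state` as the protocol state (TCP `SYN_SENT`, `ESTABLISHED`, ...) while `[UNREPLIED]` is printed as a status flag, confirm on the target version that `conntrack -D --state UNREPLIED` actually selects those entries before recommending it. The `-s 49.12.3.247` line embeds a specific address and hostname in a card that auto-destructs; a reserved documentation address would carry the same point without pinning a real host. The three trailing blank `+` lines can be dropped.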
Emma Heinle
License
Source code in this card is licensed under the MIT License.