Resolving nf_conntrack Table Full Packet Drops

Overview

The nf_conntrack table lives under /proc/net and is present only while the firewall (and with it connection tracking) is active. It records the state of every tracked connection for use by stateful firewall rules. To examine the table:
cat /proc/net/nf_conntrack
ipv4     2 tcp      6 86 TIME_WAIT src=10.16.104.60 dst=10.0.32.107 sport=36226 dport=22 src=10.0.32.107 dst=10.16.104.60 sport=22 dport=36226 [ASSURED] mark=0 zone=0 use=2

Solutions

1. Disable the Firewall
systemctl stop iptables
systemctl disable iptables
Important: While the firewall is disabled, do not run iptables commands (such as iptables -nL) to check its status. Doing so activates the firewall with an empty rule set, which still tracks every connection but filters nothing, wasting resources and potentially causing packet drops!
2. Kernel Parameter Optimization
2.1. Connection Tracking Table
The theoretical maximum for CONNTRACK_MAX is calculated as:
CONNTRACK_MAX = RAM_SIZE (in bytes) / 16384 / (ARCH / 32)
For a 64GB system (ARCH = 64, so ARCH / 32 = 2):
CONNTRACK_MAX = 64*1024*1024*1024 / 16384 / 2 = 2097152
Set this value with:
sysctl -w net.netfilter.nf_conntrack_max=2097152
2.2. Hash Table
The hash table is typically sized at 1/8 of the connection table, up to a maximum of 1/2:
CONNTRACK_BUCKETS = CONNTRACK_MAX / 8
For a 64GB system, the optimal hash size range is therefore 262144 to 1048576. Check the current value with:
sysctl net.netfilter.nf_conntrack_buckets
Set the value through:
echo 262144 > /sys/module/nf_conntrack/parameters/hashsize
Alternatively, create a new file /etc/modprobe.d/conntrack.conf and reload the module:
options nf_conntrack hashsize=262144
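The sizing formulas from 2.1 and 2.2, turned into a small script that also reports how close the live table is to filling up (an added example, not code from the original post). It assumes MemTotal from /proc/meminfo stands in for RAM_SIZE, getconf LONG_BIT gives ARCH, and the 80% warning threshold is a constructed value, not a kernel default.

```bash
#!/usr/bin/env bash
# Added example: conntrack sizing per the post's formulas plus a usage check.

# CONNTRACK_MAX = RAM_SIZE (bytes) / 16384 / (ARCH / 32)
conntrack_max() {
    local ram_bytes=$1 arch_bits=$2
    echo $(( ram_bytes / 16384 / (arch_bits / 32) ))
}

# CONNTRACK_BUCKETS = CONNTRACK_MAX / 8 (the post's 1/8 default; 1/2 is the ceiling)
conntrack_buckets() {
    echo $(( $1 / 8 ))
}

# Integer percentage of the table in use: nf_conntrack_count * 100 / nf_conntrack_max
conntrack_usage_pct() {
    local count=$1 max=$2
    echo $(( count * 100 / max ))
}

# Succeeds while usage is below the threshold (constructed default: 80%)
conntrack_healthy() {
    local count=$1 max=$2 threshold=${3:-80}
    [ "$(conntrack_usage_pct "$count" "$max")" -lt "$threshold" ]
}

main() {
    local ram_kb ram_bytes arch_bits rec_max count max
    ram_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null || echo 0)
    [ "$ram_kb" -gt 0 ] || { echo "cannot read MemTotal; skipping"; return 0; }
    ram_bytes=$(( ram_kb * 1024 ))
    arch_bits=$(getconf LONG_BIT 2>/dev/null || echo 64)   # assume 64-bit if unknown
    rec_max=$(conntrack_max "$ram_bytes" "$arch_bits")
    echo "recommended nf_conntrack_max: $rec_max"
    echo "recommended hashsize:        $(conntrack_buckets "$rec_max")"
    # The live counters exist only while the nf_conntrack module is loaded
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
        max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
        if conntrack_healthy "$count" "$max"; then
            echo "conntrack usage ${count}/${max} ($(conntrack_usage_pct "$count" "$max")%): OK"
        else
            echo "WARNING: conntrack usage ${count}/${max} above threshold; 'table full' drops likely"
        fi
    else
        echo "nf_conntrack not loaded; no live table to check"
    fi
}

[ -r /proc/meminfo ] && main "$@"
```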
2.3. Complete Parameter Set
net.nf_conntrack_max=1048576
net.netfilter.nf_conntrack_max=1048576
net.netfilter.nf_conntrack_tcp_timeout_close_wait=60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=120
net.netfilter.nf_conntrack_tcp_timeout_time_wait=120
net.netfilter.nf_conntrack_tcp_timeout_established=3600
3. Using Raw Tables
Mark selected traffic as untracked with the NOTRACK target. This approach suits desktop systems or servers with flexible requirements, since connection tracking stays in place for the rest of the external communication. Modify /etc/sysconfig/iptables:
# Raw table configuration
iptables -A FORWARD -m state --state UNTRACKED -j ACCEPT
iptables -t raw -A PREROUTING -p tcp -m multiport --dport 80,81,82 -j NOTRACK
iptables -t raw -A PREROUTING -p tcp -m multiport --sport 80,81,82 -j NOTRACK
4. Remove nf_conntrack Module
Disable tracking for all connections. This requires explicit rules for all incoming and outgoing traffic.
# Check loaded modules
lsmod | grep nf_conntrack

# Remove specific modules
modprobe -r xt_NOTRACK nf_conntrack_netbios_ns nf_conntrack_ipv4 xt_state

# Remove the main nf_conntrack module
modprobe -r nf_conntrack

Tags: firewall nf_conntrack iptables network Linux

Posted on Sat, 09 May 2026 10:51:26 +0000 by echox