[root@centos ~]# modprobe ip_conntrack
In other distributions such as Debian or Ubuntu Server, you must first install the conntrack package and load the nf_conntrack_ipv4 module (if you want to work with IPv6, you will have to load the nf_conntrack_ipv6 module).
root@ubuntu-server:~# aptitude install conntrack
root@ubuntu-server:~# modprobe nf_conntrack_ipv4
The conntrack module lets the kernel record in a table all the network connections of the system (established, time_wait, close, etc.). It is used by several applications, such as iptstate (which shows the state of the system's connections) or Shorewall (a firewall).
Another use of this module is when the server has to perform NAT with iptables and needs to keep a table of the connections involved.
The file where conntrack logs all connections is /proc/net/ip_conntrack.
root@ubuntu-server:~# cat /proc/net/ip_conntrack
tcp 6 89 TIME_WAIT src=192.168.1.11 dst=192.168.1.12 sport=59302 dport=10050 packets=5 bytes=291 src=192.168.1.12 dst=192.168.1.11 sport=10050 dport=59302 packets=5 bytes=289 [ASSURED] mark=0 secmark=0 use=1
...
root@ubuntu-server:~# conntrack -L
tcp 6 89 TIME_WAIT src=192.168.1.11 dst=192.168.1.12 sport=59302 dport=10050 packets=5 bytes=291 src=192.168.1.12 dst=192.168.1.11 sport=10050 dport=59302 packets=5 bytes=289 [ASSURED] mark=0 secmark=0 use=1
...
The first two fields are the connection protocol (TCP, 6), followed by the connection state (TIME_WAIT). The rest of the fields are the IP addresses and ports involved, as well as the number of packets and bytes exchanged between the two ends of the connection.
Bear in mind also that Linux keeps the connection state in memory, and each entry uses around 350 bytes.
To find out how many connections the system is tracking, you can use any of the following commands.
root@ubuntu-server:~# cat /proc/net/ip_conntrack | wc -l
856
root@ubuntu-server:~# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
856
root@ubuntu-server:~# conntrack -C
856
This value matters: if at some point one of our services (Apache, for instance) becomes slow or many connections are rejected, the cause may be that the number of tracked connections has reached the maximum allowed.
root@ubuntu-server:~# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
65536
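The following shell script is an added example, not code from the original article: it parses ip_conntrack entries (a constructed sample in the same layout as the output above) into per-state counts and half-open entries, and checks the count against ip_conntrack_max so a monitoring job can warn before the table fills. On a live host, pipe `cat /proc/net/ip_conntrack` or `conntrack -L` into state_summary and feed the ip_conntrack_count and ip_conntrack_max values to check_table.

```sh
#!/bin/sh
# Added example, not from the original article. Constructed ip_conntrack
# entries (same layout as the output above, values made up for this demo).
SAMPLE_TABLE='tcp 6 89 TIME_WAIT src=192.168.1.11 dst=192.168.1.12 sport=59302 dport=10050 packets=5 bytes=291 src=192.168.1.12 dst=192.168.1.11 sport=10050 dport=59302 packets=5 bytes=289 [ASSURED] mark=0 secmark=0 use=1
tcp 6 431999 ESTABLISHED src=10.0.0.5 dst=192.168.1.12 sport=40001 dport=80 packets=12 bytes=1800 src=192.168.1.12 dst=10.0.0.5 sport=80 dport=40001 packets=10 bytes=9000 [ASSURED] mark=0 secmark=0 use=1
tcp 6 55 SYN_SENT src=10.0.0.9 dst=192.168.1.12 sport=51000 dport=80 packets=1 bytes=60 [UNREPLIED] src=192.168.1.12 dst=10.0.0.9 sport=80 dport=51000 packets=0 bytes=0 mark=0 secmark=0 use=1
udp 17 29 src=192.168.1.11 dst=192.168.1.1 sport=5353 dport=53 packets=1 bytes=70 src=192.168.1.1 dst=192.168.1.11 sport=53 dport=5353 packets=1 bytes=120 mark=0 secmark=0 use=1'

# Entries per protocol and TCP state (field 4; the 3rd field is the seconds
# left before the entry expires). UDP/ICMP entries have no state: shown as "-".
state_summary() {
    awk '{ state = ($4 ~ /^[A-Z_]+$/) ? $4 : "-"; n[$1 " " state]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# Half-open entries the peer never answered; many of these filling the table
# is what a SYN flood or a port scan looks like from the conntrack side.
unreplied_count() {
    awk '/\[UNREPLIED\]/ { n++ } END { print n + 0 }'
}

# table_usage_pct COUNT MAX -> integer percentage of the table in use
table_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# table_memory_kib COUNT -> rough footprint using the ~350 bytes/entry above
table_memory_kib() {
    echo $(( $1 * 350 / 1024 ))
}

# check_table COUNT MAX [THRESHOLD_PCT]: returns 1 once usage hits the
# threshold, i.e. before the kernel starts dropping new connections.
check_table() {
    pct=$(table_usage_pct "$1" "$2")
    if [ "$pct" -ge "${3:-80}" ]; then
        echo "WARNING: conntrack table ${pct}% full ($1/$2), ~$(table_memory_kib "$2") KiB at max"
        return 1
    fi
    echo "OK: conntrack table ${pct}% full ($1/$2)"
}

printf '%s\n' "$SAMPLE_TABLE" | state_summary
echo "unreplied: $(printf '%s\n' "$SAMPLE_TABLE" | unreplied_count)"
check_table 856 65536        # the numbers from the session above
```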
The size of the hash table is also limited.
root@ubuntu-server:~# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
16384
If you want to change it, you must do so when loading the module.
root@ubuntu-server:~# modprobe nf_conntrack_ipv4 hashsize=32768
Other important parameters that can be changed to tune the system are the timeouts of the different connection states.
root@ubuntu-server:~# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
432000
root@ubuntu-server:~# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait
120
root@ubuntu-server:~# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait
60
The first parameter sets the maximum lifetime of an already established connection (432000 seconds can be long; 28800 could be enough). The second and third are the maximum lifetimes of a connection in TIME_WAIT and of one whose remote endpoint has closed the socket (CLOSE_WAIT).
To list all the variables of the conntrack module, type the following command.
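Before lowering ip_conntrack_tcp_timeout_established from 432000 to 28800, it helps to know how many entries the change would actually remove. This added script (not from the original article) does that estimate on a constructed sample table: the third field of an entry is the seconds left before it expires and is reset to the configured timeout each time a packet is seen, so, assuming the setting was unchanged while the entry lived, its idle time is the configured timeout minus the remaining seconds.

```sh
#!/bin/sh
# Added example, not from the original article: estimate how many ESTABLISHED
# entries would already be gone under a shorter timeout. Field 3 = seconds
# left before expiry, reset to the configured timeout on every packet, so
# idle time = configured - remaining. Sample entries are constructed.
SAMPLE_TABLE='tcp 6 431999 ESTABLISHED src=10.0.0.5 dst=192.168.1.12 sport=40001 dport=80 packets=12 bytes=1800 src=192.168.1.12 dst=10.0.0.5 sport=80 dport=40001 packets=10 bytes=9000 [ASSURED] mark=0 secmark=0 use=1
tcp 6 400000 ESTABLISHED src=10.0.0.6 dst=192.168.1.12 sport=40002 dport=80 packets=3 bytes=300 src=192.168.1.12 dst=10.0.0.6 sport=80 dport=40002 packets=2 bytes=200 [ASSURED] mark=0 secmark=0 use=1
tcp 6 100000 ESTABLISHED src=10.0.0.7 dst=192.168.1.12 sport=40003 dport=22 packets=40 bytes=4000 src=192.168.1.12 dst=10.0.0.7 sport=22 dport=40003 packets=38 bytes=6000 [ASSURED] mark=0 secmark=0 use=1
tcp 6 89 TIME_WAIT src=192.168.1.11 dst=192.168.1.12 sport=59302 dport=10050 packets=5 bytes=291 src=192.168.1.12 dst=192.168.1.11 sport=10050 dport=59302 packets=5 bytes=289 [ASSURED] mark=0 secmark=0 use=1'

# stale_established CONFIGURED PROPOSED < table
# Prints "would_expire total" for ESTABLISHED entries idle >= PROPOSED seconds.
stale_established() {
    awk -v conf="$1" -v prop="$2" '
        $4 == "ESTABLISHED" { total++; if (conf - $3 >= prop) stale++ }
        END { print stale + 0, total + 0 }'
}

# idle_established CONFIGURED < table: one "idle_seconds src dst:dport" line
# per ESTABLISHED entry, most idle first, to see which flows a cut would hit.
idle_established() {
    awk -v conf="$1" '
        $4 == "ESTABLISHED" { print conf - $3, substr($5,5), substr($6,5) ":" substr($8,7) }' \
    | sort -rn
}

printf '%s\n' "$SAMPLE_TABLE" | stale_established 432000 28800   # prints: 2 3
printf '%s\n' "$SAMPLE_TABLE" | idle_established 432000
```

On a live host, replace the sample with `cat /proc/net/ip_conntrack | stale_established 432000 28800`.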
root@ubuntu-server:~# sysctl -a | grep conntrack | grep ipv4
net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent2 = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 300
net.ipv4.netfilter.ip_conntrack_tcp_loose = 1
net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 0
net.ipv4.netfilter.ip_conntrack_tcp_max_retrans = 3
net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
net.ipv4.netfilter.ip_conntrack_max = 15768
net.ipv4.netfilter.ip_conntrack_count = 2
net.ipv4.netfilter.ip_conntrack_buckets = 4096
net.ipv4.netfilter.ip_conntrack_checksum = 1
net.ipv4.netfilter.ip_conntrack_log_invalid = 0
To change the value of any of these variables persistently, add it to the sysctl.conf file and reload the settings.
root@ubuntu-server:~# cat /etc/sysctl.conf
...
net.ipv4.netfilter.ip_conntrack_max = 131072
root@ubuntu-server:~# sysctl -p
Another interesting option of the conntrack command is obtaining statistics about connection tracking.
root@ubuntu-server:~# conntrack -S
entries 2
searched 0
found 1107
new 4
invalid 0
ignore 0
delete 2
delete_list 2
insert 4
insert_failed 0
drop 0
early_drop 0
icmp_error 0
expect_new 0
expect_create 0
expect_delete 0
search_restart 0
Another useful feature of conntrack is printing connection events in real time, similar to running "tail -f" on a file.
root@ubuntu-server:~# conntrack -E
We can conclude from this pair of articles that the conntrack module is another helpful way to improve Linux performance.
Source: http://redes-privadas-virtuales.blogspot.com/2011/02/following-up-network-connections-with_27.html