Linux – ip_conntrack_count has way too many connections

Tags: apache-2.2, conntrack, debian, linux, mod-python

The conntrack table on my server has over 1.2 million connections, I keep bumping up the limit but the table just continues to grow (but not monotonically — it does go down sometimes).

$ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
1278865

This is true despite the fact that netstat is quite reasonable:

$ netstat -ant | wc -l
908

I am running Debian with Kernel 2.6.32-5-amd64. I understand that the conntrack table keeps recent connection information and so it is expected that it would be larger than netstat, but this behavior still seems rather extreme! The box is being used primarily as a web server, and mod_python in Apache is being used to handle connections. There should be no connections outside of these. There are no excess mod_python threads running (ps -ef looks normal, top looks normal), and the error logs from Apache and mod_python look normal. (I'm unable to post detailed error log information for privacy reasons).

In ip_conntrack, the IP addresses seem to be fairly distributed and on port 443 (as one would expect with a web server serving exclusively over HTTPS). I'm not sure what might be causing the runaway IP connections and I can't find information on the Internet suggesting this is a known issue. Is there an Apache configuration or anything that might be the culprit? Other ideas? Many thanks.

Best Answer

To answer your question, you can set net.netfilter.nf_conntrack_tcp_timeout_established in sysctl.conf. The default is like 5 days, which can be dramatically lowered without affecting any likely 443 traffic. net.ipv4.netfilter.ip_conntrack_max can also be bumped up.
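A small audit script that turns the answer above into something you can check before touching sysctl. It is an added example, not code from the thread or from Debian; it reads the real 2.6-era paths (/proc/sys/net/ipv4/netfilter/ip_conntrack_count, ip_conntrack_max, /proc/net/ip_conntrack) when they exist and otherwise falls back to a constructed sample dump, so it also runs offline. The count 1278865 is the one from the question; the max value 1310720 and every address in the sample are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit conntrack table usage
# and break the table down by TCP state, destination port and remaining
# timeout. Paths below are the real ones on a 2.6 kernel with ip_conntrack;
# the sample dump is constructed so the script runs without netfilter.

# Percentage of the conntrack table in use (integer arithmetic).
table_usage_pct() {  # $1 = ip_conntrack_count, $2 = ip_conntrack_max
  echo $(( $1 * 100 / $2 ))
}

# Number of TCP entries in one state. Dump line format:
#   tcp 6 <timeout-seconds> <STATE> src=... dst=... sport=... dport=... [ASSURED] ...
count_tcp_state() {  # $1 = dump file, $2 = state name (e.g. ESTABLISHED)
  awk -v want="$2" '$1 == "tcp" && $4 == want { n++ } END { print n + 0 }' "$1"
}

# Largest remaining timeout among ESTABLISHED entries. A value close to
# 432000 (5 days) shows the default nf_conntrack_tcp_timeout_established is
# still in force, which is what the answer suggests lowering.
max_established_timeout() {  # $1 = dump file
  awk '$1 == "tcp" && $4 == "ESTABLISHED" && $3 > m { m = $3 } END { print m + 0 }' "$1"
}

# Entries whose original or reply tuple targets the given destination port.
count_dport() {  # $1 = dump file, $2 = port number
  awk -v p="dport=$2" '{ for (i = 1; i <= NF; i++) if ($i == p) { n++; break } }
                       END { print n + 0 }' "$1"
}

# Constructed sample dump in /proc/net/ip_conntrack format (documentation
# addresses only; not captured from a real server).
write_sample_dump() {  # $1 = output path
  cat > "$1" <<'EOF'
tcp      6 431999 ESTABLISHED src=198.51.100.10 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=198.51.100.10 sport=443 dport=51234 [ASSURED] mark=0 use=2
tcp      6 431950 ESTABLISHED src=198.51.100.11 dst=203.0.113.5 sport=41000 dport=443 src=203.0.113.5 dst=198.51.100.11 sport=443 dport=41000 [ASSURED] mark=0 use=2
tcp      6 110 TIME_WAIT src=198.51.100.12 dst=203.0.113.5 sport=42000 dport=443 src=203.0.113.5 dst=198.51.100.12 sport=443 dport=42000 [ASSURED] mark=0 use=1
tcp      6 45 SYN_SENT src=203.0.113.5 dst=198.51.100.20 sport=33000 dport=80 [UNREPLIED] src=198.51.100.20 dst=203.0.113.5 sport=80 dport=33000 mark=0 use=1
udp      17 25 src=203.0.113.5 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=40000 mark=0 use=1
EOF
}

# Print the audit for one dump plus the count/max pair.
conntrack_report() {  # $1 = dump file, $2 = count, $3 = max
  echo "table usage: $2 of $3 ($(table_usage_pct "$2" "$3")%)"
  for st in ESTABLISHED TIME_WAIT SYN_SENT CLOSE_WAIT; do
    echo "$st: $(count_tcp_state "$1" "$st")"
  done
  echo "entries to dport 443: $(count_dport "$1" 443)"
  echo "longest ESTABLISHED timeout left: $(max_established_timeout "$1")s"
}

# Use the live kernel files when present, otherwise the constructed sample.
if [ -r /proc/net/ip_conntrack ] && [ -r /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
  conntrack_report /proc/net/ip_conntrack \
    "$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)" \
    "$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)"
else
  SAMPLE=$(mktemp)
  write_sample_dump "$SAMPLE"
  conntrack_report "$SAMPLE" 1278865 1310720   # count from the question; max is a constructed value
  rm -f "$SAMPLE"
fi
```

If the report shows most entries as ESTABLISHED with timeouts in the hundreds of thousands of seconds, the table is holding connections the web server finished long ago, and lowering net.netfilter.nf_conntrack_tcp_timeout_established (sysctl -w to try it, sysctl.conf to persist it) is the fix the answer describes; if the table is mostly TIME_WAIT or SYN_SENT entries to ports other than 443, something other than normal HTTPS traffic is creating state and the dump's source addresses are the place to look next.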