Âîïðîñ ïî ip_conntrack

**perpetum** · 19-02-2010, 18:43

Originally Posted by Asgard

netstat -na | grep ESTABLISHED

è ÷òî òóò âèäíî?

ó ìåíÿ ïîäêëþ÷åíû 6 êîìïüþòåðîâ ïî LAN âñå êà÷àþò, ìíå íóæíî ïîñìîòðåòü äëÿ êàêîãî IP êàêèå ñåññèè îòêðûòû, ïðèìåðíî êàê â DIR-100.
Êàê ìíå ýòî ìîæíî ñäåëàòü?

**perpetum** · 21-02-2010, 22:39

ïîäñêàæèòå ïëèç

**Asgard** · 22-02-2010, 11:13

Originally Posted by perpetum

è ÷òî òóò âèäíî?

ó ìåíÿ ïîäêëþ÷åíû 6 êîìïüþòåðîâ ïî LAN âñå êà÷àþò, ìíå íóæíî ïîñìîòðåòü äëÿ êàêîãî IP êàêèå ñåññèè îòêðûòû, ïðèìåðíî êàê â DIR-100.
Êàê ìíå ýòî ìîæíî ñäåëàòü?

Åñëè è âûïîëíÿòü êîìàíäó òî ïîëíóþ

netstat -na | grep ESTABLISHED

íî è ïî netstat -na âèäíî ÷òî íà ðîóòåð îòêðûòî òîëüêî îäíî telnet-ñîåäèíåíèå.
Ç.Û. Êîìïüþòåðû ñ LAN êà÷àþò íå ñ ðîóòåðà, à çíà÷èò è íå îòêðûâàþò ñ íèì ñîåäèíåíèé.
Ç.Û.Û. Äëÿ Âàøèõ öåëåé èñïîëüçóéòå

Originally Posted by checat

cat /proc/net/ip_conntrack

**dieselslk** · 05-05-2010, 19:41

Çäðàñòå, ó ìåíÿ çàâèñàë ðîóðåð, ñêàçàëè óâåëè÷èòü Number of connections to track: â 2 ðàçà ÿ óâåëè÷èë, ÷åðåç íåêîòîðîå âðåìÿ îí òîæå çàâèñàë, ðåøèë óâåëè÷èòü ïî ìàêñèìóìó, ïîñòàâèë 16384.
È ñ òàêèì ïàðàìåòðîì ðîóòåð çàâèñàåò è âûäà¸ò ñ ëîãå òàêèå æå ñòðî÷êè.

Code:

00:12:55 06-05-2010 (warning|kern|kernel) ip_conntrack: table full, dropping packet.
00:12:58 06-05-2010 (warning|kern|kernel) NET: 1 messages suppressed.
00:12:58 06-05-2010 (warning|kern|kernel) ip_conntrack: table full, dropping packet.
00:13:04 06-05-2010 (warning|kern|kernel) NET: 48 messages suppressed.

×òî ìîíà ñäåëàòü?

Ðîóòåð D-link Dir 320 ïðîøèâêà WL500gpv2 1.9.2.7-d-r1445

**Power** · 05-05-2010, 21:03

Originally Posted by dieselslk

Çäðàñòå, ó ìåíÿ çàâèñàë ðîóðåð, ñêàçàëè óâåëè÷èòü Number of connections to track: â 2 ðàçà ÿ óâåëè÷èë, ÷åðåç íåêîòîðîå âðåìÿ îí òîæå çàâèñàë, ðåøèë óâåëè÷èòü ïî ìàêñèìóìó, ïîñòàâèë 16384.
È ñ òàêèì ïàðàìåòðîì ðîóòåð çàâèñàåò è âûäà¸ò ñ ëîãå òàêèå æå ñòðî÷êè.

Code:

00:12:55 06-05-2010 (warning|kern|kernel) ip_conntrack: table full, dropping packet.
00:12:58 06-05-2010 (warning|kern|kernel) NET: 1 messages suppressed.
00:12:58 06-05-2010 (warning|kern|kernel) ip_conntrack: table full, dropping packet.
00:13:04 06-05-2010 (warning|kern|kernel) NET: 48 messages suppressed.

×òî ìîíà ñäåëàòü?

Ðîóòåð D-link Dir 320 ïðîøèâêà WL500gpv2 1.9.2.7-d-r1445

16 òûñÿ÷ - ýòî äîâîëüíî ìíîãî. Íàäî èñêàòü, êòî èõ èñïîëüçóåò.
Ñêîëüêî êîìïîâ ó âàñ ê ðîóòåðó ïîäêëþ÷åíî?
Âêëþ÷åí ëè íà ðîóòåðå ôàåðâîëë?
Ïðèâåäèòå ðåçóëüòàò âûïîëíåíèÿ êîìàíä

Code:

iptables -L -nv
iptables -L -nv -t nat
iptables -L -nv -t mangle

**dieselslk** · 05-05-2010, 21:56

iptables -L -nv

Code:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:51778
  258 19273 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  660  172K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   20  1920 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
 1065  328K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 flags:0x17/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.1         tcp dpt:80
 3794  310K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain FORWARD (policy ACCEPT 60620 packets, 3546K bytes)
 pkts bytes target     prot opt in     out     source               destination 
 1176 60988 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0   
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 105K 5125K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
1447K  425M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 DROP       all  --  !br0   ppp0    0.0.0.0/0            0.0.0.0/0   
    0     0 DROP       all  --  !br0   vlan1   0.0.0.0/0            0.0.0.0/0   
33668 2169K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate DNAT
    0     0 ACCEPT     all  --  *      br0     0.0.0.0/0            0.0.0.0/0   

Chain OUTPUT (policy ACCEPT 1819 packets, 500K bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain BRUTE (0 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain MACS (0 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain SECURITY (0 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW LOG flags 7 level 4 prefix `ACCEPT '
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW LOG flags 7 level 4 prefix `DROP '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

iptables -L -nv -t nat

Code:

Chain PREROUTING (policy ACCEPT 47273 packets, 3124K bytes)
 pkts bytes target     prot opt in     out     source               destination 
40789 2697K VSERVER    all  --  *      *       0.0.0.0/0            92.255.166.74

Chain POSTROUTING (policy ACCEPT 36930 packets, 2405K bytes)
 pkts bytes target     prot opt in     out     source               destination 
42814 2744K MASQUERADE  all  --  *      ppp0   !92.255.166.74        0.0.0.0/0  
  187 12277 SNAT       all  --  *      br0     192.168.1.0/24       192.168.1.0/24      to:192.168.1.1

Chain OUTPUT (policy ACCEPT 319 packets, 45519 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination 
23668 1172K DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:40598 to:192.168.1.150:40598
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:9528 to:192.168.1.150:9528
13130 1200K DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:40598 to:192.168.1.150:40598
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:29026 to:192.168.1.241:29026
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:29026 to:192.168.1.241:29026
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9528 to:192.168.1.150:9528

iptables -L -nv -t mangle

Code:

Chain PREROUTING (policy ACCEPT 1734K packets, 483M bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain INPUT (policy ACCEPT 6422 packets, 914K bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 1726K packets, 482M bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 2329 packets, 597K bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain POSTROUTING (policy ACCEPT 1730K packets, 483M bytes)
 pkts bytes target     prot opt in     out     source               destination

2 êîìïà ïîäêëþ÷åíî ÷åðåç Lan, ôàåðâîëë âêëþ÷åí.

**dieselslk** · 06-05-2010, 19:18

Power, ñíîâà çàâèñàåò... êàê ìîæíî ðåøèòü ïðîáëåìó ìîþ?

**Power** · 06-05-2010, 19:49

Originally Posted by dieselslk

Power, ñíîâà çàâèñàåò... êàê ìîæíî ðåøèòü ïðîáëåìó ìîþ?

Âîò ÷åñòíî - ÿ íå çíàþ. Ìîãó ïðåäëîæèòü ïîñòàâèòü ýêñïåðèìåíò:
1) ïåðåçàãðóæàåòå ðîóòåð
2) ïîäêëþ÷àåòåñü ê ðîóòåðó ïî telnet èëè ssh è äåðæèòå ïîäêëþ÷åíèå îòêðûòûì
3) ïîäêëþ÷àåòå ê ðîóòåðó ôëåøêó èëè äèñê, íà êîòîðûé îí ñìîæåò ïèñàòü è ñ êîòîðîãî âû ñìîæåòå íà êîìïå ïðî÷èòàòü (íàïðèìåð, ñ ôàéëîâîé ñèñòåìîé fat)
4) äîæèäàåòåñü, êîãäà â ëîãàõ ïîÿâèòñÿ "ip_conntrack: table full, dropping packet"
5) âûïîëíÿåòå êîìàíäû è êîïèðóåòå ðåçóëüòàò

Code:

iptables -L -nv
iptables -L -nv -t nat
iptables -L -nv -t mangle

6) êîïèðóåòå ñåáå ëîã ðîóòåðà èç âåá-ìîðäû ëèáî ñ ïîìîùüþ êîìàíäû

Code:

cat /tmp/syslog.log

7) âûïîëíÿåòå êîìàíäû

Code:

cat /proc/net/ip_conntrack > /tmp/ip_conntrack
gzip /tmp/ip_conntrack

8) êîïèðóåòå ôàéë /tmp/ip_conntrack.gz íà ôëåøêó èëè êàêèì-òî äðóãèì ñïîñîáîì çàáèðàåòå åãî ñ ðîóòåðà. Ñêîïèðîâàòü ìîæíî, íàïðèìåð, êîìàíäîé

Code:

cp /tmp/ip_conntrack.gz /tmp/mnt/disc0_1/ # çàâèñèò îò òîãî, êóäà ñìîíòèðîâàíà ôëåøêà
# è íå çàáóäüòå ïåðåä âûòàñêèâàíèåì îòìîíòèðîâàòü
umount /tmp/mnt/disc0_1

Íó è â êîíöå êîíöîâ, âûêëàäûâàåòå âñ¸ ñîáðàííîå äîáðî òóò.
Ñëåäóåò çàìåòèòü, ÷òî â ôàéëå ip_conntrack.gz áóäóò IP-àäðåñà è ïîðòû âñåõ ñîåäèíåíèé, êîòîðûå óñòàíîâëåíû ÷åðåç ðîóòåð (òà ñàìàÿ òàáëèöà, êîòîðàÿ ïåðåïîëíÿåòñÿ). Òàì íå áóäåò ñàìèõ äàííûõ, êîòîðûå ïåðåäàþòñÿ, íî âñ¸ ðàâíî äîñòàòî÷íî ëè÷íàÿ èíôîðìàöèÿ.

**dieselslk** · 07-05-2010, 23:22

Óâàæàåìûé Power è âñå êòî ìîæåò ïîìîùü , ÿ ïðî÷èòàë âàøå ñîîáùåíèå è ïðîâ¸ë ýêñïåðèìåíò, ñèäåë æäàë ñòðî÷êè "ip_conntrack: table full, dropping packet", ñíà÷àëà èõ íå íàáëþäàëîñü, ðåøèë ñáðîñèòü íàñòðîéêè ðîóòåðà, ðîóòåð ïîðàáîòàë 13 ÷àñîâ è ïîÿâèëèñü ýòè ñòðî÷êè êîòîðûå ÿ æäàë

Number of connections to track áûëî ïî äåëîëòó 4096
âîò ðåçóëüòàò êîìàíä: result.txt

Code:

iptables -L -nv
iptables -L -nv -t nat
iptables -L -nv -t mangle

à âîò ëîã ip_conntrack.gz: ip_conntrack.gz

ß íå ñòàë ñòàâèòü â 2 ðàçà áîëüøå ïîäêëþ÷åíèé èëè ìàêñèìàëüíûé ïàðàìåòð, ò.ê. äî ñáðîñà ïàðàìåòðîâ òàêàÿ æå áåäà áûëà.
Òàêàÿ áåäà íà÷àëàñü 3 íåäåëè íàçàä, è êàæäûé äåíü ïðèõîäèòñÿ ïî ïàðó ðàç âûêëþ÷àòü/âêëþ÷àòü ðîóòåð.
È ïî÷åìó òî òàáëèöà ìàðøðóòèçàöèè íå î÷èùàåòñÿ, ñêàæèòå ïî÷åìó?
È åù¸ íà îäíîì êîìïå èãðàþò â ïîêåð íà 12 ñòîëîâ, åñòü ïîäîçðåíèÿ ÷òî îíè çàáèâàþò ñèëüíî òàáëèöó, íî ÿ äàæå êîãäà ìàêñ ïàðàìåòð ó Number of connections to track ïîñòàâèë, íè÷åãî íå èçìåíèëîñü.
Ïðîøó ïîìîùè

P.S. Ïîéäó ðåáóò

**Power** · 07-05-2010, 23:47

Originally Posted by dieselslk

Óâàæàåìûé Power è âñå êòî ìîæåò ïîìîùü , ÿ ïðî÷èòàë âàøå ñîîáùåíèå è ïðîâ¸ë ýêñïåðèìåíò, ñèäåë æäàë ñòðî÷êè "ip_conntrack: table full, dropping packet", ñíà÷àëà èõ íå íàáëþäàëîñü, ðåøèë ñáðîñèòü íàñòðîéêè ðîóòåðà, ðîóòåð ïîðàáîòàë 13 ÷àñîâ è ïîÿâèëèñü ýòè ñòðî÷êè êîòîðûå ÿ æäàë

Number of connections to track áûëî ïî äåëîëòó 4096
âîò ðåçóëüòàò êîìàíä: result.txt

Code:

iptables -L -nv
iptables -L -nv -t nat
iptables -L -nv -t mangle

à âîò ëîã ip_conntrack.gz: ip_conntrack.gz

ß íå ñòàë ñòàâèòü â 2 ðàçà áîëüøå ïîäêëþ÷åíèé èëè ìàêñèìàëüíûé ïàðàìåòð, ò.ê. äî ñáðîñà ïàðàìåòðîâ òàêàÿ æå áåäà áûëà.
Òàêàÿ áåäà íà÷àëàñü 3 íåäåëè íàçàä, è êàæäûé äåíü ïðèõîäèòñÿ ïî ïàðó ðàç âûêëþ÷àòü/âêëþ÷àòü ðîóòåð.
È ïî÷åìó òî òàáëèöà ìàðøðóòèçàöèè íå î÷èùàåòñÿ, ñêàæèòå ïî÷åìó?
È åù¸ íà îäíîì êîìïå èãðàþò â ïîêåð íà 12 ñòîëîâ, åñòü ïîäîçðåíèÿ ÷òî îíè çàáèâàþò ñèëüíî òàáëèöó, íî ÿ äàæå êîãäà ìàêñ ïàðàìåòð ó Number of connections to track ïîñòàâèë, íè÷åãî íå èçìåíèëîñü.
Ïðîøó ïîìîùè

P.S. Ïîéäó ðåáóò

Âî-ïåðâûõ, âû íå ïðèëîæèëè ëîã ðîóòåðà.
Âî-âòîðûõ, íàäî áûëî âñ¸-òàêè âûñòàâèòü Number of connections to track íà ìàêñèìóì, ñòàòèñòèêà áóäåò òî÷íåå.

Ïî èìåþùèìñÿ äàííûì ìîãó ñêàçàòü, ÷òî ñåé÷àñ áîëüøóþ ÷àñòü ñîåäèíåíèé çàíèìàåò òî, ÷òî, êàê ÿ ïîëàãàþ, ÿâëÿåòñÿ òîððåíòîì, íà ìàøèíàõ 192.168.1.150 è 192.168.1.241 (íà ïîñëåäíåé â áîëüøåé ñòåïåíè).

Êñòàòè, íå çíàþ, ñâÿçàíî ëè ýòî, íî ÿ áû íà âàøåì ìåñòå ïîïðîáîâàë îòêëþ÷èòü íà ðîóòåðå UPnP è íàñòðîèòü ïðîáðîñ ïîðòîâ âðó÷íóþ.

**dieselslk** · 08-05-2010, 00:09

Âîò ëîã syslog.txt

Ñåé÷àñ ïîñòàâëþ ìàêñ ïàðàìåòð, îòêëþ÷ó UPnP.
Òîêà êàêèå ïîðòû ïðîáðàñûâàòü? è êàê ïðàâèëüíî?

**chiefff** · 14-05-2010, 20:18

Òîâàðèùè êòî ïîäñêàæåò, ÷òî ñ ýòèì äåëàòü? Íåäåëþ øëî íîðìàëüíî, âäðóã ñëó÷èëàñü òàêàÿ îêàçèÿ

May 14 23:00:35 kernel: printk: 1 messages suppressed.
May 14 23:00:35 kernel: nf_conntrack: table full, dropping packet.

Ðîóòåð ÐÒ-Í16, ïðîøèâêà RT-N16-1.9.2.7-rtn-r1557.trx

Ñïàñèáî

**Power** · 14-05-2010, 22:34

Íó ïîïðîáóéòå óâåëè÷èòü ëèìèò êîëè÷åñòâà ñîåäèíåíèé ("number of connections to track", åñëè òàêîé ïàðàìåòð åñòü â âåá-ìîðäå).

**chiefff** · 16-05-2010, 09:03

Originally Posted by Power

Íó ïîïðîáóéòå óâåëè÷èòü ëèìèò êîëè÷åñòâà ñîåäèíåíèé ("number of connections to track", åñëè òàêîé ïàðàìåòð åñòü â âåá-ìîðäå).

Íàøåë, ñòîÿëî îêîëî 4000, ïåðåñòàâèë íà ìàêñèìóì 16384
ïîñìîòðèì
Ñïàñèáî

**chiefff** · 16-05-2010, 20:19

Originally Posted by chiefff

Íàøåë, ñòîÿëî îêîëî 4000, ïåðåñòàâèë íà ìàêñèìóì 16384
ïîñìîòðèì
Ñïàñèáî

Ê êîíöó äíÿ âñå ðàâíî ïîÿâèëàñü çàïèñü â ëîãàõ

Thread: Âîïðîñ ïî ip_conntrack

Thread Tools

Rate This Thread

Display

Hybrid View

ip_conntrack

?

nf_conntrack: table full, dropping packet

Similar Threads

Âîïðîñ ïî IP-òåëåôîíèè.

Âîïðîñ íàñ÷åò Torrent

Âîïðîñ ïðî ðîóòèíã

Âîïðîñ ïî rrd tool.

max connections -- ip_conntrack

Tags for this Thread

Posting Permissions