Limiting outgoing connections by port to control nf_conntrack usage

I would like to make my system more resilient against a certain failure. When the
system makes rapid outbound TCP connections that fail, the nf_conntrack table
fills up with TIME_WAIT entries. This causes other operations on the
system to fail, as there are no more nf_conntrack entries available.

I know that it is possible to modify certain parameters such as
tcp_tw_reuse and tcp_fin_timeout, but I am reluctant to make drastic
changes there (based on warnings like this).

What I was hoping to do, prior to any such changes above and application
changes, is to harden my system against complete depletion of nf_conntrack
entries by restricting outgoing connections by each subsystem (using
port numbers, IP addresses, etc.). I thought I would be able to add
rules as follows:

-A OUTPUT -p tcp --syn --dport 9702 -m connlimit --connlimit-above 3 -j REJECT --reject-with tcp-reset

But this seems to only impact active connections (which is understandable, as the others are effectively gone). Is
there a way to limit outgoing connections per port/app in a way
that takes TIME_WAIT sockets into account?

Thanks

Answer

If you don’t actually need NetFilter connection tracking, I’d suggest you either disable nf_conntrack altogether (by unloading it), or add a NOTRACK rule to the top of your iptables ruleset.
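The NOTRACK approach from the answer, as an added example (not code from the answer's author): raw-table rules that exempt the port from the question (9702) from connection tracking, emitted by a shell function so they can be reviewed before being applied as root. The function names, the DRY_RUN switch and the conntrack_usage helper are this example's own conventions, not an existing tool.

```shell
#!/bin/sh
# Added example: keep one service port's connections out of nf_conntrack.
# Port 9702 is taken from the question; everything else here is illustrative.

PORT="${PORT:-9702}"

# Emit the iptables commands (one per line) instead of running them.
notrack_rules() {
    port="$1"
    # The raw table is consulted before conntrack, so packets matched here
    # never create an entry (and therefore never leave a TIME_WAIT entry).
    # Outbound packets of every flow to the service port:
    echo "iptables -t raw -A OUTPUT -p tcp --dport ${port} -j CT --notrack"
    # Replies from the service port must be exempted as well, otherwise the
    # inbound half of each connection would still be tracked:
    echo "iptables -t raw -A PREROUTING -p tcp --sport ${port} -j CT --notrack"
    # Caveat: untracked packets never match ESTABLISHED/RELATED. A filter
    # ruleset that only accepts those states would now drop the replies, so
    # accept the UNTRACKED state explicitly for this port (not needed with a
    # default-ACCEPT filter policy):
    echo "iptables -A INPUT -p tcp --sport ${port} -m conntrack --ctstate UNTRACKED -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp --dport ${port} -m conntrack --ctstate UNTRACKED -j ACCEPT"
}

# Current table usage (count/max), to compare before and after applying.
conntrack_usage() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        printf '%s/%s\n' "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" \
                         "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"
    else
        echo "nf_conntrack not loaded"
    fi
}

# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them (root).
apply_notrack() {
    notrack_rules "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}
```

Run `DRY_RUN=1 apply_notrack "$PORT"` first and check `conntrack_usage` before and after applying; the rules must stay ahead of any state-based ACCEPT rules in the filter table for the UNTRACKED caveat to hold.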

Attribution
Source: Link, Question Author: nhed, Answer Author: ch2500
