A reminder for nf_conntrack


The ‘Oddities with rsntp on Centos 7’ got me thinking about my Montreal VPS that will not keep in the China pool. Granted there are some monitor problems I had also forgotten to modify my nf_conntrack settings on that VPS. Looking at dmesg the tables have indeed been full. Please don’t forget to modify yours (along with any more socket options).



Better, just let NTP traffic bypass the connection tracker to eleminate those problems at the root :wink:

iptables -t raw -I PREROUTING -p udp -m udp --dport 123 -j CT --notrack  
iptables -t raw -I PREROUTING -p udp -m udp --sport 123 -j CT --notrack  
iptables -t raw -I OUTPUT -p udp -m udp --dport 123 -j CT --notrack  
iptables -t raw -I OUTPUT -p udp -m udp --sport 123 -j CT --notrack  

This will simply let the connection tracker just ignore all traffic from or to port 123/UDP.
But, of course, you then cannot use “-m state” for those ports and you need to make sure that both outgoing and incoming traffic (answers) can flow through your firewall.



I might add that some deamons (like Chrony but others as well), will log some or all clients by default and turning that off was main thing that made my server go from being not at all able to handle the CN traffic to being able to handle it easily with no issues.



With ntpd if you are running high-traffic with the limited statement (which most are) it is worth looking at the mru setting and increasing some of the settings, most notably the maxmem variable.


There is additional documentation & discussion if you do a little googling.

On my server I use the following, but depending on the QPS you might need to increase them more.

mru initmem 4 incmem 4 maxmem 4096 mindepth 1200 maxage 256



Thanks, I added these to my four servers =)