Linux NAT ip_conntrack

Note: the ip_conntrack interface is aging. A newer set of tools, conntrack-tools, is available at http://conntrack-tools.netfilter.org/.

There are a few things we can do to tweak ip_conntrack.

Increase the value of ip_conntrack_max

To find the current setting of ip_conntrack_max:

# cat /proc/sys/net/ipv4/ip_conntrack_max

To temporarily change this value, do

# echo "new_value" > /proc/sys/net/ipv4/ip_conntrack_max

To permanently change this value, do

# sysctl -w net.ipv4.ip_conntrack_max=new_value

Lower ip_conntrack timeout

# echo "new_value" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

Or do

# sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=new_value

Related admin commands

To check the ip_conntrack buffer:

# grep conn /proc/slabinfo

To check the top 5 IPs recorded by ip_conntrack:

# cat /proc/net/ip_conntrack | cut -d ' ' -f 10 | cut -d '=' -f 2 | sort | uniq -c | sort -nr | head -n 5
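
As an added example (not part of the original page), here is a more robust form of the top-talkers one-liner above: it keys on each entry's first src= token instead of a fixed column, so it works for tcp, udp and icmp lines, whose leading columns differ in width. The conntrack lines in the sample are constructed.

```shell
#!/bin/sh
# Added example: rank the busiest original-direction source addresses in
# /proc/net/ip_conntrack output. Fixed "cut -f 10" only lines up for tcp
# entries; awk field splitting plus a search for the first "src=" token
# handles the udp and icmp layouts too.

# Constructed sample in the legacy /proc/net/ip_conntrack format.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40000 dport=80 src=198.51.100.5 dst=203.0.113.1 sport=80 dport=40000 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=443 src=198.51.100.5 dst=203.0.113.1 sport=443 dport=40001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=40002 dport=22 src=198.51.100.7 dst=203.0.113.1 sport=22 dport=40002 [ASSURED] use=1
udp      17 29 src=192.0.2.20 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=203.0.113.1 sport=53 dport=5353 use=1
udp      17 170 src=192.0.2.20 dst=198.51.100.53 sport=5354 dport=53 [UNREPLIED] src=198.51.100.53 dst=203.0.113.1 sport=53 dport=5354 use=1
icmp     1 29 src=192.0.2.30 dst=198.51.100.5 type=8 code=0 id=1 src=198.51.100.5 dst=203.0.113.1 type=0 code=0 id=1 use=1'

# top_src N: read conntrack entries on stdin and print "count ip" for the
# N most frequent original-direction source addresses, busiest first.
# Only the first src= token per line is taken; the second one is the
# reply direction (the NAT'd address), which is not what we are ranking.
top_src() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); print $i; break } }' \
        | sort | uniq -c | sort -rn | head -n "${1:-5}" \
        | awk '{ print $1, $2 }'
}

# busiest_src: just the single most frequent source address.
busiest_src() {
    top_src 1 | awk '{ print $2 }'
}

# Demonstration on the constructed sample. On a live NAT box, feed the
# real table instead:  top_src 5 < /proc/net/ip_conntrack
printf '%s\n' "$SAMPLE_CONNTRACK" | top_src 5
```

A source address that dominates this list while the conntrack table is near ip_conntrack_max is the usual sign of a host (or a scan) exhausting the table, which is what the timeout and ip_conntrack_max tweaks above are meant to absorb.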


Comments

System Hardening

The following guide may also be useful:

http://xianshield.org/guides/apache2.0guide.html