
3. Problems at runtime

3.1 My syslog or my console shows the message:

NAT: X dropping untracked packet Y Z aaa.aaa.aaa.aaa -> bbb.bbb.bbb.bbb

This message is printed by the NAT code. NAT can only rewrite a packet if connection tracking has a valid conntrack entry for it, so any packet for which connection tracking could not determine a conntrack entry AND for which the user has a NAT rule is dropped, and this message is printed.

Possible reasons are:

If you want more detailed logging of these packets (i.e. if you suspect they are remote probe / scanning packets), use the following rule:

iptables -t mangle -A PREROUTING -m state --state INVALID -j LOG

And yes, the rule has to go in the mangle table: the packets are dropped by the NAT code before they ever reach the filter table, so a LOG rule there would never see them. The mangle PREROUTING chain runs before the nat PREROUTING chain, which is why it still sees them. Expect some of these log entries to be harmless, for example late packets belonging to connections that have already timed out of the conntrack table.
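Once the LOG rule (or the NAT message itself) is in syslog, the practical question is which sources are probing. The following script is an added example, not part of the FAQ or of the netfilter project; it parses the message in the layout shown above, treating the X, Y and Z fields as opaque tokens because the page does not define them, and flags sources that repeatedly hit several distinct internal destinations. The syslog lines and the thresholds are constructed for illustration.

```python
"""Triage 'NAT: ... dropping untracked packet' syslog lines (added example)."""
import re
from collections import defaultdict

# Pattern for the message as the FAQ shows it. X, Y and Z are captured as
# opaque tokens; only the source and destination addresses are used.
NAT_DROP_RE = re.compile(
    r"NAT: (?P<x>\S+) dropping untracked packet (?P<y>\S+) (?P<z>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample syslog lines (not a real capture). The prefix is the
# usual "date host kernel:" form and the addresses are documentation ranges.
SAMPLE_SYSLOG = """\
Mar  3 10:01:12 gw kernel: NAT: 0 dropping untracked packet c12fa000 6 203.0.113.5 -> 192.0.2.10
Mar  3 10:01:12 gw kernel: NAT: 0 dropping untracked packet c12fa100 6 203.0.113.5 -> 192.0.2.11
Mar  3 10:01:13 gw kernel: NAT: 0 dropping untracked packet c12fa200 6 203.0.113.5 -> 192.0.2.12
Mar  3 10:01:13 gw kernel: NAT: 0 dropping untracked packet c12fa300 6 203.0.113.5 -> 192.0.2.12
Mar  3 10:02:40 gw kernel: NAT: 0 dropping untracked packet c12fa400 17 198.51.100.7 -> 192.0.2.10
Mar  3 10:02:41 gw kernel: eth0: link up
"""


def parse_nat_drops(text):
    """Return a list of (src, dst) pairs, one per NAT drop message.

    Lines that do not match (other kernel output) are ignored.
    """
    pairs = []
    for line in text.splitlines():
        m = NAT_DROP_RE.search(line)
        if m:
            pairs.append((m.group("src"), m.group("dst")))
    return pairs


def drops_by_source(text):
    """Map each source address to (drop count, set of distinct destinations)."""
    count = defaultdict(int)
    dsts = defaultdict(set)
    for src, dst in parse_nat_drops(text):
        count[src] += 1
        dsts[src].add(dst)
    return {src: (count[src], dsts[src]) for src in count}


def suspected_scanners(text, min_drops=3, min_dsts=2):
    """Sources that repeatedly hit several distinct internal destinations.

    The thresholds are illustrative assumptions, not values from the FAQ;
    tune them to the amount of legitimate late traffic your gateway sees.
    """
    return sorted(
        src
        for src, (n, dsts) in drops_by_source(text).items()
        if n >= min_drops and len(dsts) >= min_dsts
    )


if __name__ == "__main__":
    for src, (n, dsts) in drops_by_source(SAMPLE_SYSLOG).items():
        print(f"{src}: {n} drops, {len(dsts)} distinct destinations")
    print("suspected scanners:", suspected_scanners(SAMPLE_SYSLOG))
```

Feed it the real syslog file instead of SAMPLE_SYSLOG; a single source with a handful of drops against one destination is normally a retransmission after the conntrack entry timed out, whereas one source sweeping many destinations is the pattern worth following up.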

3.2 I'm unable to use netfilter in combination with the Linux bridging code

So you want to build a completely transparent firewall? Great idea! Unfortunately the bridging code in these kernels bypasses the normal network stack, including netfilter, so bridged frames never pass through your iptables rules. (Later kernels added bridge-netfilter and ebtables for exactly this purpose; the statement here applies to the bridging code of the time.)

But there is somebody writing a replacement for the current bridging code, have a look at http://www.math.leidenuniv.nl/~buytenh/bridge

3.3 The IRC module is unable to handle DCC RESUMEs

Well, that's only half the truth. Only the NAT module is unable to handle them. If you just use firewalling without NAT, it should work fine.

3.4 How does SNAT to multiple addresses work?

Netfilter tries to mangle as little as possible. So if we have a freshly rebooted machine, and somebody behind the SNAT box opens a connection with local port 1234, the netfilter box only mangles the IP address and the source port stays the same.

As soon as somebody else opens another connection with the same source port (to the same destination, so that the translated tuple would collide with the existing one), netfilter has to mangle both IP and port if it only has a single IP for SNAT.

But if there is more than one address available, it again only has to mangle the IP part and can hand the second connection a different source address with the port unchanged.
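The selection described above, as an added example that is not the FAQ's or the kernel's code: a simplified model of an SNAT table that keeps the original source port whenever some address in the pool keeps the translated tuple unique, and only falls back to changing the port when every address collides. The pool addresses, the connections and the port-fallback rule (first free unprivileged port) are assumptions for illustration; the real kernel's port choice and its way of picking an address from the pool differ in detail.

```python
"""Model of netfilter's 'mangle as little as possible' SNAT choice (added example)."""
from dataclasses import dataclass, field


@dataclass
class SnatTable:
    # Public addresses available to SNAT, in preference order (assumed pool).
    addrs: list
    # Translated tuples currently in use, keyed the way the reply direction
    # must be unique: (nat_ip, nat_port, dst_ip, dst_port) -> original source.
    mappings: dict = field(default_factory=dict)

    def _in_use(self, ip, port, dst_ip, dst_port):
        return (ip, port, dst_ip, dst_port) in self.mappings

    def _claim(self, ip, port, dst_ip, dst_port, src):
        self.mappings[(ip, port, dst_ip, dst_port)] = src
        return ip, port

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the (nat_ip, nat_port) chosen for a new connection."""
        src = (src_ip, src_port)
        # Step 1: mangle only the address. Take the first pool address for
        # which the original port still yields an unused translated tuple.
        for ip in self.addrs:
            if not self._in_use(ip, src_port, dst_ip, dst_port):
                return self._claim(ip, src_port, dst_ip, dst_port, src)
        # Step 2: every address collides on this port, so the port has to be
        # mangled as well. Model: first free unprivileged port (assumption).
        for port in range(1024, 65536):
            for ip in self.addrs:
                if not self._in_use(ip, port, dst_ip, dst_port):
                    return self._claim(ip, port, dst_ip, dst_port, src)
        raise RuntimeError("SNAT pool exhausted for this destination")


def demo(addrs):
    """Run three hosts with the same source port through the table.

    Returns the translations in order, so the effect of a one-address pool
    versus a two-address pool can be compared directly.
    """
    table = SnatTable(list(addrs))
    dst = ("192.0.2.10", 80)
    return [
        table.translate("10.0.0.5", 1234, *dst),   # fresh table: IP only
        table.translate("10.0.0.6", 1234, *dst),   # same port, same dst
        table.translate("10.0.0.7", 1234, *dst),   # third collision
        table.translate("10.0.0.8", 1234, "192.0.2.11", 80),  # other dst
    ]


if __name__ == "__main__":
    print("one address: ", demo(["198.51.100.1"]))
    print("two addresses:", demo(["198.51.100.1", "198.51.100.2"]))
```

With a single address the second connection already needs a new port; with two addresses the second connection keeps port 1234 on the other address and only the third one is port-mangled. The last connection goes to a different destination, so its tuple does not collide and it keeps both the first address and its port.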

3.5 ip_conntrack: maximum limit of XXX entries exceeded

If you see this message in syslog, the connection tracking table is full: it does not have enough entries for your environment. Connection tracking by default handles up to 4096 simultaneous connections. To increase this limit, type:

echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max

Of course you can use any number which fits into an 'int' on your hardware (that is, 32 bits on most popular platforms). Bear in mind that every tracked connection occupies kernel memory for as long as its entry lives, so size the limit to the RAM of the box and to the number of connections you actually expect, not to the largest value the field accepts; a limit that is far too high just lets a flood of bogus connections eat memory instead of being dropped. On 2.6 and later kernels the same setting lives at /proc/sys/net/netfilter/nf_conntrack_max.
