Home / server / Questions / 43679
Accepted
reconbot
Asked: 2009-07-22 10:22:52 +0800 CST

Disable connection tracking with UFW for port 80

  • 772

During load testing my server is dropping packets due to "connection tracking" way before it's running out of resources. I'm using Ubuntu Jaunty with ufw. In my syslog I get:

ip_conntrack: table full, dropping packet.

I looked at upping the max connection table size, but I don't know of an advantage for tracking these connections on these ports. I would like to know how to use ufw to tell it not to track requests to port 80 and 443.

Clarifying

  • No natting needed, it's just a web server.

Thank you.

firewall linux ubuntu ufw

3 Answers

  1. iptables -A PREROUTING -p tcp --dport 80 -j NOTRACK 
iptables -A PREROUTING -p tcp --dport 443 -j NOTRACK

    will disable connection tracking just for these ports.

    • 4
  2. Best Answer

    Connection tracking is an on/off switch, you cannot selectively disable it for some kind of traffic. You should increase the number of connections tracked via varius nf_conntrack_max options under /proc/sys/net. You can also consider enabling syncookies to reduce congestion effects.

    Edit: It seems that iptables with -j NOTRACK allows you to disable connection tracking selectively.

    • 0

  3. Do you NAT? I believe without ip_conntrack you can't NAT.

    • -1