iptables – fall back to stateless filtering

lxgr asked:

Is it possible to make iptables fall back to stateless filtering under load, during an attack, etc., when the connection tracking tables are full and new connections are about to be dropped?

I’m aware that this would have some serious security implications, and the fallback rules should therefore be selected very conservatively. Also, NAT would unavoidably break when disabling connection tracking, but this is not an issue here (the host in question is an actual firewall).

Any solution would likely have two parts:

  • React to a full state table within iptables (that is, without parsing logs and modifying rules via a cron job or daemon)
  • Disable all or some stateful rules, or add some new, higher priority rules that accept packets before state tracking is applied

Can that be done? If not, is there a better way than detecting a table overflow via some kind of log parsing and reacting by insertion or deletion of rules, or unloading of the connection tracking module?

My answer:

If you’re running into a full connection tracking table, then simply enlarge it.

Set the following in /etc/sysctl.conf or a file which it includes:

net.ipv4.netfilter.ip_conntrack_max = 131072

(Raise the number until you have enough space.)

On much older Linux servers, you must use the equivalent old deprecated sysctl:

net.ipv4.ip_conntrack_max = 131072

To apply the change, reboot or run:

sysctl -p

View the full question and any other answers on Server Fault.
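
To judge how far the limit needs to be raised, it helps to measure how full the table is and whether the kernel has already logged drops. The script below is an added example, not part of the original question or answer; the function names are hypothetical, the log lines are constructed, and it assumes the kernel exposes either the newer nf_conntrack_count/nf_conntrack_max files or the older ip_conntrack_count/ip_conntrack_max files in the directory passed in.

```shell
#!/bin/sh
# Added example: conntrack table headroom check (function names are hypothetical).

# Constructed kernel log lines, for trying count_table_full_drops offline.
SAMPLE_LOG='kernel: nf_conntrack: table full, dropping packet
kernel: eth0: link up
kernel: ip_conntrack: table full, dropping packet.
kernel: nf_conntrack: table full, dropping packet'

# Print table usage as an integer percentage, given entry count and maximum.
conntrack_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo "invalid max: $max" >&2; return 2; }
    echo $(( count * 100 / max ))
}

# Count log lines on stdin that report drops caused by a full table.
# The pattern matches both the nf_conntrack and the older ip_conntrack prefix.
count_table_full_drops() {
    grep -c '_conntrack: table full, dropping packet' || true
}

# Print "count max" read from a sysctl directory.
# Tries the nf_conntrack_* files first, then the older ip_conntrack_* names.
read_conntrack() {
    dir=$1
    for prefix in nf_conntrack ip_conntrack; do
        if [ -r "$dir/${prefix}_count" ] && [ -r "$dir/${prefix}_max" ]; then
            echo "$(cat "$dir/${prefix}_count") $(cat "$dir/${prefix}_max")"
            return 0
        fi
    done
    return 1
}

# Report usage; status 0 below the warning threshold (default 80 percent),
# 1 at or above it, 2 if the counters cannot be read.
check_headroom() {
    dir=$1; warn_pct=${2:-80}
    vals=$(read_conntrack "$dir") || return 2
    set -- $vals
    pct=$(conntrack_usage_pct "$1" "$2") || return 2
    echo "conntrack: $1/$2 entries (${pct}%)"
    [ "$pct" -lt "$warn_pct" ]
}
```

On a live host, source the file and run `check_headroom /proc/sys/net/netfilter` (or `/proc/sys/net/ipv4/netfilter` on kernels that use the older sysctl names), and pipe the kernel log into `count_table_full_drops`.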

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.