how to modify the SNAT 16383 connection limit

how to modify the SNAT 16383 connection limit

Post by kyog.. » Sat, 26 Nov 2005 12:13:44

I setup a linux box to do the DNAT and the SNAT.

ipnat rule is
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8888 -j DNAT
-A POSTROUTING -o eth0 -p tcp -j SNAT --to-source

it works well, but I found the connection count can't go more then
16383, even
the machine has lots of RAM free and idle cpu. And this is the setting.



net.ipv4.ip_conntrack_max = 10458520
net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.netfilter.ip_conntrack_buckets = 1307315
net.ipv4.netfilter.ip_conntrack_max = 10458520

can anybody help me, how to tune the netfiler to support over 16383
connection without using another machine. Thank you.


1. 'snat' snats everything! (almost)

I have got some way with setting up iptables for firewalling and NAT
for my LAN. I have read most of the howtos, faqs and example iptables
setup scripts but I am now stuck!

I have set up iptables like this:
IPT="/sbin/iptables -v"               # Location of iptables binary plus
LAN_IF=eth0                     # LAN interface
WAN_IF=ppp0                     # WAN interface
LAN_IP=            # LAN IP addresses
WAN_IP=staticipaddress          # WAN IP address

# Change source IP address of Internet traffic before forwarding.
$IPT -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP

# Activate forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward

This works in that I can access the Internet from another machine on
the LAN (also news and ping). However it _doesn't_ work as expected in

New (i.e. opened after running the iptables script) ssh sessions
connections fail to connect, but old ones continue to work OK.

However smb works fine, even if Samba is restarted after running the

I thought that entries in the POSTROUTING table only acted on packets
that were on their way out of the box. Any explanations and
suggestions for getting ssh to work would be welcome.

Mark Atherton

2. Q: cdda2wav on other platforms ?

3. SNAT/MASQUERADE with two uplink connections

4. Superblock

5. Limit maximum TCP connections for NAT connection

6. GeForce 2 and Caldera eDesktop 2.4 installation problems

7. Can linux limit a 64K connection to a 32K or 16K connection

8. FAQ?

9. Modify Wietse Venema's rpcbind to limit ports used?

10. modifying in the kernel the user's default limits

11. how to modify postgresql startup script to enable tcp/ip connection?

12. How to modify "Reply To" address for a ppp connection?

13. Last-modify time on directories containing modified files