Hardy Heron installs just nicely, but it’s got some issues when it comes to moderate traffic loads and NAT state maintenance…

After installation of Hardy Heron, if you use netfilter/iptables to provide both security and NAT services you may run into issues with nf_conntrack not expiring connection-state entries fast enough. After some poking around on Google I was resigned to rebooting every day; that seemed crappy and almost Microsoft-like. So, taking a closer look at the system-level variables at my disposal with sysctl, I found:


########
# special additions for tcp speedups
net/ipv4/tcp_tw_reuse = 1
net/ipv4/tcp_tw_recycle = 1
net/core/somaxconn = 1024
net/ipv4/ip_local_port_range = 2048 65000
#
# nf_conntrack additions
net/netfilter/nf_conntrack_generic_timeout = 300
net/netfilter/nf_conntrack_tcp_timeout_established = 14400
net/netfilter/nf_conntrack_tcp_timeout_fin_wait = 20
net/netfilter/nf_conntrack_tcp_timeout_close_wait = 20
net/netfilter/nf_conntrack_tcp_timeout_last_ack = 10
net/netfilter/nf_conntrack_tcp_timeout_time_wait = 20
net/netfilter/nf_conntrack_tcp_timeout_close = 10
net/netfilter/nf_conntrack_udp_timeout = 10
net/netfilter/nf_conntrack_udp_timeout_stream = 30
net/netfilter/nf_conntrack_icmp_timeout = 5

This reduces some conntrack timeouts significantly; take:


net/netfilter/nf_conntrack_tcp_timeout_established = 14400

for instance, which was set to something on the order of 432000 seconds (432000/86400 = 5 days). So anything that didn’t end properly (apparently lots of spambots fall into this category) would stick around for almost 5 days. With a limit of 65k sessions in the nf_conntrack state table this is obviously a bad thing. So, add the above text to your /etc/sysctl.conf and reload it with sysctl -p /etc/sysctl.conf…
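Once the new values are loaded, the thing you actually want to know is whether the state table has stopped filling up and whether the kernel really took the settings. The script below is an added example, not code from the original post: it reports nf_conntrack_count against nf_conntrack_max, prints the key timeouts, and compares a sysctl.conf-style file (the slash or dotted key form shown above) against the live values. It assumes the usual /proc/sys layout (net/netfilter/nf_conntrack_count and nf_conntrack_max); the SYSFS_ROOT variable is a hypothetical override so the functions can be exercised against a scratch directory instead of a live kernel.

```shell
#!/bin/sh
# conntrack_check.sh: report nf_conntrack table pressure and verify sysctl tuning.
# SYSFS_ROOT is an assumption for testing: it defaults to /proc/sys and can be
# pointed at a directory tree that mimics it.
SYSFS_ROOT="${SYSFS_ROOT:-/proc/sys}"

# Squeeze runs of whitespace to single spaces so "2048 65000" (config) and
# "2048<TAB>65000" (kernel output) compare equal.
norm() {
    tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# Read one sysctl by key; accepts net.netfilter.x or net/netfilter/x.
# Prints nothing (and still returns 0) when the key does not exist,
# e.g. when the nf_conntrack module is not loaded.
read_sysctl() {
    f="$SYSFS_ROOT/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then
        cat "$f"
    fi
}

# Integer percentage of the conntrack table in use, or "unknown".
conntrack_usage_pct() {
    count=$(read_sysctl net.netfilter.nf_conntrack_count)
    max=$(read_sysctl net.netfilter.nf_conntrack_max)
    if [ -z "$count" ] || [ -z "$max" ] || [ "$max" -eq 0 ]; then
        echo unknown
        return 1
    fi
    echo $(( count * 100 / max ))
}

# Nagios-style verdict: 0 = OK, 1 = WARNING (>=75%), 2 = CRITICAL (>=90%).
conntrack_verdict() {
    pct=$(conntrack_usage_pct) || { echo "UNKNOWN"; return 2; }
    if [ "$pct" -ge 90 ]; then echo "CRITICAL ${pct}%"; return 2
    elif [ "$pct" -ge 75 ]; then echo "WARNING ${pct}%"; return 1
    else echo "OK ${pct}%"; return 0
    fi
}

# Print the timeouts most relevant to a NAT box that is filling its table.
report_timeouts() {
    for k in tcp_timeout_established tcp_timeout_time_wait tcp_timeout_close_wait \
             udp_timeout udp_timeout_stream generic_timeout; do
        printf '%-40s %s\n' "nf_conntrack_$k" "$(read_sysctl net.netfilter.nf_conntrack_$k)"
    done
}

# Compare every "key = value" line of a sysctl.conf-style file against the
# live values. Mismatches go to stderr; the count of mismatches goes to stdout.
check_config() {
    mismatches=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//')
        want=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//' | norm)
        have=$(read_sysctl "$key" | norm)
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: want '$want' have '$have'" >&2
            mismatches=$((mismatches + 1))
        fi
    done < "$1"
    echo "$mismatches"
}

# Typical interactive use on the gateway:
#   sh conntrack_check.sh            -> verdict plus the timeout table
#   check_config /etc/sysctl.conf    -> 0 when every line took effect
if [ "${1:-}" = "" ] && [ "$SYSFS_ROOT" = "/proc/sys" ]; then
    conntrack_verdict
    report_timeouts
fi
```

Run it from cron or a monitoring agent and alert on the WARNING/CRITICAL verdicts; a table that keeps creeping toward nf_conntrack_max after the timeouts were lowered means something other than stale established entries is consuming slots. One thing worth separating out: the tcp_tw_reuse and tcp_tw_recycle lines in the block above are host TCP settings, not conntrack settings, and tcp_tw_recycle is known to break connections from clients behind NAT (it was removed from the kernel in 4.12), so weigh it on its own rather than as part of the conntrack fix.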