Recently I'm having lots of problems on our small server, probably related to DDoS attacks. The logs fill with messages like
Code:
Mar 3 15:26:58 mothership kernel: nf_conntrack: table full, dropping packet.
Mar 3 15:26:58 mothership kernel: nf_conntrack: table full, dropping packet.
Mar 3 15:26:58 mothership kernel: nf_conntrack: table full, dropping packet.
Mar 3 15:26:58 mothership kernel: nf_conntrack: table full, dropping packet.
Mar 3 15:26:58 mothership kernel: nf_conntrack: table full, dropping packet.
Mar 3 15:27:03 mothership kernel: __ratelimit: 14222 callbacks suppressed
Mar 3 15:27:03 mothership kernel: nf_conntrack: table full, dropping packet.
And the server crashes hard (kernel panic, hard reset required). The admins of our network are helpless (it's an understaffed research institution with no professional IT personnel), they know there are some infected PCs on the network, but are unable to deal with the problem.
I do not use conntrack functionality in any of the containers, and I want to disable this module completely. I can't, however, remove the nf_conntrack modules, as they are shown to be used by other modules, including vzrst.
Code:
lsmod|grep conntrack
nf_conntrack_ipv4 9978 2 nf_nat
nf_defrag_ipv4 1531 1 nf_conntrack_ipv4
nf_conntrack 79944 6 xt_state,nf_conntrack_ipv4,vzcpt,nf_nat,vzrst,xt_NOTRACK
I do not have conntrack specified in vz.conf
Code:
~# cat /etc/vz/vz.conf|grep IPTABLES
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"
and I did not configure iptables on the proxmox server (only installed fail2ban).
I tried to disable tracking by doing
Code:
iptables -t raw -A PREROUTING -j NOTRACK
iptables -t raw -A OUTPUT -j NOTRACK
This helped a bit (the server stayed up a few days longer), but the problem returned.
How do I get rid of conntrack for good to keep my server running?
BTW, this is on pve-manager/3.1-21/93bf03d4 (running kernel: 2.6.32-26-pve)
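The "table full" messages mean nf_conntrack_count has hit nf_conntrack_max, so it helps to see how full the table is before the box falls over and how many packets the rate-limited log really represents. The script below is an added example, not code from the post or from Proxmox: it reads the two sysctl files (paths given as arguments, with constructed temp files in the demo), grades the utilization, and counts drops in a constructed log excerpt modelled on the messages above, adding in the callbacks __ratelimit reports as suppressed.

```shell
#!/bin/sh
# Added example, not from the original post: measure conntrack table pressure
# and count "table full" drops in a log excerpt. Sample data is constructed.

# conntrack_utilization COUNT_FILE MAX_FILE -> prints integer percent in use.
# On a live host the files are /proc/sys/net/netfilter/nf_conntrack_count
# and /proc/sys/net/netfilter/nf_conntrack_max.
conntrack_utilization() {
    count=$(cat "$1"); max=$(cat "$2")
    [ "$max" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# conntrack_status PERCENT -> prints OK/WARN/CRIT and returns 0/1/2,
# so a cron job can alert before the table actually fills.
conntrack_status() {
    if [ "$1" -ge 90 ]; then echo CRIT; return 2; fi
    if [ "$1" -ge 70 ]; then echo WARN; return 1; fi
    echo OK; return 0
}

# count_table_full_events LOGFILE -> logged drops plus the printk callbacks
# the kernel rate limiter suppressed (each suppressed callback was one more
# "table full" message, so this approximates the real number of drops).
count_table_full_events() {
    awk '/nf_conntrack: table full, dropping packet/ { n++ }
         /__ratelimit: [0-9]+ callbacks suppressed/ {
             for (i = 1; i <= NF; i++) if ($i == "__ratelimit:") n += $(i + 1) }
         END { print n + 0 }' "$1"
}

# make_sample_log -> path of a constructed excerpt modelled on the post's log.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar 3 15:26:58 mothership kernel: nf_conntrack: table full, dropping packet.
Mar 3 15:26:58 mothership kernel: nf_conntrack: table full, dropping packet.
Mar 3 15:27:03 mothership kernel: __ratelimit: 14222 callbacks suppressed
Mar 3 15:27:03 mothership kernel: nf_conntrack: table full, dropping packet.
Mar 3 15:27:05 mothership sshd[1234]: Accepted publickey for admin
EOF
    echo "$f"
}

# Demo on constructed values: 61000 of 65536 entries in use, plus the sample log.
cnt=$(mktemp); mx=$(mktemp); echo 61000 > "$cnt"; echo 65536 > "$mx"
pct=$(conntrack_utilization "$cnt" "$mx"); log=$(make_sample_log)
echo "conntrack table: ${pct}% used ($(conntrack_status "$pct" || true))"
echo "drops in sample log: $(count_table_full_events "$log")"
rm -f "$cnt" "$mx" "$log"
```

On a real host, call conntrack_utilization with the two /proc/sys/net/netfilter paths and feed count_table_full_events the syslog file instead of the constructed excerpt.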