2009 October 14

When the kernel logs "nf_conntrack: CT 0: table full, dropping packet", the connection tracking table is full and new connections are being dropped. Raise the limit:

echo 200000 > /proc/sys/net/netfilter/nf_conntrack_max

or, to make it persistent across reboots, put net.netfilter.nf_conntrack_max = 200000 in /etc/sysctl.conf

http://forum.openvz.org/index.php?t=msg&goto=36218&

By WladyX on 14 October, 2009 | General, Kernel, Ubuntu

Dante socks server

# Edit the config file, /etc/socks/sockd.conf, in your favorite editor.

In this file, logging is enabled via the syslog mechanism and the internal and external addresses are bound. Note that the internal bindings include a port specification while the external one does not.

The comments in the file are well written; I’d also spend a little time looking them over.

The details:

logoutput: syslog
internal: eth1 port = 1080
internal: 127.0.0.1 port = 1080
external: 1.2.3.4

# or

external: eth0

To allow full access (no username/password):

method: username none
# Not using authentication, so unnecessary
#user.privileged: proxy
user.notprivileged: nobody

The access controls for the sockd daemon come last. They are evaluated in the order they appear in the configuration file, and the first matching rule decides. Notice: don’t open your proxy server to the wild world – you’ve been warned.

The first three directives control which IP ranges have access to the server.
- from: is where the client IP ranges go. In my case it is the IP space the clients live in.
- to: is one of the IPs the proxy server is bound to that the given IP range may talk to. It is set to the addresses Dante/sockd is listening on.
The last of the three drops any request that doesn’t match either of the first two directives.

client pass {
from: 192.168.0.0/16 port 1-65535 to: 0.0.0.0/0
}

client pass {
from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}

client block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}

The next four rules control the ‘routing’, i.e. which SOCKS requests are let through once a client has been accepted.
- Requests from anywhere to the loopback addresses are dropped.
- Requests from the loopback addresses and from 192.168.0.0/16 are allowed to communicate over the tcp or udp protocols.
- Finally, everything else is dropped.

block {
from: 0.0.0.0/0 to: 127.0.0.0/8
log: connect error
}

pass {
from: 192.168.0.0/16 to: 0.0.0.0/0
protocol: tcp udp
}

pass {
from: 127.0.0.0/8 to: 0.0.0.0/0
protocol: tcp udp
}

block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
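Because sockd takes the first matching rule, the order of the blocks above matters. The following is an added example (not part of the original post or of Dante) that parses a constructed one-line copy of these rules and evaluates requests the way sockd does, first through the client rules and then through the socks rules; the function names and the sample addresses are my own.

```python
import ipaddress
import re

# Constructed copy of the rules from this post, one rule per line (sample input, not a real config).
SOCKD_RULES = """
client pass { from: 192.168.0.0/16 port 1-65535 to: 0.0.0.0/0 }
client pass { from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0 }
client block { from: 0.0.0.0/0 to: 0.0.0.0/0 log: connect error }
block { from: 0.0.0.0/0 to: 127.0.0.0/8 log: connect error }
pass { from: 192.168.0.0/16 to: 0.0.0.0/0 protocol: tcp udp }
pass { from: 127.0.0.0/8 to: 0.0.0.0/0 protocol: tcp udp }
block { from: 0.0.0.0/0 to: 0.0.0.0/0 log: connect error }
"""

RULE_RE = re.compile(r"(client\s+)?(pass|block)\s*\{([^}]*)\}")

def parse_rules(text):
    """Return (stage, verdict, from_net, to_net, protocols) tuples in file order."""
    rules = []
    for client, verdict, body in RULE_RE.findall(text):
        from_net = ipaddress.ip_network(re.search(r"from:\s*(\S+)", body).group(1))
        to_net = ipaddress.ip_network(re.search(r"to:\s*(\S+)", body).group(1))
        proto = re.search(r"protocol:\s*([\w ]+)", body)
        protocols = set(proto.group(1).split()) if proto else {"tcp", "udp"}
        rules.append(("client" if client else "socks", verdict, from_net, to_net, protocols))
    return rules

def first_match(rules, stage, src, dst, proto="tcp"):
    """Walk the rules in file order; the first matching rule decides, as sockd does."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_stage, verdict, from_net, to_net, protocols in rules:
        if r_stage == stage and src in from_net and dst in to_net and proto in protocols:
            return verdict
    return "block"  # nothing matched: sockd denies by default

def decide(rules, client_ip, listen_ip, target_ip, proto="tcp"):
    """Client rules judge client -> listening address, socks rules judge client -> target."""
    if first_match(rules, "client", client_ip, listen_ip) != "pass":
        return "client-blocked"
    if first_match(rules, "socks", client_ip, target_ip, proto) != "pass":
        return "socks-blocked"
    return "pass"

if __name__ == "__main__":
    rules = parse_rules(SOCKD_RULES)
    print(decide(rules, "192.168.1.20", "192.168.1.1", "93.184.216.34"))  # pass
    print(decide(rules, "192.168.1.20", "192.168.1.1", "127.0.0.1"))      # socks-blocked
    # Move the loopback block rule below the pass rules and the same request gets through:
    swapped = rules[:3] + rules[4:6] + [rules[3]] + rules[6:]
    print(decide(swapped, "192.168.1.20", "192.168.1.1", "127.0.0.1"))    # pass
```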

# Start Dante/sockd.

sockd -V   # verifies the configuration and exits
sockd -d   # enables debugging output to the console
The second command starts Dante in debugging mode.

http://linuxlore.blogspot.com/2006/10/gentoo-linux-howto-configure-socks.html
