I set up a Linux box to do the DNAT and the SNAT.
ipnat rule is:
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 202.9.123.123:8888
-A POSTROUTING -o eth0 -p tcp -j SNAT --to-source 202.10.6.4
It works well, but I found the connection count can't go higher than 16383, even though the machine has lots of free RAM and an idle CPU. And this is the setting:
kernel.pid_max=65536
net.ipv4.tcp_max_syn_backlog=4096
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_tw_reuse=1
net.core.rmem_max=16777216
net.core.wmem_max=1048576
net.core.wmem_default=1048576
net.ipv4.ip_conntrack_max = 10458520
net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.netfilter.ip_conntrack_buckets = 1307315
net.ipv4.netfilter.ip_conntrack_max = 10458520
Can anybody help me with how to tune netfilter to support over 16383 connections without using another machine? Thank you.
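Before raising more sysctls, it helps to confirm whether the tracking table is actually what stalls at 16383; the script below is an added example (not from the original post) that reports table usage and sums the conntrack drop counters. It assumes the current kernel names (/proc/sys/net/netfilter/nf_conntrack_count, nf_conntrack_max and /proc/net/stat/nf_conntrack; the poster's older kernel exposes them as ip_conntrack_*), and the counter file it parses is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: two checks to see whether the
# conntrack table itself is the cap. On the poster's kernel the counters live
# under net.ipv4.netfilter.ip_conntrack_*; the paths below are the modern names.

# usage_pct COUNT MAX: integer percentage of the tracking table in use.
# Live use: usage_pct "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" \
#                     "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"
usage_pct() {
    [ "$2" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# conntrack_drops FILE: sum of the "drop" and "early_drop" columns of
# /proc/net/stat/nf_conntrack (hex values, one row per CPU). Columns are
# located by header name because their order differs between kernel versions.
conntrack_drops() {
    total=0; d=0; e=0
    while read -r line; do
        set -- $line
        if [ "$d" -eq 0 ]; then            # header row: find the column indexes
            i=1
            for col in "$@"; do
                [ "$col" = drop ] && d=$i
                [ "$col" = early_drop ] && e=$i
                i=$((i + 1))
            done
            continue
        fi
        dv=$(eval "echo \${$d}"); ev=$(eval "echo \${$e}")
        total=$(( total + 0x$dv + 0x$ev ))
    done < "$1"
    echo "$total"
}

# Constructed sample of /proc/net/stat/nf_conntrack for a two-CPU box.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete search_restart
00003fff  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 0000000a 00000002 00000000 00000000 00000000 00000000 00000000
00003fff  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000003 00000000 00000000 00000000 00000000 00000000
EOF
echo "table usage: $(usage_pct 16383 10458520)%"      # 16383 of ip_conntrack_max
echo "packets dropped by conntrack: $(conntrack_drops "$SAMPLE")"
rm -f "$SAMPLE"
```

A usage near 0% with zero drops means the tracking table is not what limits the box at 16383, so the cause lies elsewhere in the NAT path.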