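#!/bin/bash
# Check the number of tracked connections and, when the conntrack table is
# close to its limit, raise the limit in steps.
#
# Usage: checknat [-status]
#   -status   additionally print the current table size, the limit and the
#             tail of the log file; on a box without a conntrack table it
#             prints "No NAT detected" instead.
#
# Intended to run as root (cron) on a NAT box. Steps, in order:
#   1. try to unload the netfilter/NAT modules (best effort, three rounds);
#      rmmod only removes modules whose use count is zero, so modules that
#      are actually in use are left alone - NOTE(review): confirm on the
#      target kernel that an active rule set really pins iptable_filter;
#   2. exit if no conntrack table is present afterwards;
#   3. apply the conntrack timeouts (ip_conntrack_tcp_timeout_established is
#      the one that dominates the table size);
#   4. if the table is within HEADROOM entries of ip_conntrack_max, raise the
#      limit, but never past the hard cap - every tracked connection costs
#      kernel memory, so the cap keeps a connection flood from growing the
#      table without bound.
#
# The /proc paths are those of the old ip_conntrack stack; newer kernels
# expose the same knobs under /proc/sys/net/netfilter/nf_conntrack_* and
# list the table in /proc/net/nf_conntrack.

set -euo pipefail

readonly LOG_FILE=/var/log/checknat.log
readonly NF_SYSCTL=/proc/sys/net/ipv4/netfilter
readonly CONNTRACK_TABLE=/proc/net/ip_conntrack
readonly CONNTRACK_MAX=/proc/sys/net/ipv4/ip_conntrack_max

# Limit management. We act once fewer than HEADROOM entries are free; the new
# limit is (old limit - HEADROOM + GROW_STEP), i.e. +4000 per run with the
# values below; growth stops once (old limit - HEADROOM) reaches HARD_CAP.
readonly HEADROOM=4000
readonly GROW_STEP=8000
readonly HARD_CAP=56000

# Modules that are unloaded when idle.
readonly -a NAT_MODULES=(ip_nat iptable_nat ip_conntrack ip_tables iptable_filter ipt_REJECT)

# Timeouts in seconds, written to $NF_SYSCTL/ip_conntrack_<name>.
# tcp_timeout_established is 6 hours; it is the main driver of table size.
readonly -a TIMEOUTS=(
  generic_timeout=50
  tcp_timeout_close=5
  tcp_timeout_close_wait=60
  tcp_timeout_fin_wait=120
  tcp_timeout_time_wait=60
  udp_timeout=10
  tcp_timeout_established=21600
)

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Append a "<date> <message>" line to the log file.
# Globals:   LOG_FILE (appended)
# Arguments: message words
#######################################
log() {
  printf '%s %s\n' "$(date)" "$*" >> "$LOG_FILE"
}

#######################################
# Number of entries currently in the conntrack table (one line per entry).
# Globals:   CONNTRACK_TABLE (read)
# Outputs:   the count on stdout
#######################################
conntrack_count() {
  wc -l < "$CONNTRACK_TABLE"
}

#######################################
# Try three times to unload the idle netfilter modules. Failures are
# expected (module in use or already gone) and deliberately ignored;
# all rmmod output is discarded.
# Globals:   NAT_MODULES (read)
#######################################
unload_idle_modules() {
  local attempt
  for attempt in 1 2 3; do
    /sbin/rmmod "${NAT_MODULES[@]}" >/dev/null 2>&1 || true
  done
}

#######################################
# Write every entry of TIMEOUTS to its sysctl file. A knob that is missing
# or not writable is reported on stderr and skipped instead of aborting,
# so the limit check below still runs.
# Globals:   NF_SYSCTL, TIMEOUTS (read)
#######################################
apply_timeouts() {
  local spec knob value
  for spec in "${TIMEOUTS[@]}"; do
    knob="${NF_SYSCTL}/ip_conntrack_${spec%%=*}"
    value=${spec#*=}
    if [[ -w "$knob" ]]; then
      printf '%s\n' "$value" > "$knob"
    else
      printf 'checknat: cannot write %s, skipping\n' "$knob" >&2
    fi
  done
}

#######################################
# Raise ip_conntrack_max when the table is within HEADROOM of the limit,
# unless the hard cap has been reached; both outcomes are logged.
# Globals:   CONNTRACK_MAX (read/written), HEADROOM, GROW_STEP, HARD_CAP
# Returns:   0; a failed write to CONNTRACK_MAX aborts under set -e
#######################################
adjust_limit() {
  local limit threshold count new_limit
  limit=$(< "$CONNTRACK_MAX")
  threshold=$(( limit - HEADROOM ))
  count=$(conntrack_count)

  # Enough free entries: nothing to do.
  (( count > threshold )) || return 0

  if (( threshold < HARD_CAP )); then
    new_limit=$(( threshold + GROW_STEP ))
    log "Increasing conntrack table size to $new_limit"
    printf '%s\n' "$new_limit" > "$CONNTRACK_MAX"
  else
    log "Conntrack table upper limit reached"
  fi
}

#######################################
# Print the current table size, the limit and the tail of the log file
# (the log tail is skipped when the file does not exist yet).
# Globals:   CONNTRACK_MAX, LOG_FILE (read)
#######################################
print_status() {
  printf 'Conntrack TBL = %s\n' "$(conntrack_count)"
  printf 'Conntrack MAX = %s\n' "$(< "$CONNTRACK_MAX")"
  if [[ -r "$LOG_FILE" ]]; then
    tail "$LOG_FILE"
  fi
}

#######################################
# Entry point.
# Arguments: optional "-status"
# Returns:   0 when no conntrack table is present or after a normal run
#######################################
main() {
  local want_status=0
  if [[ "${1-}" == "-status" ]]; then
    want_status=1
  fi

  unload_idle_modules

  # Presence of this knob is the marker that the conntrack table is in use.
  if [[ ! -e "${NF_SYSCTL}/ip_conntrack_tcp_timeout_established" ]]; then
    if (( want_status )); then
      echo "No NAT detected"
    fi
    exit 0
  fi

  # Everything past this point writes to /proc/sys; fail clearly instead of
  # with a string of "Permission denied" errors.
  (( EUID == 0 )) || die "checknat: must be run as root"

  apply_timeouts
  adjust_limit

  if (( want_status )); then
    print_status
  fi
}

main "$@"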