When i have the problem with "nf_conntrack: table full, dropping packet"
the problem was solved after i read this article from:
nf_conntrack: table full, dropping packet.
If you see this message "nf_conntrack: table full, dropping packet" in your syslog on a Linux box, it's likely that it's having comms problems. I saw this recently on a DNS server that looked like it was being attacked. The problem is that when this happens, normal DNS resolution is interrupted.
I haven't found a decent solution yet, but it seems that if the system has lots of RAM then you can increase the nf_conntrack_max kernel parameter (my system is running iptables, which I assume the "netfilter" module has something to do with).
On a 2.6 kernel, you can go to /proc/sys/net/netfilter and check some of the values. For instance, nf_conntrack_count shows you the current value while nf_conntrack_max is the maximum value that is set.
You can just cat these values or use sysctl to view them:
# sysctl net.netfilter.nf_conntrack_max
net.netfilter.nf_conntrack_max = 65536
# sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 45033
To change the value, use the -w switch (in this example I've doubled the value):
# sysctl -w net.netfilter.nf_conntrack_max=131072
I think that in order to make this permanent across reboots, you'll need to add this line to the bottom of /etc/sysctl.conf:
TCP Tuning Guide: