kernel: Out of socket memory
kernel: __ratelimit: 1 callbacks suppressed
kernel: possible SYN flooding on port 5222. Sending cookies.
kernel: TCP: time wait bucket table overflow
kernel: nf_conntrack: table full, dropping packet.
1. Do not use the nf_conntrack module
First remove the state module, because using it requires loading nf_conntrack. Make sure no rule in the iptables ruleset uses the state module; if one is present, remove it:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Then comment out the following line in /etc/sysconfig/iptables-config:
IPTABLES_MODULES="ip_conntrack_netbios_ns"
2. Use the raw table so connections are not tracked
The raw table in iptables is concerned with packet tracking and is essentially used for one thing: marking packets that should not be connection-tracked with NOTRACK. In other words, once a connection hits -j NOTRACK, conntrack will not track that connection. The raw table takes priority over mangle, nat and filter, and contains the PREROUTING and OUTPUT chains. When -t raw is used, the system automatically loads the iptable_raw module (the module must exist). The raw table did not exist in 2.4 and early 2.6 kernels unless they were patched; current systems should all support it:
$ sudo iptables -A FORWARD -m state --state UNTRACKED -j ACCEPT
$ sudo iptables -t raw -A PREROUTING -p tcp -m multiport --dport 80,81,82 -j NOTRACK
$ sudo iptables -t raw -A OUTPUT -p tcp -m multiport --sport 80,81,82 -j NOTRACK
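As an added example (not part of the original post), the following script audits an iptables-save dump against the two approaches above: it lists every rule whose match requires nf_conntrack (step 1 expects this list to be empty; note that -m state --state UNTRACKED also loads the module) and the ports exempted by NOTRACK in the raw table (step 2). The ruleset is a constructed sample, not output from a real host.

```python
import re

# Constructed sample of `iptables-save` output (not from a live system).
SAMPLE_RULES = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m multiport --dports 80,81,82 -j NOTRACK
-A OUTPUT -p tcp -m multiport --sports 80,81,82 -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state UNTRACKED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """Yield (table, rule) pairs from iptables-save formatted text."""
    table = None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            yield table, line.strip()


def audit(text):
    """Return rules that need nf_conntrack and ports exempted via NOTRACK."""
    tracked_rules = []     # any -m state / -m conntrack match loads nf_conntrack
    notrack_ports = set()  # ports covered by a raw-table NOTRACK rule
    for table, rule in parse_rules(text):
        if table == "raw" and rule.endswith("-j NOTRACK"):
            m = re.search(r"--(?:dports?|sports?) (\S+)", rule)
            if m:
                notrack_ports.update(m.group(1).split(","))
        elif re.search(r"-m (?:state|conntrack)\b", rule):
            tracked_rules.append((table, rule))
    return {"tracked_rules": tracked_rules,
            "notrack_ports": sorted(notrack_ports)}


if __name__ == "__main__":
    result = audit(SAMPLE_RULES)
    for table, rule in result["tracked_rules"]:
        print(f"needs nf_conntrack [{table}]: {rule}")
    print("NOTRACK ports:", ", ".join(result["notrack_ports"]))
```

Run it on a real host with `iptables-save | python3 audit.py` after replacing SAMPLE_RULES with `sys.stdin.read()`.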