23Nov/110
Why not to use -m state and --state with iptables
Something I learned recently:
The iptables tool is wonderful, especially if you're suddenly getting a lot of traffic that you don't want. Recently, I've been seeing a message in the logs, warning "ip_conntrack: table full, dropping packet."
"WTF? How can the connection tracking table be full? I'm not using connection tracking..."
It turns out that rules that use the "match" plugin and check a connection's state start tracking that connection, just in case you ever want to match against ESTABLISHED or RELATED states. Let me explain with an example.
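As an added example, not code from the original post, here is a small POSIX shell audit script that checks for the situation described above: it scans an `iptables-save` dump (a constructed sample is embedded so it runs offline) for rules that use `-m state` or `-m conntrack`, because loading either match module brings in the connection-tracking code, which then tracks every connection passing through the host, not only the ones those rules see. It also computes how full the tracking table is from the count/max values the kernel exposes under `/proc/sys/net/netfilter/` (`nf_conntrack_count`, `nf_conntrack_max`) or, on older kernels, `/proc/sys/net/ipv4/netfilter/ip_conntrack_*`. The function names, the sample addresses and the 90% threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): find rules that engage
# connection tracking and report how close the conntrack table is to full.

# Constructed sample of `iptables-save` output (not from a real host).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j DROP
COMMIT'

# Print only the rules that load the state/conntrack match module; the
# presence of any such rule is what makes the kernel track connections.
conntrack_rules() {
    printf '%s\n' "$1" | grep -E -e '-m (state|conntrack)'
}

# Number of rules that engage connection tracking.
count_conntrack_rules() {
    conntrack_rules "$1" | wc -l | tr -d ' '
}

# Percentage of the tracking table in use, from count and max values.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Succeed (exit 0) when usage is at or above the threshold (default 90%),
# i.e. when "table full, dropping packet" is imminent.
conntrack_table_near_full() {
    pct=$(conntrack_usage_pct "$1" "$2")
    [ "$pct" -ge "${3:-90}" ]
}

# Read the live values if this host exposes them (newer and older paths);
# fails quietly on systems without connection tracking loaded.
live_conntrack_pct() {
    for base in /proc/sys/net/netfilter/nf_conntrack \
                /proc/sys/net/ipv4/netfilter/ip_conntrack; do
        if [ -r "${base}_count" ] && [ -r "${base}_max" ]; then
            conntrack_usage_pct "$(cat "${base}_count")" "$(cat "${base}_max")"
            return 0
        fi
    done
    return 1
}

# Usage: audit the constructed sample, then the live table where available.
echo "rules that engage connection tracking:"
conntrack_rules "$SAMPLE_RULES"
echo "count: $(count_conntrack_rules "$SAMPLE_RULES")"
echo "sample table usage: $(conntrack_usage_pct 58000 65536)%"
if live=$(live_conntrack_pct); then
    echo "live table usage: ${live}%"
fi
```

On a live host, replace `SAMPLE_RULES` with the output of `iptables-save`; a rule set with zero matches and no other conntrack consumer (NAT, for instance) should not produce the "table full" message at all, while one or more matches means the whole box's traffic is being tracked and `nf_conntrack_max` has to be sized for it.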