Workaround against "nf_conntrack … dropping packets error" and "Denial of Service" attacks from internal network

files/sn_startup.exit.sh.j2

@@ -1,4 +1,5 @@
 #!/bin/sh
+# Version 1.7
 
 curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
 
@@ -53,6 +54,16 @@ done
 
 sleep 5
 
+# Fixing the nf_conntrack … dropping packets error
+# hashsize = nf_conntrack_max / 4
+sysctl -w net.netfilter.nf_conntrack_max=131072
+echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
+
+# Against Denial of Service attacks from internal network
+# Check with: sysctl -a | grep conntrack | grep timeout
+sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout=240
+sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
+
 # restart bird
 /bin/systemctl start bird
 /bin/systemctl start bird6

files/sn_startup.sh.j2

@@ -1,4 +1,5 @@
 #!/bin/sh
+# Version 1.7
 
 curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
 
@@ -48,6 +49,16 @@ done
 
 sleep 5
 
+# Fixing the nf_conntrack … dropping packets error
+# hashsize = nf_conntrack_max / 4
+sysctl -w net.netfilter.nf_conntrack_max=131072
+echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
+
+# Against Denial of Service attacks from internal network
+# Check with: sysctl -a | grep conntrack | grep timeout
+sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout=240
+sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
+
 # Start tunneldigger
 /bin/systemctl restart tunneldigger
 /bin/systemctl enable tunneldigger