/sys/module/nf_conntrack/parameters/hashsize# /sbin/sysctl -w net/netfilter/nf_conntrack_max=2000000Remember to set your own limits and calculate the memory usage. In this example, 2 million entries times 288 bytes = max 576.0 MB of potential memory usage. For the hash, each hash list "head" is only 8 bytes times 1 million is only 8 MB of fixed allocated memory (mind your CPU's L3 cache-size when choosing the hash size).Considerations when using SYNPROXYEnabling SYNPROXY does comes at a cost. The connection establishment phase is going to be slower due to the extra connection setup needed towards the end-host. When the end-host is localhost, then this extra step is obviously very fast but nonetheless adds latency.The parameters to the SYNPROXY target module must match TCP options and settings supported by the end-host that the TCP connections are being proxied for. Detecting and setting this up is manually done per rule setting. (A helper tool "nfsynproxy" is part of iptables release 1.4.21). This unfortunately means the module cannot be easily deployed in DHCP-based firewall environments.In the future, the plan is to auto detect end-host TCP options. This is being tracked in Red Hat BZ 1059679, and is waiting for customers requesting this feature (...does anybody get this hint?).For more information, please check out my DevConf.cz 2014 talk on "DDoS protection using Netfilter/iptables" or, alternatively, you can watch the video or access my slides." />