Full Nat on Linux with many connections
If you notice the following message in syslog, it looks like the conntrack database doesn't have enough entries for your environment. Connection tracking by default handles up to a certain number of simultaneous connections. This number is dependent on you system's maximum memory size (at 64MB: 4096, 128MB: 8192, ...).
You can easily increase the number of maximal tracked connections, but be aware that each tracked connection eats about 350 bytes of non-swappable kernel memory!
To increase this limit to e.g. 8192, type:
echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max
To optimize performance, please also raise the number of hash buckets by using the
hashsizemodule loadtime parameter of the
ip_conntrack.omodule. Please note that due to the nature of the current hashing algorithm, an even hash bucket count (and esp. values of the power of two) are a bad choice.
Example (with 1023 buckets):
modprobe ip_conntrack hashsize=1023
Note: the conntrack table gets congested by connections between other computers when the lan interface is in promiscuous mode (e.g. in a bridged configuration). Apply a filter.