Ubuntu: Disable nf_conntrack



Question:

How would I go about disabling the nf_conntrack module in Ubuntu 12.04? I am trying to run an HAProxy on an Ubuntu server, and nf_conntrack is giving me problems when it is running. I haven't been able to find any documentation on disabling it.

Thank you


Solution 1:

nf_conntrack is built into the kernel... You can't disable it:

# lsmod | grep con
nf_conntrack_ipv4      14487  2
nf_defrag_ipv4         12729  1 nf_conntrack_ipv4
nf_conntrack           83275  6 ipt_MASQUERADE,nf_nat,xt_state,nf_nat_ipv4,iptable_nat,nf_conntrack_ipv4

nf_conntrack is the kernel's module for handling network communication:

# rmmod nf_conntrack

Error: Module nf_conntrack is in use by: ipt_MASQUERADE nf_nat xt_state nf_nat_ipv4 iptable_nat nf_conntrack_ipv4

If you need it disabled you can try and disable all the modules that depend on it; but you may find that's not possible. I, for one, like a networked system so I'm not even going to try it ;)


Solution 2:

1) Remove any reference to the state module in iptables. So, no rules like:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

The state module requires the nf_conntrack (ip_conntrack) module.

2) Remove the following line (if it exists) in /etc/sysconfig/iptables-config:

IPTABLES_MODULES="ip_conntrack_netbios_ns"

That module requires ip_conntrack, which we are trying to ditch.

3) Reload iptables without your state rules:

sudo iptables -F    # add your real rules

4) Drop the modules. I had to use:

sudo modprobe -r xt_NOTRACK nf_conntrack_netbios_ns nf_conntrack_ipv4 xt_state
sudo modprobe -r nf_conntrack

Confirm you don't have a reference to /proc/net/nf_conntrack.
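A pre-flight check for steps 1 and 4 of the procedure above, added here as an example and not part of either answer: it lists the firewall rules that depend on connection tracking (`-m state` and its newer equivalent `-m conntrack`) and the modules `lsmod` reports as users of nf_conntrack, which are exactly what must be removed before `modprobe -r nf_conntrack` can succeed. The `iptables-save` and `lsmod` samples are constructed; `check_live` is a hypothetical wrapper that runs the same checks against the real commands.

```shell
#!/bin/sh
# Added example, not from the original answers. Runs on constructed sample
# input so it works offline; check_live() applies it to a real host.

# Constructed sample of `iptables-save` output (not captured from a host).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample of `lsmod` output (not captured from a host).
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack_ipv4      14487  2
nf_defrag_ipv4         12729  1 nf_conntrack_ipv4
xt_state               12578  1
nf_conntrack           83275  6 ipt_MASQUERADE,nf_nat,xt_state,nf_nat_ipv4,iptable_nat,nf_conntrack_ipv4'

# Print every rule that needs connection tracking ("-m state" or "-m conntrack").
# These are the rules step 1 says must go; without nf_conntrack they cannot load.
stateful_rules() {
  printf '%s\n' "$1" | grep -E -- '-m (state|conntrack)'
}

# Print the modules lsmod lists in the "Used by" column of nf_conntrack,
# space-separated. Each must be unloaded before nf_conntrack itself (step 4).
conntrack_users() {
  printf '%s\n' "$1" | awk '$1 == "nf_conntrack" { gsub(",", " ", $4); print $4 }'
}

# Hypothetical wrapper for a live system; iptables-save needs root.
check_live() {
  stateful_rules "$(iptables-save)"
  conntrack_users "$(lsmod)"
}

# Demonstration on the constructed samples.
stateful_rules "$SAMPLE_RULES"
conntrack_users "$SAMPLE_LSMOD"
```

Every rule `stateful_rules` reports is stateful filtering you lose once the module is gone, so write the explicit stateless replacements before the `iptables -F` in step 3 rather than after.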
