How do I disable the nf_conntrack kernel module in CentOS 5.3 without recompiling the kernel?
Solution 1:
- Remove any reference to the state module in iptables. So, no rules like
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  The state module requires the nf_conntrack (ip_conntrack) module.
- Remove the following line (if it exists) in /etc/sysconfig/iptables-config:
      IPTABLES_MODULES="ip_conntrack_netbios_ns"
  That module requires ip_conntrack, which we are trying to ditch.
- Reload iptables without your state rules:
      sudo iptables -F
      # add your real rules
- Drop the modules. I had to use:
      sudo modprobe -r xt_NOTRACK nf_conntrack_netbios_ns nf_conntrack_ipv4 xt_state
      sudo modprobe -r nf_conntrack
  Confirm you don't have a reference to /proc/net/nf_conntrack.
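A pre-flight audit for the steps in this answer, added here as an example (not part of the answer): it scans a ruleset for matches and targets that keep conntrack loaded, checks iptables-config for the helper module, and reads the "Used by" column of lsmod to get the unload order. The helpers are plain text filters, so they run against the constructed samples below as well as against live `iptables-save`, `/etc/sysconfig/iptables-config` and `lsmod` output; the NAT targets are included because the nat table needs connection tracking too.

```shell
#!/bin/sh
# Pre-flight audit before unloading nf_conntrack on a CentOS 5 box.
# Added example, not part of the answer above. Live usage:
#   conntrack_refs_in_rules "$(iptables-save)"
#   iptables_config_loads_conntrack "$(cat /etc/sysconfig/iptables-config)"
#   modules_holding_conntrack "$(lsmod)"

# Print ruleset lines (iptables-save format) that keep conntrack in use:
# the state/conntrack matches, and NAT targets, which also need it.
# Exit status is grep's: 0 when something was found.
conntrack_refs_in_rules() {
    printf '%s\n' "$1" | grep -E -e '-m (state|conntrack)|-j (MASQUERADE|SNAT|DNAT|REDIRECT)'
}

# Print the IPTABLES_MODULES line if it pulls in a conntrack helper module.
iptables_config_loads_conntrack() {
    printf '%s\n' "$1" | grep -E -e '^[[:space:]]*IPTABLES_MODULES=.*conntrack'
}

# From lsmod output, print the modules listed under "Used by" for
# nf_conntrack, space separated: remove these before nf_conntrack itself.
modules_holding_conntrack() {
    printf '%s\n' "$1" | awk '$1 == "nf_conntrack" { print $4 }' | tr ',' ' '
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
CLEAN_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'
SAMPLE_CONFIG='IPTABLES_MODULES="ip_conntrack_netbios_ns"
IPTABLES_SAVE_ON_STOP="no"'
SAMPLE_LSMOD='Module                  Size  Used by
xt_NOTRACK              2816  0
nf_conntrack_netbios_ns 3584  0
nf_conntrack_ipv4      11272  2
xt_state                2944  0
nf_conntrack           61352  4 xt_NOTRACK,nf_conntrack_netbios_ns,nf_conntrack_ipv4,xt_state'

# Report on the samples: two lines from SAMPLE_RULES, none from CLEAN_RULES.
echo "rules still needing conntrack:"
conntrack_refs_in_rules "$SAMPLE_RULES"
echo "config line loading a conntrack helper:"
iptables_config_loads_conntrack "$SAMPLE_CONFIG"
echo "unload these first, then nf_conntrack:"
modules_holding_conntrack "$SAMPLE_LSMOD"
```

Run it once before the `modprobe -r` step; anything the first two functions print will reload nf_conntrack the next time iptables starts, and the third function's output is the module list to hand to `modprobe -r` ahead of nf_conntrack.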
Solution 2:
- What about adding the module to /etc/modprobe.d/blacklist.conf?
- Have you tried:
      rmmod -f modulename
  Although:
      -f --force  This option can be extremely dangerous: it has no effect unless CONFIG_MODULE_FORCE_UNLOAD was set when the kernel was compiled. With this option, you can remove modules which are being used, or which are not designed to be removed, or have been marked as unsafe (see lsmod(8)).
Solution 3:
If you are running Haproxy, you need two types of rules in iptables to disable conntrack on port 80: ones for the connections from the clients to your balancer and others from your balancer to the backends.
Here is a valid example:
    iptables -t raw -I PREROUTING -p tcp --dport 80 -j NOTRACK
    iptables -t raw -I PREROUTING -p tcp --sport 80 -j NOTRACK
    iptables -t raw -I OUTPUT -p tcp --dport 80 -j NOTRACK
    iptables -t raw -I OUTPUT -p tcp --sport 80 -j NOTRACK
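The same four-rule pattern generalised to any port and protocol, added here as an example (not the answer's own code): one function prints the raw-table NOTRACK commands for both chains and both directions, and a second checks a saved raw table for all four. The check matters on CentOS 5, whose iptables has no `-C`/`--check`, so re-running the `-I` commands blindly stacks duplicate rules. It assumes `iptables-save` prints rules as `-A CHAIN ... -p tcp ... --dport 80 ... -j NOTRACK` (rules added with `-I` are still saved as `-A` lines).

```shell
#!/bin/sh
# Added example, not from the answer above: generate the NOTRACK rules for a
# service port and verify a saved raw table contains all four of them.
# Assumes iptables-save output of the form
#   -A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK

# Print the four iptables commands for a port: both chains (traffic arriving
# at the host, traffic leaving it) and both directions (dport, sport).
# $1 = port, $2 = protocol (default tcp).
notrack_rules() {
    port=$1; proto=${2:-tcp}
    for chain in PREROUTING OUTPUT; do
        for dir in dport sport; do
            echo "iptables -t raw -I $chain -p $proto --$dir $port -j NOTRACK"
        done
    done
}

# Given "iptables-save -t raw" output, print each missing chain/direction for
# the port and return 1; return 0 when all four rules are present.
# $1 = saved raw table, $2 = port, $3 = protocol (default tcp).
missing_notrack() {
    saved=$1; port=$2; proto=${3:-tcp}; rc=0
    for chain in PREROUTING OUTPUT; do
        for dir in dport sport; do
            if ! printf '%s\n' "$saved" | grep -q -E -e "^-A $chain .*-p $proto .*--$dir $port .*-j NOTRACK"; then
                echo "$chain --$dir $port"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample of a raw table that lacks the OUTPUT --sport rule.
SAMPLE_RAW='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK
-A PREROUTING -p tcp -m tcp --sport 80 -j NOTRACK
-A OUTPUT -p tcp -m tcp --dport 80 -j NOTRACK
COMMIT'

echo "commands for port 80:"
notrack_rules 80
echo "missing from the sample raw table:"
missing_notrack "$SAMPLE_RAW" 80 || echo "(not all NOTRACK rules present)"
# Live usage: missing_notrack "$(iptables-save -t raw)" 80 && echo "all present"
```

Because the rules are in the raw table they are consulted before conntrack sees the packet, so both the client-facing and backend-facing legs must be covered: a missing OUTPUT --sport rule, as in the sample, leaves the balancer's replies to clients being tracked.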