Disabling Conntrack? (ZeroShell forum, Network Management)
This topic has 2 replies, 2 voices, and was last updated 2 years, 8 months ago by Stefan Groß.
May 23, 2019 at 7:55 am #65162
Stefan Groß (Participant):
Hi, I wonder what is the recommended way to disable all conntrack-related modules in the zeroshell kernel. I don’t use any “--state” in iptables and can disable the modules with modprobe during runtime. But how to make this survive reboots?
__
s.

May 31, 2019 at 12:01 pm #65174
shubhu puj (Participant):
Thanks for sharing….
May 31, 2019 at 1:17 pm #65175
Stefan Groß (Participant):
Sorry, here’s how to:
Find all netfilter rules with some “state” statements:
root@zeroshell ~> iptables-save | grep state
-A SYS_INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A SYS_INPUT -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A SYS_INPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A SYS_INPUT -p tcp -m tcp --sport 8245 -m state --state ESTABLISHED -j ACCEPT
-A SYS_INPUT -p udp -m udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
That’s the output on zeroshell 3.9.1 if you haven’t made some on your own. They’re all in the “filter” table. *Caution*: the following will break intended and documented behaviour of zeroshell, so be aware of the consequences yourself. Removing the rules can simply be done by copy-pasting them with -D instead of -A into the “Post Boot” script in Setup > Scripts/Cron:
iptables -t filter -D SYS_INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT ...
In the same script you can enter the filter-rules you wish instead, if any.
Then check for all loaded conntrack modules:
root@zeroshell ~> lsmod | grep conntrack
xt_conntrack 16384 5
nf_conntrack_netlink 32768 0
nf_conntrack_tftp 16384 1 nf_nat_tftp
nf_conntrack_pptp 16384 1 nf_nat_pptp
nf_conntrack_proto_gre 16384 1 nf_conntrack_pptp
nf_conntrack_irc 16384 1 nf_nat_irc
nf_conntrack_sip 28672 1 nf_nat_sip
nf_conntrack_ftp 16384 1 nf_nat_ftp
nf_conntrack_h323 49152 1 nf_nat_h323
The first column is the module name, the second memory usage, the third tells how many processes use the module, and the fourth tells the names of other modules using the module, if any.
Remove modules by
modprobe -r [name]
starting with modules in reverse dependency order, and put all these commands in the same script as the iptables ones.

I had to remove conntrack for debugging some SIP connection problems, but turned it on again after it turned out that conntrack (the SIP ALG and conntrack’s UDP timeouts) was not responsible. I don’t advise turning it off; please try only in sandboxes and be aware that you’re on your own handling all the effects.
__
s.
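As an added example (not code from the thread or from ZeroShell), a shell script that automates the two steps in the reply above: it derives the -D commands from iptables-save output and computes a safe modprobe -r order from lsmod output. The sample listings are constructed to resemble the ones posted, and the nf_nat_tftp, nf_nat_pptp and nf_conntrack entries are assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for the two steps above, built on
# iptables-save and lsmod text. Sample data is constructed to mirror the listings.

# Constructed iptables-save excerpt: two state rules plus one rule without the match.
SAMPLE_RULES='*filter
-A SYS_INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A SYS_INPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A SYS_INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed lsmod excerpt (Module Size Used-by-count Used-by), nf_conntrack included.
SAMPLE_LSMOD='Module Size Used by
xt_conntrack 16384 5
nf_conntrack_tftp 16384 1 nf_nat_tftp
nf_nat_tftp 16384 0
nf_conntrack_pptp 16384 1 nf_nat_pptp
nf_conntrack_proto_gre 16384 1 nf_conntrack_pptp
nf_nat_pptp 16384 0
nf_conntrack 139264 6 xt_conntrack,nf_conntrack_tftp,nf_nat_tftp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_nat_pptp'

# Print "iptables -t <table> -D <rule>" for each rule on stdin that uses the state
# match; the table comes from the preceding "*table" line (all "filter" on ZeroShell).
state_rules_to_delete() {
  awk '/^\*/ { table = substr($0, 2); next }
       /^-A / && / -m state / { sub(/^-A /, ""); print "iptables -t " table " -D " $0 }'
}

# Print conntrack/nf_nat modules from lsmod output on stdin in an order that is safe
# for "modprobe -r" one by one: a module appears only after every module in its
# "Used by" column has appeared. A use count with an empty "Used by" (xt_conntrack)
# means iptables rules still hold it, which is why the -D commands must run first.
conntrack_unload_order() {
  awk 'NR > 1 { loaded[$1] = 1; if ($1 ~ /conntrack|nf_nat/) { cand[$1] = 1; users[$1] = $4 } }
       END {
         left = 0; for (m in cand) left++
         while (left > 0) {
           list = ""
           for (m in cand) {
             k = split(users[m], u, ","); blocked = 0
             for (i = 1; i <= k; i++) if (u[i] in loaded) blocked = 1
             if (!blocked) list = list m " "
           }
           n = split(list, r, " ")
           if (n == 0) { for (m in cand) print "still held: " m " by " users[m] > "/dev/stderr"; exit 1 }
           for (i = 1; i <= n; i++) { print r[i]; delete cand[r[i]]; delete loaded[r[i]]; left-- }
         }
       }'
}
```

On a live box, `iptables-save | state_rules_to_delete` and `lsmod | conntrack_unload_order | sed 's/^/modprobe -r /'` produce the lines to paste into the Post Boot script, rules first and modules second.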