Disabling Conntrack?

Forums Network Management ZeroShell Disabling Conntrack?

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
  • #65162
    Stefan Groß

    Hi, I wonder what is the recommended way to disable all conntrack-related modules in the zeroshell kernel. I don’t use any “–state” in iptables and can disable the modules with modprobe during runtime. But how to make this survive reboots?


    shubhu puj

    thanx for sharing….

    Stefan Groß

    Sorry, here’s how to:

    Find all netfilterrules with some “state”-statements:

    root@zeroshell ~> iptables-save. |grep state
    -A SYS_INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    -A SYS_INPUT -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    -A SYS_INPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    -A SYS_INPUT -p tcp -m tcp --sport 8245 -m state --state ESTABLISHED -j ACCEPT
    -A SYS_INPUT -p udp -m udp --sport 123 -m state --state ESTABLISHED -j ACCEPT

    That’s the output on zeroshell 3.9.1 if you haven’t made some on your own. They’re all in the “filter”-Table. *Caution*: the following will break intended and documentet behaviour of zeroshell, so be aware of the consequences by yourself. Removing the rules can simply be done by copypasting them with -D instead of -A into the “Post Boot” script in Settup > Scripts/Cron:

    iptables -t filter -D SYS_INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

    In the same script you can enter the filter-rules you wish instead, if any.

    Then check for all loaded conntrack modules:

    root@zeroshell ~> lsmod |grep conntrack
    xt_conntrack           16384  5 
    nf_conntrack_netlink    32768  0 
    nf_conntrack_tftp      16384  1 nf_nat_tftp
    nf_conntrack_pptp      16384  1 nf_nat_pptp
    nf_conntrack_proto_gre    16384  1 nf_conntrack_pptp
    nf_conntrack_irc       16384  1 nf_nat_irc
    nf_conntrack_sip       28672  1 nf_nat_sip
    nf_conntrack_ftp       16384  1 nf_nat_ftp
    nf_conntrack_h323      49152  1 nf_nat_h323

    The first column is the module-name, the second memory-usage, the third tells how many processes use the module, and the fourth tells the names of other modules using the modules, if any.

    Remove modules by modprobe -r [name], start with modules in reverse dependency-order, and put all these commands in the same script as the iptables-ones.

    I had to remove conntrack for debugging some sip-connection-problems, but turned it on again after it turned out, that conntrack (the sip-alg and conntracks udp-timeouts) was not responsible. I don’t advise to turn it off, please try only in sandboxes and be aware that you’re on your own handling all the effects.


    • This reply was modified 2 years, 8 months ago by Stefan Groß.
Viewing 3 posts - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.