Disabling Conntrack?


This topic contains 2 replies, has 2 voices, and was last updated by  Stefan Groß 3 weeks, 4 days ago.

    #65162

    Stefan Groß
    Participant

    Hi, I wonder what is the recommended way to disable all conntrack-related modules in the ZeroShell kernel. I don’t use any “--state” in iptables and can disable the modules with modprobe during runtime. But how do I make this survive reboots?

    __
    s.

    #65174

    shubhu puj
    Participant

    thanx for sharing….

    #65175

    Stefan Groß
    Participant

    Sorry, here’s how to:

    Find all netfilter rules with “state” statements:

    root@zeroshell ~> iptables-save | grep state
    -A SYS_INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    -A SYS_INPUT -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    -A SYS_INPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    -A SYS_INPUT -p tcp -m tcp --sport 8245 -m state --state ESTABLISHED -j ACCEPT
    -A SYS_INPUT -p udp -m udp --sport 123 -m state --state ESTABLISHED -j ACCEPT

    That’s the output on ZeroShell 3.9.1 if you haven’t made some on your own. They’re all in the “filter” table. *Caution*: the following will break intended and documented behaviour of ZeroShell, so be aware of the consequences yourself. Removing the rules can simply be done by copy-pasting them with -D instead of -A into the “Post Boot” script in Setup > Scripts/Cron:

    iptables -t filter -D SYS_INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    ...

    In the same script you can enter the filter-rules you wish instead, if any.

    Then check for all loaded conntrack modules:

    root@zeroshell ~> lsmod |grep conntrack
    xt_conntrack           16384  5 
    nf_conntrack_netlink    32768  0 
    nf_conntrack_tftp      16384  1 nf_nat_tftp
    nf_conntrack_pptp      16384  1 nf_nat_pptp
    nf_conntrack_proto_gre    16384  1 nf_conntrack_pptp
    nf_conntrack_irc       16384  1 nf_nat_irc
    nf_conntrack_sip       28672  1 nf_nat_sip
    nf_conntrack_ftp       16384  1 nf_nat_ftp
    nf_conntrack_h323      49152  1 nf_nat_h323

    The first column is the module name, the second its memory usage, the third tells how many processes use the module, and the fourth tells the names of other modules using the module, if any.

    Remove modules with modprobe -r [name], starting with the modules in reverse dependency order, and put all these commands in the same script as the iptables ones.

    I had to remove conntrack for debugging some SIP connection problems, but turned it on again after it turned out that conntrack (the SIP ALG and conntrack’s UDP timeouts) was not responsible. I don’t advise turning it off; please try it only in sandboxes and be aware that you’re on your own handling all the effects.

    __
    s.

    • This reply was modified 3 weeks, 4 days ago by  Stefan Groß.
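The two steps of the post above (turn the `-m state` rules from iptables-save into `-D` commands, then unload the conntrack modules in reverse dependency order) as an added shell example. This is not code from the post or from ZeroShell; the function names are made up here, the iptables-save sample is constructed, and in the lsmod sample only the conntrack lines follow the post while the nf_nat_* lines and their use counts are invented. It is a dry run on the embedded samples; on a box you would feed it the live `iptables-save` and `lsmod` output.

```shell
#!/bin/sh
# Added example (not ZeroShell code). Function names are hypothetical.

# Constructed iptables-save sample: two state/conntrack rules in different
# tables and one rule that does not need conntrack at all.
SAMPLE_SAVE='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m conntrack --ctstate INVALID -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A SYS_INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A SYS_INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed lsmod sample: conntrack lines as in the post; the nf_nat_* lines
# (the "Used by" modules) and their counts are made up for the example.
SAMPLE_LSMOD='Module                  Size  Used by
xt_conntrack           16384  5
nf_conntrack_netlink    32768  0
nf_conntrack_tftp      16384  1 nf_nat_tftp
nf_conntrack_pptp      16384  1 nf_nat_pptp
nf_conntrack_proto_gre    16384  1 nf_conntrack_pptp
nf_nat_tftp            16384  0
nf_nat_pptp            16384  0'

# stdin: iptables-save output. stdout: one "iptables -t TABLE -D ..." line per
# rule matching on state/conntrack. The table comes from the "*name" header,
# so rules outside the filter table are deleted from the right table.
state_rule_deletes() {
  awk '
    /^\*/ { table = substr($1, 2); next }
    /^-A / && / -m (state|conntrack) / {
      sub(/^-A /, "")
      print "iptables -t " table " -D " $0
    }'
}

# stdin: lsmod output. stdout: "unload NAME" lines in an order safe for
# modprobe -r (each module before the modules it depends on), then "held NAME"
# for modules that cannot be unloaded yet. Only modules whose name matches the
# pattern (default: conntrack) and the modules using them are planned.
conntrack_plan() {
  awk -v pat="${1:-conntrack}" '
    NR == 1 && $1 == "Module" { next }            # lsmod header line
    {
      m = $1; order[NR] = m; count[m] = $3 + 0; nusers[m] = 0
      k = split($4, u, ",")
      for (i = 1; i <= k; i++)
        if (u[i] != "" && u[i] !~ /^\[/)          # "[permanent]" is not a module
          users[m, ++nusers[m]] = u[i]
      if (m ~ pat) wanted[m] = 1
    }
    END {
      # widen the set to everything that (transitively) uses a wanted module
      changed = 1
      while (changed) {
        changed = 0
        for (n = 1; n <= NR; n++) {
          m = order[n]
          if (!wanted[m]) continue
          for (i = 1; i <= nusers[m]; i++)
            if (!wanted[users[m, i]]) { wanted[users[m, i]] = 1; changed = 1 }
        }
      }
      # A module is ready once all of its listed users are gone and its use
      # count is explained by those users alone. A count above the number of
      # listed users means something else holds it, typically a rule with
      # "-m state" still in the ruleset, and modprobe -r would fail.
      progress = 1
      while (progress) {
        progress = 0
        for (n = 1; n <= NR; n++) {
          m = order[n]
          if (m == "" || !wanted[m] || done[m]) continue
          ready = 1
          for (i = 1; i <= nusers[m]; i++) if (!done[users[m, i]]) ready = 0
          if (ready && count[m] == nusers[m]) { print "unload " m; done[m] = 1; progress = 1 }
        }
      }
      for (n = 1; n <= NR; n++) {
        m = order[n]
        if (m != "" && wanted[m] && !done[m]) print "held " m
      }
    }'
}

unload_order() { conntrack_plan "$@" | awk '$1 == "unload" { print $2 }'; }
held_modules() { conntrack_plan "$@" | awk '$1 == "held" { print $2 }'; }

# Dry run on the constructed samples. Live use would be:
#   iptables-save | state_rule_deletes
#   lsmod | unload_order | sed 's/^/modprobe -r /'
printf '%s\n' "$SAMPLE_SAVE" | state_rule_deletes
printf '%s\n' "$SAMPLE_LSMOD" | unload_order | sed 's/^/modprobe -r /'
printf '%s\n' "$SAMPLE_LSMOD" | held_modules | sed 's/^/# still held, delete its rules first: /'
```

The plan deliberately reads the full `lsmod` rather than the grepped listing from the post: a module's "Used by" entries (here the nf_nat_* helpers) must be present in the input, or the module is reported as held and never ordered. xt_conntrack in the sample shows the other failure mode, a use count with no module names behind it, which is the `-m state` rules holding the match; it stays in the held list until those rules are deleted and lsmod is read again.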