On Wed, Oct 07, 2009 at 03:02:37PM -0700, Michael Marano wrote:
> I've made a handful of changes based upon Chris and Willy's suggestions,
> which I've included below.  This avoids the nf_conntrack errors in the logs.
> 
> I would like to skip nf_conntrack altogether.  I've been digging around to
> try to learn how to do that, but I now admit I don't know how.  I can't just
> drop the module, as it's currently in use.
> 
> [mmar...@w1 w1]$ sudo modprobe -n -r nf_conntrack
> FATAL: Module nf_conntrack is in use.
> 
> What do I need to change in my iptables rules to pave the way for removing
> this module?  Once I've got that straight, how do I then disable the module?
> I'm happy to get an RTFM response if I'm just being stupid. Point me at the
> right M ;)

The rules which reference it are here:

  sudo /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  sudo /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

It is the "-m state" which uses ipt_state which in turn uses nf_conntrack.

Be careful though, your rules are a bit strange. If you remove the ones
above, I don't see how your traffic will pass anymore, as there is no
accept rule for port 80.

If you don't want to cut your remote access, I'd suggest first adding
an accept rule then slowly removing the other ones, then the module.

Regards,
Willy


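As an added illustration of Willy's advice (this script is not part of the thread and is not from the HAProxy project), the following POSIX shell snippet does two things a practitioner wants before unloading nf_conntrack: it scans an `iptables-save` dump for every rule that pulls in a connection-tracking match (`-m state`, provided by ipt_state on the kernel of the time and by xt_state on newer ones, and `-m conntrack`), and it prints the stateless accept rules for ports 22 and 80 that should be inserted first, followed by the deletion and `modprobe -r` steps. The sample dump is constructed from the rules quoted above; the commands are printed rather than executed so the script runs offline. Note the caveat in the comments: with an INPUT policy of DROP, the `ESTABLISHED,RELATED` rule is what currently lets replies to this host's own outbound connections in, so removing it without a stateless substitute will also break DNS answers and package downloads.

```shell
#!/bin/sh
# Added example, not code from the thread: find which rules keep nf_conntrack
# loaded and print the stateless replacement to apply before removing them.

# Constructed sample: what `iptables-save` might print for the ruleset above.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
COMMIT'

# Print every rule (read from stdin) that loads a conntrack-backed match:
# "-m state" (ipt_state / xt_state) or "-m conntrack" (xt_conntrack).
find_conntrack_rules() {
    grep -E -e '-m (state|conntrack)( |$)'
}

# Count such rules; only when this reaches 0 can nf_conntrack be unloaded.
count_conntrack_rules() {
    find_conntrack_rules | grep -c . || true
}

# Stateless accept rules for the two services the thread mentions. Insert
# these at the top of INPUT BEFORE deleting the "-m state" rules, so the SSH
# session used to make the change is never cut.
stateless_rules() {
    cat <<'EOF'
iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 80 -j ACCEPT
EOF
}

# Caveat: with INPUT policy DROP, the ESTABLISHED,RELATED rule is also what
# admits replies to connections this host opens (DNS answers, apt/yum
# downloads). A coarse stateless stand-in for TCP replies is to accept
# non-SYN segments; UDP replies need explicit rules per service:
#   iptables -A INPUT -p tcp ! --syn -j ACCEPT
#   iptables -A INPUT -p udp --sport 53 -j ACCEPT

# Once no rule references the match, remove the state match module first,
# then the tracker. `lsmod | grep nf_conntrack` lists any remaining users
# (for example nf_conntrack_ipv4), which must be removed before nf_conntrack.
removal_steps() {
    cat <<'EOF'
iptables -D INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -D INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
lsmod | grep nf_conntrack
modprobe -r ipt_state
modprobe -r nf_conntrack
EOF
}

# Demonstration on the constructed sample.
echo "rules that keep nf_conntrack loaded:"
printf '%s\n' "$SAMPLE_RULES" | find_conntrack_rules
echo "count: $(printf '%s\n' "$SAMPLE_RULES" | count_conntrack_rules)"
echo "apply first:"
stateless_rules
echo "then:"
removal_steps
```

On a live box, replace the constructed sample with `sudo iptables-save | find_conntrack_rules`; the deletion commands must match the original rules exactly (same options in the same order), or `iptables -D` will report that the rule does not exist.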