On Fri, Oct 09, 2009 at 12:22:57PM -0700, Michael Marano wrote:
> I tried to dig deep enough to disable the state module and nf_conntrack and
> was finally successful. I used the iptables script attached below to get
> there.
>
> I had to modify /etc/sysconfig/iptables-config to remove (comment out) the
> following line
>
> # IPTABLES_MODULES="ip_conntrack_netbios_ns"
>
> Once that was complete, I could run the following
>
> sudo modprobe -r xt_NOTRACK nf_conntrack_netbios_ns \
> nf_conntrack_ipv4 xt_state
>
> sudo modprobe -r nf_conntrack
>
> Once there, however, my iptables rules seemed too restrictive, and I was
> having problems with services outside of those explicitly allowed (like
> DNS). Does removing the state rules (for ESTABLISHED, RELATED) mean that I
> need to fully open all the unreserved ports?

Yes, you're right, that means exactly that. But that was not stated in your
first mail :-)

Can't you limit your load-balancer to ask a forwarder DNS only? This would
limit exposure a lot!

> Adding the sysctl config changes, and the NOTRACK rules keeps me from
> overrunning the nf_conntrack table (even though I don't really need it).
> I'm going to stick with this config for now cause it's working well in
> production.

OK. Thanks for the feedback!

Willy
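The stateless rule set the exchange above describes, written out as an added example (it is not the script attached to Michael's mail, which is not on this page). It assumes the host publishes TCP 80/443, uses a single DNS forwarder at a placeholder address passed as an argument, and that its own outbound connections all use unprivileged source ports:

```shell
#!/bin/sh
# Emits an iptables-restore ruleset for a host running without nf_conntrack.
# Assumptions (not from the thread): the host serves TCP 80/443, uses exactly
# one DNS forwarder, and makes its own outbound connections from ports >1023.
stateless_rules() {
    fwd="$1"    # address of the DNS forwarder allowed to answer us
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# NOTRACK everything so conntrack never creates table entries
-A PREROUTING -j NOTRACK
-A OUTPUT -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Services we publish (new connections arrive here)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Without state tracking, return traffic must be matched statelessly:
# replies to connections we opened land on ports >1023 and are never a bare SYN.
-A INPUT -p tcp --dport 1024:65535 ! --syn -j ACCEPT
# DNS answers only from the forwarder, not from any source port 53 on the net
-A INPUT -p udp -s $fwd --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Usage (as root): stateless_rules 192.0.2.53 | iptables-restore
```

The `! --syn` rule is the "open all the unreserved ports" cost the thread describes; pinning UDP replies to the forwarder address is the narrowing Willy suggests.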