I'm running CentOS 5.3 and want to disable the nf_conntrack module to improve network performance for haproxy. I'm running iptables with some simple rules. I don't really need the connection tracking.
I'm running on Rackspace cloud servers, so I can't run a custom kernel. I've tried running modprobe, but that doesn't work.
[mmarano@w1 w1]$ sudo modprobe -n -r nf_conntrack
FATAL: Module nf_conntrack is in use.
[mmarano@w1 w1]$ uname -a
Linux w1.somewhere.com 2.6.24-23-xen #1 SMP Mon Jan 26 03:09:12 UTC 2009 x86_64 x86_64 x86_64 GNU/Linux
[mmarano@w1 w1]$ cat /etc/redhat-release
CentOS release 5.3 (Final)
I want to continue to run iptables after ripping this out, so I can't quite ditch all of netfilters. Anyone have any thoughts?
Best Answer
1. Remove any reference to the state module in iptables. So, no rules like

       -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

   The state module requires the nf_conntrack (ip_conntrack) module.

2. Remove the following line (if it exists) in /etc/sysconfig/iptables-config:

       IPTABLES_MODULES="ip_conntrack_netbios_ns"

   That module requires ip_conntrack, which we are trying to ditch.

3. Reload iptables without your state rules:

       sudo iptables -F
       # add your real rules

4. Drop the modules. I had to use:

       sudo modprobe -r xt_NOTRACK nf_conntrack_netbios_ns nf_conntrack_ipv4 xt_state
       sudo modprobe -r nf_conntrack

5. Confirm you don't have a reference to /proc/net/nf_conntrack.
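The answer above is a checklist of things that keep nf_conntrack "in use"; the script below is an added pre-flight audit for that checklist, not code from the original answer or the answerer. It scans an iptables-save dump for rules that would load the state/conntrack matches or the NOTRACK target, checks iptables-config for a conntrack helper in IPTABLES_MODULES, and lists which loaded modules depend on connection tracking. It goes slightly beyond the answer by also catching the `-m conntrack --ctstate` form of the same match. Every function reads stdin, so the same checks run against live `iptables-save`, `/etc/sysconfig/iptables-config` and `lsmod` output; the sample data embedded here is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example: pre-flight audit before "modprobe -r nf_conntrack".
# Each check prints what would keep the module busy; empty output means clear.

# Rules that need the state/conntrack match or the NOTRACK target.
conntrack_rules() {
    grep -E -- '-m (state|conntrack)|--ctstate|-j NOTRACK' || true
}

# IPTABLES_MODULES line naming a module that pulls in ip_conntrack/nf_conntrack.
conntrack_config_modules() {
    grep -E '^IPTABLES_MODULES=.*(conntrack|NOTRACK|xt_state)' || true
}

# Names of loaded modules that depend on connection tracking (lsmod column 1).
conntrack_loaded_modules() {
    awk '$1 ~ /conntrack|xt_state|xt_NOTRACK/ { print $1 }'
}

# Returns 0 when none of the three sources would keep nf_conntrack in use.
# Arguments: rules dump, iptables-config contents, lsmod output (as strings).
ready_to_unload() {
    rules="$1"; config="$2"; modules="$3"
    if [ -n "$(printf '%s\n' "$rules"   | conntrack_rules)" ];          then return 1; fi
    if [ -n "$(printf '%s\n' "$config"  | conntrack_config_modules)" ]; then return 1; fi
    if [ -n "$(printf '%s\n' "$modules" | conntrack_loaded_modules)" ]; then return 1; fi
    return 0
}

# Constructed sample data: a host that still matches the "before" state.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT'
SAMPLE_CONFIG='IPTABLES_MODULES="ip_conntrack_netbios_ns"
IPTABLES_SAVE_ON_STOP="no"'
SAMPLE_LSMOD='Module                  Size  Used by
xt_state                2560  1
nf_conntrack_ipv4      12288  2
nf_conntrack           65536  3 xt_state,nf_conntrack_ipv4
ip_tables              20480  1'

# Constructed sample data: the same host after the cleanup steps.
CLEAN_RULES='*filter
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT'
CLEAN_CONFIG='IPTABLES_MODULES=""'
CLEAN_LSMOD='Module                  Size  Used by
ip_tables              20480  1'

# Print a short report for the "before" sample.
echo "rules keeping conntrack loaded:"
printf '%s\n' "$SAMPLE_RULES" | conntrack_rules
echo "config lines loading conntrack helpers:"
printf '%s\n' "$SAMPLE_CONFIG" | conntrack_config_modules
echo "loaded conntrack-dependent modules:"
printf '%s\n' "$SAMPLE_LSMOD" | conntrack_loaded_modules
if ready_to_unload "$SAMPLE_RULES" "$SAMPLE_CONFIG" "$SAMPLE_LSMOD"; then
    echo "ready to unload nf_conntrack"
else
    echo "not ready: fix the findings above first"
fi
```

On a live box you would feed real output instead of the samples, for example `sudo iptables-save | conntrack_rules` and `lsmod | conntrack_loaded_modules`; the lsmod check is the one that matters for the "Module nf_conntrack is in use" error, since every module it lists in the "Used by" chain has to go before nf_conntrack itself will unload.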