I tried to dig deep enough to disable the state module and nf_conntrack and
was finally successful. I used the iptables script attached below to get
there.
I had to modify /etc/sysconfig/iptables-config to remove (comment out) the
following line
# IPTABLES_MODULES="ip_conntrack_netbios_ns"
Once that was complete, I could run the following
sudo modprobe -r xt_NOTRACK nf_conntrack_netbios_ns \
nf_conntrack_ipv4 xt_state
sudo modprobe -r nf_conntrack
Once there, however, my iptables rules seemed too restrictive, and I was
having problems with services outside of those explicitly allowed (like
DNS). Does removing the state rules (for ESTABLISHED, RELATED) mean that I
need to fully open all the unreserved ports?
Adding the sysctl config changes, and the NOTRACK rules keeps me from
overrunning the nf_conntrack table (even though I don't really need it).
I'm going to stick with this config for now because it's working well in
production.
Thanks,
Michael Marano
This is the iptables script I was using which allowed me to pull out the
modules.
===============================
#!/bin/sh
# Flush the current rules, allow loopback, and reject packets claiming a
# loopback destination that arrive on any other interface.
# ("! -i lo" is the current negation syntax; the older "-i ! lo" form is
# deprecated and no longer accepted by recent iptables releases.)
sudo /sbin/iptables -F
sudo /sbin/iptables -A INPUT -i lo -j ACCEPT
sudo /sbin/iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
sudo /sbin/iptables -A OUTPUT -j ACCEPT
# ssh
sudo /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# nginx
sudo /sbin/iptables -A INPUT -p tcp --dport 81 -j ACCEPT
# haproxy
sudo /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo /sbin/iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
# open ports for other staging machines
sudo /sbin/iptables -A INPUT -s 10.176.33.1 -j ACCEPT
sudo /sbin/iptables -A INPUT -s 10.176.32.167 -j ACCEPT
sudo /sbin/iptables -A INPUT -s 10.176.42.14 -j ACCEPT
sudo /sbin/iptables -A INPUT -s 10.176.42.32 -j ACCEPT
sudo /sbin/iptables -A INPUT -s 10.176.41.87 -j ACCEPT
sudo /sbin/iptables -A INPUT -s 10.176.34.70 -j ACCEPT
# ping (echo-request); no -m state / conntrack matches anywhere in this file
sudo /sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
sudo /sbin/iptables -A INPUT -j REJECT
sudo /sbin/iptables -A FORWARD -j REJECT
===============================
> From: Willy Tarreau <[email protected]>
> Date: Thu, 8 Oct 2009 06:59:31 +0200
> To: Michael Marano <[email protected]>
> Cc: <[email protected]>, <[email protected]>, Mark Kramer
> <[email protected]>
> Subject: Re: Kernel tuning recommendations
>
> On Wed, Oct 07, 2009 at 03:02:37PM -0700, Michael Marano wrote:
>> I've made a handful of changes based upon Chris and Willy's suggestions,
>> which I've included below. This avoids the nf_conntrack errors in the logs.
>>
>> I would like to skip nf_conntrack altogether. I've been digging around to
>> try to learn how to do that, but I now admit I don't know how. I can't just
>> drop the module, as it's currently in use.
>>
>> [mmar...@w1 w1]$ sudo modprobe -n -r nf_conntrack
>> FATAL: Module nf_conntrack is in use.
>>
>> What do I need to change in my iptables rules to pave the way for removing
>> this module? Once I've got that straight, how do I then disable the module?
>> I'm happy to get an RTFM response if I'm just being stupid. Point me at the
>> right M ;)
>
> The rules which reference it are here:
>
> sudo /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> sudo /sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j
> ACCEPT
>
> It is the "-m state" which uses ipt_state which in turn uses nf_conntrack.
>
> Be careful though, your rules are a bit strange. If you remove the ones
> above, I don't see how your traffic will pass anymore, as there is no
> accept rule for port 80.
>
> If you don't want to cut your remote access, I'd suggest first adding
> an accept rule then slowly removing the other ones, then the module.
>
> Regards,
> Willy
>
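Michael's open question above (whether dropping the ESTABLISHED,RELATED rules means opening every unreserved port) is the central trade-off of running without nf_conntrack. The answer is no: a stateless firewall replaces the state match with rules that describe what a reply looks like on the wire. The script below is an added example, not the thread's own script or anything from the HAProxy project; it keeps the service ports from Michael's ruleset and shows the usual stateless substitutes: accept TCP packets that are not connection openers (`! --syn`) on the ephemeral port range, accept UDP DNS answers only from known resolvers, and accept the ICMP error types that RELATED used to cover. The ephemeral range 32768:60999, the resolver address 192.0.2.53 and the port list are assumptions (placeholders) to be adjusted per host. It prints the commands by default and only executes them with APPLY=1.

```shell
#!/bin/sh
# Added example (not the poster's script): a stateless INPUT policy that never
# loads -m state / nf_conntrack but still lets reply traffic back in.
# Dry run by default (prints the iptables commands); APPLY=1 executes them.
# Assumptions (placeholders, not from the thread): EPHEMERAL must match
# net.ipv4.ip_local_port_range on the host; RESOLVERS lists the DNS servers
# this host actually queries; 192.0.2.53 is a documentation address.

IPT="${IPT:-/sbin/iptables}"
EPHEMERAL="${EPHEMERAL:-32768:60999}"
RESOLVERS="${RESOLVERS:-192.0.2.53}"
SERVICE_PORTS="${SERVICE_PORTS:-22 80 81 8080}"

# Execute the rule when APPLY=1, otherwise print it so the ruleset can be
# reviewed before it cuts remote access.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    else
        printf '%s\n' "$IPT $*"
    fi
}

stateless_input() {
    run -F INPUT
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

    # Services this host offers: without conntrack there is no NEW versus
    # ESTABLISHED distinction, every packet to the port is simply accepted.
    for p in $SERVICE_PORTS; do
        run -A INPUT -p tcp --dport "$p" -j ACCEPT
    done

    # Replies to TCP connections this host opened (outbound HTTP, package
    # updates, ...) arrive on an ephemeral port and are never a bare SYN.
    # "! --syn" means "not (SYN set with ACK, RST and FIN clear)", so an
    # inbound connection attempt to those ports still hits the final REJECT.
    run -A INPUT -p tcp ! --syn --dport "$EPHEMERAL" -j ACCEPT

    # DNS answers: UDP from the resolver's port 53 to an ephemeral port.
    # A stateless filter cannot tie this to a query it saw, so the source
    # address pin is the only thing keeping this from being "any UDP from
    # source port 53".
    for r in $RESOLVERS; do
        run -A INPUT -p udp -s "$r" --sport 53 --dport "$EPHEMERAL" -j ACCEPT
    done

    # Ping in both directions: echo-reply must now be explicit because
    # RELATED/ESTABLISHED no longer lets it in.
    run -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    run -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    # ICMP errors that RELATED used to match; destination-unreachable carries
    # fragmentation-needed, so dropping it silently breaks path MTU discovery.
    run -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    run -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

    run -A INPUT -j REJECT
}

# Returns success (0) if the generated ruleset would pull in the conntrack
# modules, i.e. if any rule uses -m state or -m conntrack. Expected: failure.
uses_conntrack() {
    stateless_input | grep -q -e '-m state' -e '-m conntrack'
}

stateless_input
```

Run it as-is to review the generated commands, then `APPLY=1 ./stateless.sh` to load them. The price of statelessness is a coarser policy: the filter cannot tell a genuine reply from any packet with ACK set, so the whole ephemeral range is effectively open to such packets and relies on the kernel having no listener there, and UDP "replies" are only as trustworthy as the source-address pin. That is why the sysctl plus NOTRACK approach Michael settled on is the more common compromise when conntrack table exhaustion, rather than the module itself, is the real problem.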