On Tue, Nov 09, 2010 at 09:51:28AM -0500, Ariel wrote:
> I've seen a few times on this list people recommending to completely from the 
> conntrack functionality of iptables.  I only use iptables to block all ports 
> except for 80/443 and 22 only to specific locations, so I believe I am not 
> doing any connection tracking, and I don't see why I would need to on a 
> reverse-proxy whose only purpose is to push through as many connections as 
> possible.

Exactly!

> So it's generally safe just to completely disable this module?

Yes. You should simply filter on the destination port then. However,
keep in mind that without conntrack, you want to have very few rules.

>  Is there a way with sysctl to remove it completely or do I have to rmmod it?

There's no sysctl, you can rmmod it, as well as you can blacklist it in your
modprobe.conf. You should ensure that none of your rules makes any reference
to it (e.g. no -m state rule).

> Also, are there any cases where it might be advantageous to use conntrack in 
> your iptables for an haproxy server?

If you need NAT, or if you have to implement many rules and only want to apply
them on SYN packets, then you need conntrack. But in general, conntrack is used
to bring the stateful mechanism that a proxy already provides, which is why
they're rarely needed side by side.

Regards,
Willy
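Added example, not part of the thread or of HAProxy: a small pre-flight check for the advice above, which scans an iptables-save style dump for anything that still needs nf_conntrack (state/conntrack matches, the nat table, NAT targets) before the module is unloaded or blacklisted. The two rulesets and the 192.0.2.0/24 admin network are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread). Scans an iptables-save dump
# for conntrack dependencies; both rulesets below are constructed samples.
# Print the rule lines that depend on conntrack (exit 0 if any, 1 if none).
conntrack_refs() {
    grep -nE -- '-m (state|conntrack)|--ctstate|--state |^\*nat|-j (SNAT|DNAT|MASQUERADE|REDIRECT)' "$1"
}
# True when the dump has no conntrack dependency, i.e. the module can go.
ruleset_is_stateless() {
    ! conntrack_refs "$1" >/dev/null
}
STATEFUL=$(mktemp) STATELESS=$(mktemp)
trap 'rm -f "$STATEFUL" "$STATELESS"' EXIT
# Constructed sample 1: the usual stateful INPUT chain; the ESTABLISHED rule
# keeps nf_conntrack pinned.
cat >"$STATEFUL" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
# Constructed sample 2: the stateless form described above. Only destination
# ports are filtered; replies to connections the proxy opens itself (to its
# backends) are admitted by accepting non-SYN TCP (iptables-save's rendering
# of "! --syn"), which is what makes the port rules apply to SYN packets only.
cat >"$STATELESS" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
for f in "$STATEFUL" "$STATELESS"; do
    if ruleset_is_stateless "$f"; then
        echo "$f: no conntrack references, safe to rmmod nf_conntrack"
    else
        echo "$f: still references conntrack:"; conntrack_refs "$f"
    fi
done
```

On a live host, feed it `iptables-save` output instead of the samples and only blacklist the module once the check comes back clean.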

