As an example of disabling the conntrack module I will use the Ubuntu operating system.
Let’s see what conntrack modules are loaded:
lsmod | grep conntrack
Module unloading example:
rmmod nf_conntrack
If an error like the following occurs:
rmmod: ERROR: Module nf_conntrack is in use by: xt_conntrack nf_conntrack_ipv4 nf_nat nf_nat_ipv4
Most likely, rules that track connection state have been added to the firewall, and they need to be removed. Here is an example (do not forget to save the rules so that at operating system startup they are not added again and do not trigger loading of conntrack):
iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
The state match may also be present in other rules; in that case delete the rule and add it again without the state match:
iptables -D INPUT -s 192.168.5.5/32 -p tcp -m tcp --dport 10050 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.5.5/32 -p tcp --dport 10050 -j ACCEPT
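Before deleting rules one by one, it helps to see every rule that keeps conntrack loaded. The following audit script is an added example, not part of the original article: the function name find_conntrack_rules and the sample iptables-save text are constructed here, and the sample mirrors the rules shown above plus a nat and a raw rule for illustration.

```shell
#!/bin/sh
# Added example (not part of the original article): audit iptables-save
# output for rules that keep nf_conntrack loaded, so they can be removed or
# rewritten before "rmmod nf_conntrack" is attempted.

# find_conntrack_rules reads iptables-save text on stdin and prints, prefixed
# with the table name, every rule that depends on connection tracking:
#   - every rule in the nat table (NAT requires conntrack)
#   - "-m state", "-m conntrack" and "-m helper" matches
#   - NAT targets (MASQUERADE, SNAT, DNAT, REDIRECT) and the CT target
#     (modern iptables saves "-j NOTRACK" as "-j CT --notrack", which still
#     needs the nf_conntrack module even though the packet is not tracked)
find_conntrack_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*filter", "*nat", ...: current table
        /^-A / {
            if (table == "nat") { print table ": " $0; next }
            if ($0 ~ /-m (state|conntrack|helper)( |$)/ ||
                $0 ~ /-j (MASQUERADE|SNAT|DNAT|REDIRECT|CT)( |$)/) {
                print table ": " $0
            }
        }
    '
}

# Constructed sample in iptables-save format; the filter rules mirror the
# ones in the article. On a live system use:  iptables-save | find_conntrack_rules
SAMPLE_RULES='# constructed iptables-save output
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.5.5/32 -p tcp -m tcp --dport 10050 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.5.5/32 -p tcp -m tcp --dport 10050 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j CT --notrack
COMMIT'

# count_conntrack_rules returns how many of the sample rules are flagged.
count_conntrack_rules() {
    printf '%s\n' "$SAMPLE_RULES" | find_conntrack_rules | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_RULES" | find_conntrack_rules
```

Only the two state rules, the MASQUERADE rule and the raw-table CT rule are reported; the plain `--dport 10050 -j ACCEPT` replacement and the loopback rule are not, which is what you want to see before unloading the modules.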
After that, you can unload all modules related to conntrack:
rmmod iptable_nat
rmmod nf_nat_ipv4
rmmod nf_nat
rmmod xt_conntrack
rmmod nf_conntrack_ipv4
modprobe -r nf_conntrack
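The rmmod order above matters: each module must go before the modules it depends on. The script below is an added example, not part of the original article; it derives that order from lsmod output and flags modules whose reference count is held by something other than a module, which is the situation behind the "is in use by" error. The function names conntrack_unload_plan, unload_position and warning_count and the lsmod sample (module names taken from the error above, counts constructed) are assumptions made here.

```shell
#!/bin/sh
# Added example (not part of the original article): compute a safe rmmod order
# for nf_conntrack and everything that depends on it from "lsmod" output, and
# warn about modules whose reference count is held by something other than a
# module (typically active iptables rules).

# conntrack_unload_plan [ROOT] reads lsmod output on stdin (ROOT defaults to
# nf_conntrack) and prints one "rmmod <module>" line per dependent module, in
# an order where every module is removed before the modules it needs. Modules
# that nf_conntrack itself depends on (e.g. nf_defrag_ipv4, libcrc32c) are
# not dependents and are left alone.
conntrack_unload_plan() {
    awk -v root="${1:-nf_conntrack}" '
        NR == 1 { next }                               # header: Module Size Used by
        {
            name = $1
            count[name] = $3 + 0                       # total reference count
            n = split((NF >= 4 ? $4 : ""), users, ",") # modules using this one
            listed[name] = n
            for (i = 1; i <= n; i++) dependents[name] = dependents[name] " " users[i]
        }
        END {
            # breadth-first walk from root over "used by" edges: everything
            # reached must be unloaded before root can be
            need[root] = 1; queue[1] = root; head = 1; tail = 1
            while (head <= tail) {
                m = queue[head++]
                n = split(dependents[m], u, " ")
                for (i = 1; i <= n; i++) {
                    if (!(u[i] in need)) { need[u[i]] = 1; queue[++tail] = u[i] }
                }
            }
            # peel leaves: a module can go once none of its dependents remain
            remaining = tail
            while (remaining > 0) {
                progressed = 0
                for (i = 1; i <= tail; i++) {
                    m = queue[i]
                    if (done[m]) continue
                    blocked = 0
                    n = split(dependents[m], u, " ")
                    for (j = 1; j <= n; j++) if (!done[u[j]]) blocked = 1
                    if (blocked) continue
                    if (count[m] > listed[m]) {
                        printf "# WARNING: %s has %d non-module reference(s); rmmod will fail until the firewall rules using it are removed\n", m, count[m] - listed[m]
                    }
                    print "rmmod " m
                    done[m] = 1; remaining--; progressed = 1
                }
                if (!progressed) { print "# ERROR: circular dependency, giving up"; exit 1 }
            }
        }
    '
}

# Constructed lsmod output: module names from the rmmod error in the article,
# reference counts illustrative. On a live system: lsmod | conntrack_unload_plan
SAMPLE_LSMOD='Module                  Size  Used by
iptable_nat            16384  1
nf_nat_ipv4            16384  1 iptable_nat
nf_nat                 32768  1 nf_nat_ipv4
xt_conntrack           16384  1
nf_conntrack_ipv4      16384  3
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
nf_conntrack          131072  4 xt_conntrack,nf_conntrack_ipv4,nf_nat,nf_nat_ipv4
libcrc32c              16384  1 nf_conntrack
x_tables               40960  3 iptable_nat,xt_conntrack,iptable_filter
iptable_filter         16384  1'

# unload_position MODULE prints the 1-based position of MODULE among the
# rmmod lines of the sample plan (nothing if it is not in the plan).
unload_position() {
    printf '%s\n' "$SAMPLE_LSMOD" | conntrack_unload_plan | grep '^rmmod ' | awk -v m="$1" '$2 == m { print NR }'
}

# warning_count prints how many modules in the sample plan are held by
# non-module users.
warning_count() {
    printf '%s\n' "$SAMPLE_LSMOD" | conntrack_unload_plan | grep -c '^# WARNING'
}

printf '%s\n' "$SAMPLE_LSMOD" | conntrack_unload_plan
```

In the sample, xt_conntrack, nf_conntrack_ipv4 and iptable_nat carry references that no module accounts for, so the plan warns about them: those are the rules from the previous step that still need to be removed. nf_defrag_ipv4 and libcrc32c are used by nf_conntrack rather than using it, so they are not in the plan; `modprobe -r nf_conntrack` takes care of unused dependencies like these.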
Disable nf_conntrack_helper immediately, and also at boot, so that it is not enabled again when the operating system starts:
echo 0 > /sys/module/nf_conntrack/parameters/nf_conntrack_helper
Add the module option to a modprobe configuration file:
nano /etc/modprobe.d/no_conntrack_helper.conf
options nf_conntrack nf_conntrack_helper=0
And set the sysctl parameter:
nano /etc/sysctl.conf
net.netfilter.nf_conntrack_helper = 0
Let’s check:
sysctl net.netfilter.nf_conntrack_helper
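The sysctl check covers only the running kernel. The script below is an added example, not part of the original article: it verifies all three places configured above (the live module parameter, the modprobe.d file and sysctl.conf) at once. The function names check_helper_disabled and demo_check are constructed here, and the file paths are parameters so the check can be run against the constructed files the demo creates in a temporary directory.

```shell
#!/bin/sh
# Added example (not part of the original article): verify that automatic
# conntrack helper assignment is disabled in all three places the article
# configures: the live module parameter, modprobe.d and sysctl.conf.

# check_helper_disabled SYSFS_PARAM MODPROBE_CONF SYSCTL_CONF
# Prints one line per location and returns 0 only if every location is
# disabled. Note: nf_conntrack_helper is a bool module parameter, so the
# kernel reports the sysfs file as "N" (off) or "Y" (on) even though the
# article writes 0 to it; both "0" and "N" are accepted here.
check_helper_disabled() {
    sysfs="$1"; modconf="$2"; sysctlconf="$3"; failed=0

    if [ ! -e "$sysfs" ]; then
        echo "live  : parameter file missing (nf_conntrack not loaded or parameter absent)"
    elif grep -qx '[0N]' "$sysfs"; then
        echo "live  : disabled"
    else
        echo "live  : ENABLED ($(cat "$sysfs"))"; failed=1
    fi

    if grep -Eq '^[[:space:]]*options[[:space:]]+nf_conntrack[[:space:]].*nf_conntrack_helper=0([[:space:]]|$)' "$modconf" 2>/dev/null; then
        echo "boot  : modprobe option present in $modconf"
    else
        echo "boot  : modprobe option MISSING in $modconf"; failed=1
    fi

    if grep -Eq '^[[:space:]]*net\.netfilter\.nf_conntrack_helper[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$sysctlconf" 2>/dev/null; then
        echo "sysctl: setting present in $sysctlconf"
    else
        echo "sysctl: setting MISSING or not 0 in $sysctlconf"; failed=1
    fi
    return $failed
}

# demo_check [SYSCTL_VALUE] writes constructed copies of the three files to a
# temporary directory (sysctl value defaults to 0), runs the check on them and
# returns its status. On a live system call the function directly:
#   check_helper_disabled /sys/module/nf_conntrack/parameters/nf_conntrack_helper \
#       /etc/modprobe.d/no_conntrack_helper.conf /etc/sysctl.conf
demo_check() {
    dir=$(mktemp -d)
    printf 'N\n' > "$dir/nf_conntrack_helper"
    printf 'options nf_conntrack nf_conntrack_helper=0\n' > "$dir/no_conntrack_helper.conf"
    printf '# constructed sysctl.conf\nnet.netfilter.nf_conntrack_helper = %s\n' "${1:-0}" > "$dir/sysctl.conf"
    check_helper_disabled "$dir/nf_conntrack_helper" "$dir/no_conntrack_helper.conf" "$dir/sysctl.conf"
    status=$?
    rm -rf "$dir"
    return $status
}

demo_check
```

A missing sysfs file is reported but not counted as a failure: it is absent whenever nf_conntrack is not loaded, which is the end state of the unloading steps above.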
If you only need to stop tracking connections on specific ports, you can add rules to the raw table of the firewall instead, for example for TCP port 80:
iptables -t raw -I PREROUTING -p tcp --dport 80 -j NOTRACK
iptables -t raw -I PREROUTING -p tcp --sport 80 -j NOTRACK
iptables -t raw -I OUTPUT -p tcp --dport 80 -j NOTRACK
iptables -t raw -I OUTPUT -p tcp --sport 80 -j NOTRACK
See also my article:
Tuning nf_conntrack