How to disable conntrack on Linux

I will give an example of disabling the conntrack module, for example, I will take the Ubuntu operating system.

Let’s see what conntrack modules are loaded:

lsmod |grep conntrack

Module unloading example:

rmmod nf_conntrack

For example, if an error occurs:

rmmod: ERROR: Module nf_conntrack is in use by: xt_conntrack nf_conntrack_ipv4 nf_nat nf_nat_ipv4

It is most likely that rules have been added to the firewall to track the status of connections, they need to be removed, I will give an example (do not forget to save the rules so that when the operating system starts up, they are not added again and do not provoke conntrack loading):

iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

It may also be specified in other rules:

iptables -D INPUT -s 192.168.5.5/32 -p tcp -m tcp --dport 10050 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.5.5/32 -p tcp --dport 10050 -j ACCEPT

After that, you can unload all modules related to conntrack:

rmmod iptable_nat
rmmod nf_nat_ipv4
rmmod nf_nat
rmmod xt_conntrack
rmmod nf_conntrack_ipv4
modprobe -r nf_conntrack

Disable nf_conntrack_helper so that it does not start when the operating system starts:

echo 0 > /sys/module/nf_conntrack/parameters/nf_conntrack_helper
nano /etc/modprobe.d/no_conntrack_helper.conf
options nf_conntrack nf_conntrack_helper=0
nano /etc/sysctl.conf
net.netfilter.nf_conntrack_helper = 0

Let’s check:

sysctl net.netfilter.nf_conntrack_helper

If it is necessary not to track connections of only specific ports, then you can add rules to the firewall, for example, for tcp port 80:

iptables -t raw -I PREROUTING -p tcp --dport 80 -j NOTRACK
iptables -t raw -I PREROUTING -p tcp  --sport 80 -j NOTRACK
iptables -t raw -I OUTPUT -p tcp --dport 80 -j NOTRACK
iptables -t raw -I OUTPUT -p tcp --sport 80 -j NOTRACK

See also my article:
Tuning nf_conntrack

Leave a comment

Leave a Reply