
I want to remove the nf_conntrack module from debian. However I don't want to do this until I know how to get it back (if I have to), and currently am not confident about this. The steps another user took to remove the module are listed in this answer (step 4). Specifically:

sudo modprobe -r xt_NOTRACK nf_conntrack_netbios_ns nf_conntrack_ipv4 xt_state
sudo modprobe -r nf_conntrack

Can I just run the modprobe add commands (in reverse order) to get these back as it was? E.g. (updated based on wurtel's feedback):

sudo modprobe nf_conntrack
sudo modprobe xt_NOTRACK
sudo modprobe xt_state
sudo modprobe nf_conntrack_netbios_ns
sudo modprobe nf_conntrack_ipv4

Or are there other considerations I need to take into account?

EDIT: Just to clarify I believe I've removed any IPTables rules that use these modules.

UpTheCreek
  • You do realise that the connection tracking is required for [stateful firewall](http://en.wikipedia.org/wiki/Stateful_firewall), which is significantly more efficient on servers that receive any significant amount of traffic and arguably more secure as well? – HBruijn Sep 29 '14 at 17:18
  • @HBruijn - I realise that it's necessary for certain types of rules in iptables (like those using the state keyword), but as I understand it, if these rules are not being used, then it is unnecessary. Is there something non-iptables that uses it in a standard config? – UpTheCreek Sep 29 '14 at 18:48

1 Answer


You can only safely remove these modules if they are not being used in any iptables rules.

Loading them again will happen automatically when needed (i.e. when loading iptables rules) so there's no need to load them manually. That said, you can't supply a list of modules to load to modprobe.

wurtel
  • Thanks. I think I've already removed/modified any iptables rules that use these modules. (Updated question now with this and your point about modprobe lists). – UpTheCreek Sep 29 '14 at 14:50
  • Just to follow up. Do you know of a good way to check if the modules have been loaded back? I'm a little concerned that something might load them again without my knowledge – UpTheCreek Sep 29 '14 at 14:51
  • Use `lsmod` to list what modules are loaded. You can add a line `blacklist name_of_module` to a file `/etc/modprobe.d/whatever.conf` to prevent it being loaded. – wurtel Sep 30 '14 at 07:20
  • Hmm, lsmod returns nothing (and I haven't removed anything yet). Perhaps I'm misunderstanding something? – UpTheCreek Sep 30 '14 at 10:23
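The two checks discussed in the answer and its comments, as an added example that is not part of the original question or answer: one lists which conntrack-related modules are loaded (from the `/proc/modules` text that `lsmod` reads) together with their use counts, the other finds iptables rules that still match on connection state, which is what keeps those modules in use. The function names and the sample data are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Run against a real host with:
#   loaded_conntrack_modules < /proc/modules
#   iptables-save | rules_using_conntrack
# A non-zero use count means "modprobe -r" will refuse to unload the module
# until whatever holds it (usually a state-matching rule) is removed.

loaded_conntrack_modules() {
    # /proc/modules fields: name size refcount users state address.
    # Print "name refcount" for the conntrack family of modules only.
    awk '$1 ~ /^(nf_conntrack|xt_state|xt_NOTRACK|xt_conntrack)/ { print $1, $3 }'
}

rules_using_conntrack() {
    # "-m state" / "-m conntrack" pull in xt_state/xt_conntrack and
    # nf_conntrack; a NOTRACK target relies on xt_NOTRACK. "--" stops grep
    # from reading the leading "-" of the pattern as an option.
    grep -E -- '-m (state|conntrack)|-j NOTRACK' | sed 's/^/uses conntrack: /'
}

# Constructed sample data (not captured from a real machine) so the script
# runs offline. The format matches /proc/modules and iptables-save.
SAMPLE_PROC_MODULES='xt_state 12345 2 - Live 0x0000000000000000
nf_conntrack_ipv4 16384 1 - Live 0x0000000000000000
nf_conntrack 131072 2 xt_state,nf_conntrack_ipv4 Live 0x0000000000000000
ext4 598016 1 - Live 0x0000000000000000'

SAMPLE_IPTABLES_SAVE='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

main() {
    echo "== conntrack-related modules loaded (name refcount) =="
    printf '%s\n' "$SAMPLE_PROC_MODULES" | loaded_conntrack_modules
    echo "== rules that keep them loaded =="
    printf '%s\n' "$SAMPLE_IPTABLES_SAVE" | rules_using_conntrack
}

main
```

If the second check prints nothing and the first shows every use count at zero, the `modprobe -r` sequence in the question will succeed; a `blacklist` line in `/etc/modprobe.d/`, as the answer notes, is what stops the modules from being pulled back in when a state-matching rule is loaded later.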