https://community.hpe.com/t5/operating-system-linux/iptable-question/m-p/4784855#M44321 I checked the following<BR /><BR />/etc/init.d/iptables status<BR />Firewall is stopped.<BR /><BR />Thanks<BR /><BR />Joe. Fri, 06 May 2011 13:07:08 GMT joe_91 2011-05-06T13:07:08Z https://community.hpe.com/t5/operating-system-linux/iptable-question/m-p/4784854#M44320 We have on a RHEL4/RHEL5 servers ip_conntrack module loaded and causing some network resources issues. My question is how could ip_conntrack module be loaded when we have disabled iptables? Could it be automatically loaded by any application? if so how could you look?<BR /><BR /><BR />Thanks<BR /><BR />Joe.<BR /> Fri, 06 May 2011 00:24:21 GMT https://community.hpe.com/t5/operating-system-linux/iptable-question/m-p/4784854#M44320 joe_91 2011-05-06T00:24:21Z https://community.hpe.com/t5/operating-system-linux/iptable-question/m-p/4784855#M44321 I checked the following<BR /><BR />/etc/init.d/iptables status<BR />Firewall is stopped.<BR /><BR />Thanks<BR /><BR />Joe. Fri, 06 May 2011 13:07:08 GMT https://community.hpe.com/t5/operating-system-linux/iptable-question/m-p/4784855#M44321 joe_91 2011-05-06T13:07:08Z https://community.hpe.com/t5/operating-system-linux/iptable-question/m-p/4784856#M44322 RHEL's /etc/init.d/iptables is just one way to configure iptables firewalls - there might be a custom script or even a complete firewall management application that has applied a set of firewall settings completely separately from /etc/init.d/iptables.<BR /><BR />The conntrack module may have been loaded automatically when required by some iptables rule that has been removed since then: it won't auto-unload when it's no longer needed.<BR /><BR />What is the output of following commands:<BR /><BR />lsmod | grep conntrack<BR />iptables -L -vn<BR />iptables -L -vnt nat<BR />iptables -L -vnt mangle<BR /><BR />If the "Used by" value of the conntrack module is 0 in the lsmod listing, the module is currently unused and can safely be rmmod'd.<BR /><BR />MK Fri, 06 May 2011 17:16:33 GMT https://community.hpe.com/t5/operating-system-linux/iptable-question/m-p/4784856#M44322 Matti_Kurkela 2011-05-06T17:16:33Z https://community.hpe.com/t5/operating-system-linux/iptable-question/m-p/4784857#M44323 Here are the ouputs..<BR /><BR /><BR />/etc/init.d/iptables status<BR />Firewall is stopped.<BR /><BR /><BR />lsmod|grep conn<BR />ip_conntrack 54297 1 iptable_nat<BR /><BR />(so there is one connection)<BR /><BR />When i did /etc/init.d/iptables stop and then did a lsmod|grep ip_conn the conntrack was gone. Does it mean there was some old connection sitting there? Also when i did cat /proc/net/ip_conntrack there was time_wait in those connections, so is it safe to assume that may some old connections or leftovers from from some rules?? Since there was one connection from lsmod output how do we find out what that is??<BR /><BR />Thanks<BR /><BR />Joe.<BR /><BR /> Fri, 06 May 2011 20:11:37 GMT https://community.hpe.com/t5/operating-system-linux/iptable-question/m-p/4784857#M44323 joe_91 2011-05-06T20:11:37Z https://community.hpe.com/t5/operating-system-linux/iptable-question/m-p/4784858#M44324 Here are the other outputs<BR /><BR />#iptables -L -vn<BR />Chain INPUT (policy ACCEPT 508 packets, 44674 bytes)<BR /> pkts bytes target prot opt in out source destination <BR /> <BR /><BR />Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<BR /> pkts bytes target prot opt in out source destination <BR /> <BR /><BR />Chain OUTPUT (policy ACCEPT 432 packets, 38412 bytes)<BR /> pkts bytes target prot opt in out source destination<BR /># iptables -L -vnt nat<BR />Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)<BR /> pkts bytes target prot opt in out source destination <BR /> <BR /><BR />Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)<BR /> pkts bytes target prot opt in out source destination <BR /> <BR /><BR />Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)<BR /> pkts bytes target prot opt in out source destination <BR /> <BR /># iptables -L -vnt mangle<BR />Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)<BR /> pkts bytes target prot opt in out source destination <BR /> <BR /><BR />Chain INPUT (policy ACCEPT 0 packets, 0 bytes)<BR /> pkts bytes target prot opt in out source destination <BR /> <BR /><BR />Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<BR /> pkts bytes target prot opt in out source destination <BR /> <BR /><BR />Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)<BR /> pkts bytes target prot opt in out source destination <BR /> <BR /><BR />Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)<BR /> pkts bytes target prot opt in out source destination <BR /> <BR />Thanks<BR /><BR />Joe Fri, 06 May 2011 20:18:31 GMT https://community.hpe.com/t5/operating-system-linux/iptable-question/m-p/4784858#M44324 joe_91 2011-05-06T20:18:31Z https://community.hpe.com/t5/operating-system-linux/iptable-question/m-p/4784859#M44325 &gt; lsmod|grep conn<BR />&gt; ip_conntrack 54297 1 iptable_nat<BR /><BR />&gt; (so there is one connection)<BR /><BR />Not necessarily one connection, but one other module (specifically iptable_nat) using the services of the ip_conntrack module. <BR /><BR />/proc/net/ip_conntrack is *exactly* the right place to look: it lists the connections currently handled by the ip_conntrack module. <BR /><BR />Perhaps there was one or more existing NATted connections, or old NATted connections waiting for their TIME_WAIT timers to expire when you originally disabled iptables, so the module could not be removed at that time.<BR /><BR />Later, when you ran "/etc/init.d/iptables stop" again, those connections apparently had all reached a closed state, and both the iptable_nat and ip_conntrack modules could allow themselves to be removed without any risk of network traffic disruption.<BR /><BR />MK Sat, 07 May 2011 06:45:00 GMT https://community.hpe.com/t5/operating-system-linux/iptable-question/m-p/4784859#M44325 Matti_Kurkela 2011-05-07T06:45:00Z