Hi All,

I have a loadbalancer with keepalived, which handles a lot of connections. That is why I use a stateless firewall (no connection tracking).

Everything goes well, but by accident I gave the command 'iptables -L -t nat'. Now the modules nf_nat, iptable_nat, nf_conntrack and nf_conntrack_ipv4 were loaded. I didn't see this, so the loadbalancer suffered high load and nodes were removed from the loadbalancer.

A google session came up with /etc/modprobe.d/blacklist.conf, which only prevents modules to be loaded at boot time. Also blacklisting the module in /etc/modprobe.d/nf_nat.conf, only prevents the module to be loaded during boottime.

This is not what I seek. I seek a solution which prevents a module to be loaded at all. Even if a command like 'iptables -L -t nat' is given.

Does anyone know a solution?

---
Enrico

Have you tried something like

install <problem-module> /bin/true (= instead of installing x, do this).

In /etc/modprobe.d somewhere? That should exit quietly when the install is called for and certainly not install the thing.

This worked! Thanks!

I've created the file /etc/modprobe.d/connectiontracking.conf with the following content:

install nf_conntrack /bin/true
install nf_conntrack_ipv4 /bin/true
install nf_nat /bin/true
install iptable_nat /bin/true

iptables -L -t nat

iptables v1.4.8: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I doubt if insmod will do it, or modprobe. You can't have them until you change modprobe.d/whatever