How to disable the automatic unloading of kernel modules when iptables is restarted

Source: Internet
Author: User
In the latest Linux kernels, iptables unloads its kernel modules by default when the service is restarted, and then loads them again. With this configuration, a restart of iptables has the following effects on connections that were established with the TCP window scale option:
1. the window size can no longer be identified correctly after the restart;
2. the tracked state of already-established TCP sessions goes from ESTABLISHED to INVALID, which interrupts the session.
These problems may be tolerable for applications that have a retransmission mechanism. However, if an application does not support retransmission, it may fail when the underlying TCP session is interrupted.
In environments with many such sessions, and where the iptables configuration changes frequently for security reasons, it is therefore worth deciding whether iptables should be stopped from forcibly unloading its kernel modules on restart. The fix is to edit the iptables configuration file and set IPTABLES_MODULES_UNLOAD="no".
The configuration change is made as follows:
1. Confirm the current configuration
① Confirm the window scale option setting

cat /proc/sys/net/ipv4/tcp_window_scaling
1: window scale option enabled; 0: disabled

② Confirm the iptables configuration

grep UNLOAD /etc/sysconfig/iptables-config
IPTABLES_MODULES_UNLOAD="yes"
"yes": the iptables modules are unloaded when iptables is restarted; "no": the modules are left loaded.
2. Modify the configuration
① System environment

uname -a
Linux test01 2.6.18-164.el5 #1 SMP Thu Sep 3 03:28:30 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
② Restart iptables before the configuration change (for comparison)

/etc/init.d/iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: nat filter [ OK ]
Unloading iptables modules: [ OK ]    <- the modules are unloaded here
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n [ OK ]    <- and loaded again

③ Modify the configuration

vim /etc/sysconfig/iptables-config
Change the following field so that the kernel modules are no longer unloaded on restart:
IPTABLES_MODULES_UNLOAD="no"
④ Restart iptables after the configuration change:

/etc/init.d/iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: nat filter [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n [ OK ]    <- no unload step this time; modules are only loaded
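The following script is an added example (not from the original article) that applies the change above idempotently and verifies it, which is how a configuration-management run would do it. The function names, the sample config file and the temporary paths are constructed here; only the IPTABLES_MODULES_UNLOAD key and the tcp_window_scaling sysctl come from the article.

```shell
#!/bin/sh
# Added example: idempotent IPTABLES_MODULES_UNLOAD="no" change with a check.
# Paths are parameters so the functions can be exercised on a copy of the file.

# Print the current IPTABLES_MODULES_UNLOAD value (last uncommented definition
# wins, as in shell), or "unset" if the key is absent or commented out.
get_unload_setting() {
    cfg="$1"
    val=$(sed -n 's/^[[:space:]]*IPTABLES_MODULES_UNLOAD=["'\'']\{0,1\}\([a-zA-Z]*\)["'\'']\{0,1\}.*/\1/p' "$cfg" | tail -n 1)
    if [ -z "$val" ]; then echo unset; else echo "$val"; fi
}

# Set IPTABLES_MODULES_UNLOAD="no": rewrite an existing definition in place
# (GNU sed -i, as on the RHEL 5 host in the article) or append one if missing.
# Returns 0 only if the file reads back as "no".
disable_module_unload() {
    cfg="$1"
    if grep -q '^[[:space:]]*IPTABLES_MODULES_UNLOAD=' "$cfg"; then
        sed -i 's/^[[:space:]]*IPTABLES_MODULES_UNLOAD=.*/IPTABLES_MODULES_UNLOAD="no"/' "$cfg"
    else
        printf 'IPTABLES_MODULES_UNLOAD="no"\n' >> "$cfg"
    fi
    [ "$(get_unload_setting "$cfg")" = "no" ]
}

# Return 0 if TCP window scaling is enabled (sysctl value 1). The path is a
# parameter so the check can be run against a constructed file; by default it
# reads the real procfs entry.
window_scaling_enabled() {
    f="${1:-/proc/sys/net/ipv4/tcp_window_scaling}"
    if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then
        return 0
    fi
    return 1
}

# Constructed sample config (not the real /etc/sysconfig/iptables-config) so
# the example runs without modifying the host.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# Save current firewall rules on stop.
IPTABLES_SAVE_ON_STOP="no"
# Unload modules on restart and stop
IPTABLES_MODULES_UNLOAD="yes"
EOF

echo "before: $(get_unload_setting "$SAMPLE_CFG")"
disable_module_unload "$SAMPLE_CFG" && echo "after:  $(get_unload_setting "$SAMPLE_CFG")"
rm -f "$SAMPLE_CFG"
```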
