How to Properly Load iptables Modules (ip_conntrack, ip_conntrack_ftp) in CentOS 6: Best Practices

When working with iptables on CentOS 6, properly loading modules like ip_conntrack and ip_conntrack_ftp is critical for firewall functionality. Here's a technical deep dive into the correct approaches.

There are several places where you can configure module loading:

1. /etc/sysconfig/iptables-config - via the IPTABLES_MODULES variable, which /etc/init.d/iptables reads before it applies rules
2. /etc/modprobe.conf - legacy configuration
3. /etc/modprobe.d/ - modern configuration directory

The most maintainable method is using separate files in /etc/modprobe.d/:

# Create a dedicated configuration file
sudo touch /etc/modprobe.d/iptables_modules.conf

# Add install hooks for the required modules. An "install" line runs whenever the
# module is requested (by modprobe or by the iptables init script); on its own it
# does not load the module at boot.
echo "install ip_conntrack /sbin/modprobe --ignore-install ip_conntrack" | sudo tee -a /etc/modprobe.d/iptables_modules.conf
echo "install ip_conntrack_ftp /sbin/modprobe --ignore-install ip_conntrack_ftp" | sudo tee -a /etc/modprobe.d/iptables_modules.conf

Alternatively, set IPTABLES_MODULES in /etc/sysconfig/iptables-config so the iptables init script loads the modules before it applies rules:

# Edit the configuration file
IPTABLES_MODULES="ip_conntrack ip_conntrack_ftp"

Note: This method is less flexible than modprobe.d configuration.

After configuration, verify the modules are loaded:

# Check loaded modules
lsmod | grep conntrack

# Manual loading if needed
sudo modprobe ip_conntrack
sudo modprobe ip_conntrack_ftp

To ensure modules load at boot:

# Add to rc.local (not recommended as primary method)
echo "modprobe ip_conntrack" | sudo tee -a /etc/rc.local
echo "modprobe ip_conntrack_ftp" | sudo tee -a /etc/rc.local

Common issues and solutions:

# If modules fail to load
dmesg | grep conntrack

# Check module dependencies
modinfo ip_conntrack
modinfo ip_conntrack_ftp

When working with iptables on CentOS 6, certain connection tracking modules like ip_conntrack and ip_conntrack_ftp need to be properly loaded before the firewall service starts. These modules enable stateful packet inspection and protocol-specific connection tracking.

Here are the technically correct approaches to load these modules:

Method 1: Using /etc/sysconfig/iptables-config

The most maintainable solution is to edit /etc/sysconfig/iptables-config:

IPTABLES_MODULES="ip_conntrack ip_conntrack_ftp"

This ensures modules load before iptables service starts during boot.

Method 2: Through modprobe configuration

Create or modify a file in /etc/modprobe.d/:

# On CentOS 6 kernels the hashsize parameter belongs to nf_conntrack (the module behind the ip_conntrack alias)
echo "options nf_conntrack hashsize=65536" > /etc/modprobe.d/iptables.conf
# Pull in the FTP helper every time ip_conntrack is requested
echo "install ip_conntrack /sbin/modprobe --ignore-install ip_conntrack && /sbin/modprobe ip_conntrack_ftp" >> /etc/modprobe.d/iptables.conf

Method 3: Manual loading (temporary)

For testing purposes, you can load modules manually:

modprobe ip_conntrack
modprobe ip_conntrack_ftp

After configuration, verify the modules are loaded:

lsmod | grep conntrack

Expected output should show both modules:

ip_conntrack_ftp       12595  0 
ip_conntrack           79462  1 ip_conntrack_ftp

If modules aren't loading at boot, check the kernel log and the init script status (CentOS 6 uses SysV init, not systemd):

dmesg | grep conntrack
service iptables status

Points to keep in mind:

  • Module dependencies must be resolved; on CentOS 6 kernels ip_conntrack and ip_conntrack_ftp are aliases for nf_conntrack_ipv4 and nf_conntrack_ftp, which depend on nf_conntrack, so lsmod may list the nf_ names rather than the ip_ names
  • Large systems may need to adjust the hashsize parameter for connection tracking
  • Changes require an iptables service restart: service iptables restart
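The verification step above (lsmod) and the alias caveat can be combined into a small check. This is an added example, not part of the original article: it parses lsmod output, accepts the nf_* alias names that CentOS 6 kernels report in place of ip_conntrack/ip_conntrack_ftp, and reports which required modules are missing. The lsmod outputs below are constructed samples.

```shell
#!/bin/sh
# Constructed lsmod output: a host where the FTP helper was never loaded.
LSMOD_MISSING_FTP='Module                  Size  Used by
nf_conntrack_ipv4       9506  2
nf_conntrack           79462  1 nf_conntrack_ipv4
ipt_REJECT              2351  2'

# Constructed lsmod output: a host where both modules are loaded under their nf_* names.
LSMOD_OK='Module                  Size  Used by
nf_conntrack_ftp       12595  0
nf_conntrack_ipv4       9506  2
nf_conntrack           79462  2 nf_conntrack_ftp,nf_conntrack_ipv4'

# module_loaded LSMOD NAME: succeeds if NAME, or its CentOS 6 nf_* alias,
# appears in the first column of the lsmod output.
module_loaded() {
    _lsmod=$1; _name=$2
    case $_name in
        ip_conntrack)     _alt=nf_conntrack_ipv4 ;;   # ip_conntrack is an alias of nf_conntrack_ipv4
        ip_conntrack_ftp) _alt=nf_conntrack_ftp ;;    # ip_conntrack_ftp is an alias of nf_conntrack_ftp
        *)                _alt=$_name ;;
    esac
    printf '%s\n' "$_lsmod" | awk -v a="$_name" -v b="$_alt" \
        '$1 == a || $1 == b { found = 1 } END { exit !found }'
}

# missing_modules LSMOD MOD...: prints the required modules that are not
# loaded (space separated) and returns 0 only when none are missing.
missing_modules() {
    _lsmod=$1; shift
    _missing=""
    for _m in "$@"; do
        module_loaded "$_lsmod" "$_m" || _missing="$_missing $_m"
    done
    _missing=${_missing# }
    [ -n "$_missing" ] && printf '%s\n' "$_missing"
    [ -z "$_missing" ]
}

# On a live CentOS 6 host: missing_modules "$(lsmod)" ip_conntrack ip_conntrack_ftp
```

A non-zero exit from missing_modules is a convenient hook for a post-boot check in a configuration management run.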