wiki'd

by JoKeru

nf_conntrack: table full, dropping packet.

[cc lang='bash']
# The table is at its limit: the current entry count equals the maximum
$ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
65536
$ sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 65536

# Unload the conntrack stack, dependants first; nf_nat and nf_conntrack
# need a second attempt once the modules that use them are gone
$ rmmod iptable_nat
$ rmmod ipt_MASQUERADE
$ rmmod nf_nat
$ rmmod ipt_REDIRECT
$ rmmod nf_nat
$ rmmod nf_conntrack_ipv4
$ rmmod nf_defrag_ipv4
$ rmmod nf_conntrack
$ rmmod xt_state
$ rmmod nf_conntrack
[/cc]

Listing the nat table with `iptables -t nat -L` causes the conntrack modules to be auto-loaded (probed) into the kernel again, so unloading them by hand is not permanent. For very busy world-facing hosts the solution is to add the various conntrack modules to /etc/modprobe.d/blacklist.conf to ensure that they are never loaded.
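An added example, not part of JoKeru's post: a small POSIX shell helper that reports how full the conntrack table is before the "table full, dropping packet" messages start, and that emits a modprobe.d blacklist fragment for the modules unloaded above. The `PROC_ROOT` override is an assumption made here so the check can be run against constructed files instead of the live kernel; the module list is the one from the post.

```shell
#!/bin/sh
# Added example (not from the original post). PROC_ROOT is an assumed
# override: point it at a directory with constructed files for testing.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"

# Integer percentage of the conntrack table in use, given count and max.
conntrack_usage_pct() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# Read nf_conntrack_count / nf_conntrack_max and print the usage.
# Returns 1 when usage is at or above the threshold (default 80%),
# which is the point to alert on before packets start being dropped.
conntrack_check() {
    threshold=${1:-80}
    cnt_file="$PROC_ROOT/net/netfilter/nf_conntrack_count"
    max_file="$PROC_ROOT/net/netfilter/nf_conntrack_max"
    if [ ! -r "$cnt_file" ] || [ ! -r "$max_file" ]; then
        # No sysctl files means nf_conntrack is not loaded at all.
        echo "nf_conntrack not loaded ($cnt_file missing)"
        return 0
    fi
    count=$(cat "$cnt_file")
    max=$(cat "$max_file")
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "nf_conntrack: $count/$max entries ($pct%)"
    [ "$pct" -lt "$threshold" ]
}

# Print a modprobe.d fragment blacklisting the modules listed in the post;
# redirect it to /etc/modprobe.d/blacklist.conf on the host in question.
conntrack_blacklist() {
    for m in nf_conntrack nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat \
             iptable_nat ipt_MASQUERADE ipt_REDIRECT xt_state; do
        echo "blacklist $m"
    done
}

# Usage: conntrack_check 80; conntrack_blacklist > blacklist-conntrack.conf
```

Two caveats when applying this. Blacklisting only makes sense on a host that does no NAT and whose iptables rules do not use `-m state` or `-m conntrack`, since all of those depend on nf_conntrack. And a `blacklist` line in modprobe.d only stops the module from being loaded through an alias; a module requested by name or pulled in as a dependency still loads, so if it keeps coming back an `install <module> /bin/false` line is the stronger form.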
