bugzilla-daemon at netfilter.org
2013-Oct-31 02:14 UTC
[Bug 870] New: Iptables cannot block outbound packets sent by Nessus
https://bugzilla.netfilter.org/show_bug.cgi?id=870
Summary: Iptables cannot block outbound packets sent by Nessus
Product: iptables
Version: 1.4.x
Platform: x86_64
OS/Version: Ubuntu
Status: NEW
Severity: normal
Priority: P5
Component: iptables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: Mitsuaki_Shiraishi at symantec.com
Estimated Hours: 0.0
Iptables on Ubuntu 13.10 cannot block outbound packets sent by Nessus.
[TESTED ENVIRONMENT]
* Iptables v1.4.18
* Ubuntu 13.10 on x86_64 (Kali Linux 1.0.5 64bit may also be affected)
* Nessus 5.2.4
* Nmap 6.40
* Hping3 3.0.0-alpha-2
* Local ip: 192.168.2.100
* Remote ip: 192.168.2.99
[FINDING]
Iptables cannot block outbound packets sent by local Nessus daemon.
Setting OUTPUT chain's policy DROP and appending rule that ACCEPT
loopback interface should be block any outbound packets through eth1.
However, by running Nessus scan, some TCP/UDP/ICMP packets is sent to
remote server through eth1. Other attempt I tested to beyond iptables
are blocked properly.
I have no idea how nessus beyonds iptables. But I believe this should
be treat as a vulnerability of iptables.
[TEST PATTERN]
* Tested iptables' settings
(A) No packet filter
(B) Accept loopback only
(C) Accept loopback only + all reject rule
* Tested methods to send packets
(a) Telnet to remote server
(b) Dig to remote server
(c) Ping to remote server
(d) Nmap TCP SYN scan
(e) Hping3 to sent TCP SYN packets
(f) Hping3 to sent UDP datagrams
(g) Hping3 to sent ICMP echo requests
(h) Nessus with default policy "External Network Scan"
[SUMMARY OF TEST RESULT]
* Any iptables' setting cannot block certain Nessus' packets.
* Iptables' setting (B) and (C) block tested methods (a)-(g) properly.
[TEST RESULT]
(A) Iptables rule 01: no packet filter
* No packet filter rule is enabled
* All tested methods are passed iptables
(A-1) Shell script
# cat iptables-flush.sh
#!/bin/bash
IPTABLES="/sbin/iptables"
${IPTABLES} -F
${IPTABLES} -X
${IPTABLES} -Z
${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -P OUTPUT ACCEPT
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -nvL
(A-2) Result
# ./iptables-flush.sh
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
(A-3) Tested methods and result
(a) Telnet to remote server
# telnet 192.168.2.99 80
Trying 192.168.2.99...
Connected to 192.168.2.99.
Escape character is '^]'.
GET / HTTP/1.0
HTTP/1.1 401 Unauthorized
Server: GoAhead-Webs
Date: Wed Oct 30 23:54:21 2013
WWW-Authenticate: Basic realm=" "
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Connection closed by foreign host.
(b) Dig to remote server
# dig www.google.com @192.168.2.99
; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1
<<>>
www.google.com @192.168.2.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41013
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 191 IN A 173.194.38.113
www.google.com. 191 IN A 173.194.38.114
www.google.com. 191 IN A 173.194.38.115
www.google.com. 191 IN A 173.194.38.116
www.google.com. 191 IN A 173.194.38.112
;; AUTHORITY SECTION:
google.com. 56291 IN NS ns4.google.com.
google.com. 56291 IN NS ns2.google.com.
google.com. 56291 IN NS ns3.google.com.
google.com. 56291 IN NS ns1.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 230430 IN A 216.239.32.10
ns2.google.com. 230175 IN A 216.239.34.10
ns3.google.com. 229166 IN A 216.239.36.10
ns4.google.com. 230041 IN A 216.239.38.10
;; Query time: 14 msec
;; SERVER: 192.168.2.99#53(192.168.2.99)
;; WHEN: Wed Oct 30 23:54:49 JST 2013
;; MSG SIZE rcvd: 259
(c) Ping to remote server
# ping -c 3 192.168.2.99
PING 192.168.2.99 (192.168.2.99) 56(84) bytes of data.
64 bytes from 192.168.2.99: icmp_seq=1 ttl=64 time=0.847 ms
64 bytes from 192.168.2.99: icmp_seq=2 ttl=64 time=0.793 ms
64 bytes from 192.168.2.99: icmp_seq=3 ttl=64 time=0.800 ms
--- 192.168.2.99 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.793/0.813/0.847/0.033 ms
(d) Nmap TCP SYN scan
# nmap -nvv -r -Pn -sS -F --reason 192.168.2.99
Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-30 23:56 JST
Initiating ARP Ping Scan at 23:56
Scanning 192.168.2.99 [1 port]
Completed ARP Ping Scan at 23:56, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:56
Scanning 192.168.2.99 [100 ports]
Discovered open port 53/tcp on 192.168.2.99
Discovered open port 80/tcp on 192.168.2.99
Completed SYN Stealth Scan at 23:56, 0.09s elapsed (100 total ports)
Nmap scan report for 192.168.2.99
Host is up, received arp-response (0.011s latency).
Scanned at 2013-10-30 23:56:17 JST for 1s
Not shown: 98 closed ports
Reason: 98 resets
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
MAC Address: 00:01:8E:7B:AF:D0 (Logitec)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Raw packets sent: 101 (4.428KB) | Rcvd: 101 (4.036KB)
(e) Hping3 to sent TCP SYN packets
# hping3 -n -V -c 3 -S -p 80 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): S set, 40 headers + 0 data bytes
len=46 ip=192.168.2.99 ttl=64 DF id=0 tos=0 iplen=44
sport=80 flags=SA seq=0 win=5840 rtt=1.1 ms
seq=1297713297 ack=947911264 sum=4de9 urp=0
len=46 ip=192.168.2.99 ttl=64 DF id=0 tos=0 iplen=44
sport=80 flags=SA seq=1 win=5840 rtt=0.8 ms
seq=1302142566 ack=1170559117 sum=c1ef urp=0
len=46 ip=192.168.2.99 ttl=64 DF id=0 tos=0 iplen=44
sport=80 flags=SA seq=2 win=5840 rtt=0.9 ms
seq=1329926636 ack=1327164082 sum=1857 urp=0
--- 192.168.2.99 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.8/0.9/1.1 ms
(f) Hping3 to sent UDP datagrams
# hping3 -n -V -c 3 --udp -p 53 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): udp mode set, 28 headers + 0 data bytes
--- 192.168.2.99 hping statistic ---
3 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
no packet received: expected result
(g) Hping3 to sent ICMP echo requests
# hping3 -n -V -c 3 --icmp 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): icmp mode set, 28 headers + 0 data
bytes
len=46 ip=192.168.2.99 ttl=64 id=62300 tos=0 iplen=28
icmp_seq=0 rtt=0.8 ms
len=46 ip=192.168.2.99 ttl=64 id=62301 tos=0 iplen=28
icmp_seq=1 rtt=0.8 ms
len=46 ip=192.168.2.99 ttl=64 id=62302 tos=0 iplen=28
icmp_seq=2 rtt=0.9 ms
--- 192.168.2.99 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.8/0.8/0.9 ms
(h) Nessus with default policy "External Network Scan"
This test was omitted for this test case.
(B) iptables rule 02: accept loopback only
* Allow packets through loopback interface only
* But nessus beyonds iptables and packets reach to remote server
(B-1) Shell script
# cat iptables-drop.sh
#!/bin/bash
IPTABLES="/sbin/iptables"
${IPTABLES} -F
${IPTABLES} -X
${IPTABLES} -Z
${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -P OUTPUT DROP
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -A OUTPUT -o lo -j ACCEPT
${IPTABLES} -nvL
(B-2) Result
# ./iptables-drop.sh
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
(B-3) Tested methods and result
(a) Telnet to remote server
# telnet 192.168.2.99 80
Trying 192.168.2.99...
^C
(b) Dig to remote server
# dig www.google.com @192.168.2.99
; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1
<<>>
www.google.com @192.168.2.99
;; global options: +cmd
;; connection timed out; no servers could be reached
(c) Ping to remote server
# ping -c 3 192.168.2.99
PING 192.168.2.99 (192.168.2.99) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
--- 192.168.2.99 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2016ms
(d) Nmap TCP SYN scan
# nmap -nvv -r -Pn -sS -F --reason 192.168.2.99
Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-31 00:07 JST
Initiating ARP Ping Scan at 00:07
Scanning 192.168.2.99 [1 port]
Completed ARP Ping Scan at 00:07, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 00:07
Scanning 192.168.2.99 [100 ports]
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:7 S ttl=52 id=64640
iplen=44 seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:9 S ttl=42 id=61018
iplen=44 seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:13 S ttl=44 id=35727
iplen=44 seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:21 S ttl=45 id=29202
iplen=44 seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:22 S ttl=48 id=35616
iplen=44 seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:23 S ttl=52 id=55957
iplen=44 seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:25 S ttl=46 id=12696
iplen=44 seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:26 S ttl=37 id=42157
iplen=44 seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:37 S ttl=43 id=28216
iplen=44 seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:53 S ttl=41 id=46693
iplen=44 seq=3821504810 win=1024 <mss 1460>
Omitting future Sendto error messages now that 10 have been shown. Use -d2 if
you really want to see them.
Completed SYN Stealth Scan at 00:07, 3.04s elapsed (100 total ports)
Nmap scan report for 192.168.2.99
Host is up, received arp-response (0.00045s latency).
All 100 scanned ports on 192.168.2.99 are filtered because of 100 no-responses
MAC Address: 00:01:8E:7B:AF:D0 (Logitec)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.25 seconds
Raw packets sent: 1 (28B) | Rcvd: 1 (28B)
(e) Hping3 to sent TCP SYN packets
# hping3 -n -V -c 3 -S -p 80 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): S set, 40 headers + 0 data bytes
[send_ip] sendto: Operation not permitted
(f) Hping3 to sent UDP datagrams
# hping3 -n -V -c 3 --udp -p 53 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): udp mode set, 28 headers + 0 data bytes
[send_ip] sendto: Operation not permitted
(g) Hping3 to sent ICMP echo requests
# hping3 -n -V -c 3 --icmp 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): icmp mode set, 28 headers + 0 data
bytes
[send_ip] sendto: Operation not permitted
(h) Nessus with default policy "External Network Scan"
Some TCP(SYN)/UDP/ICMP packets reached to remote server
Please see attachment:
caseB_01_tcp_syn.jpg
caseB_02_udp.jpg
caseB_03_icmp.jpg
(C) iptables rule 03: Adding rule ALL REJECT
* Allow packets through loopback interface only
* Appended rule that REJECT any outbound traffic
* But nessus beyonds iptables and packets reach to remote server
(C-1) Shell script
# cat iptables-reject.sh
#!/bin/bash
IPTABLES="/sbin/iptables"
${IPTABLES} -F
${IPTABLES} -X
${IPTABLES} -Z
${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -P OUTPUT DROP
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -A OUTPUT -o lo -j ACCEPT
${IPTABLES} -A OUTPUT -j REJECT
${IPTABLES} -nvL
(C-2) Result
# ./iptables-reject.sh
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
(C-3) Tested methods and result
(a) Telnet to remote server
# telnet 192.168.2.99 80
Trying 192.168.2.99...
telnet: Unable to connect to remote host: Connection refused
(b) Dig to remote server
# dig www.google.com @192.168.2.99
; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1
<<>>
www.google.com @192.168.2.99
;; global options: +cmd
;; connection timed out; no servers could be reached
(c) Ping to remote server
# ping -c 3 192.168.2.99
PING 192.168.2.99 (192.168.2.99) 56(84) bytes of data.>From 192.168.2.100 icmp_seq=1 Destination Port Unreachable
>From 192.168.2.100 icmp_seq=1 Destination Port Unreachable
>From 192.168.2.100 icmp_seq=1 Destination Port Unreachable
--- 192.168.2.99 ping statistics ---
0 packets transmitted, 0 received, +3 errors
(d) Nmap TCP SYN scan
# nmap -nvv -r -Pn -sS -F --reason 192.168.2.99
Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-31 00:30 JST
Initiating ARP Ping Scan at 00:30
Scanning 192.168.2.99 [1 port]
Completed ARP Ping Scan at 00:30, 0.02s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 00:30
Scanning 192.168.2.99 [100 ports]
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:7 S ttl=40 id=19747
iplen=44 seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:9 S ttl=43 id=17256
iplen=44 seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:13 S ttl=44 id=58489
iplen=44 seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:21 S ttl=56 id=23589
iplen=44 seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:22 S ttl=55 id=11195
iplen=44 seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:23 S ttl=51 id=16902
iplen=44 seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:25 S ttl=41 id=54720
iplen=44 seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:26 S ttl=42 id=15150
iplen=44 seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:37 S ttl=37 id=32665
iplen=44 seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:53 S ttl=54 id=34713
iplen=44 seq=2093450241 win=1024 <mss 1460>
Omitting future Sendto error messages now that 10 have been shown. Use -d2 if
you really want to see them.
Completed SYN Stealth Scan at 00:30, 3.06s elapsed (100 total ports)
Nmap scan report for 192.168.2.99
Host is up, received arp-response (0.00040s latency).
All 100 scanned ports on 192.168.2.99 are filtered because of 100 no-responses
MAC Address: 00:01:8E:7B:AF:D0 (Logitec)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.27 seconds
Raw packets sent: 1 (28B) | Rcvd: 1 (28B)
(e) Hping3 to sent TCP SYN packets
# hping3 -n -V -c 3 -S -p 80 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): S set, 40 headers + 0 data bytes
[send_ip] sendto: Operation not permitted
(f) Hping3 to sent UDP datagrams
# hping3 -n -V -c 3 --udp -p 53 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): udp mode set, 28 headers + 0 data bytes
[send_ip] sendto: Operation not permitted
(g) Hping3 to sent ICMP echo requests
# hping3 -n -V -c 3 --icmp 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): icmp mode set, 28 headers + 0 data
bytes
[send_ip] sendto: Operation not permitted
(h) Nessus with default policy "External Network Scan"
Some TCP(SYN)/UDP/ICMP packets reached to remote server
Please see attachment:
caseC_01_tcp_syn.jpg
caseC_02_udp.jpg
caseC_03_icmp.jpg
(D) current rule
# iptables -nvL
Chain INPUT (policy ACCEPT 72729 packets, 4540K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6668 1882K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
1229 66035 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
___________________________________________________
Mitsuaki_Shiraishi at symantec.com
We protect the world?s people and information.
___________________________________________________
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-Oct-31 02:17 UTC
[Bug 870] Iptables cannot block outbound packets sent by Nessus
https://bugzilla.netfilter.org/show_bug.cgi?id=870 --- Comment #1 from Mitsuaki_Shiraishi at symantec.com 2013-10-31 03:17:28 CET --- Created attachment 419 --> https://bugzilla.netfilter.org/attachment.cgi?id=419 Screenshots of Wireshark which show outbound packets sent by Nessus -- Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-Oct-31 02:18 UTC
[Bug 870] Iptables cannot block outbound packets sent by Nessus
https://bugzilla.netfilter.org/show_bug.cgi?id=870 --- Comment #2 from Mitsuaki_Shiraishi at symantec.com 2013-10-31 03:18:01 CET --- Created attachment 420 --> https://bugzilla.netfilter.org/attachment.cgi?id=420 Screenshots 2/6 -- Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-Oct-31 02:18 UTC
[Bug 870] Iptables cannot block outbound packets sent by Nessus
https://bugzilla.netfilter.org/show_bug.cgi?id=870 --- Comment #3 from Mitsuaki_Shiraishi at symantec.com 2013-10-31 03:18:46 CET --- Created attachment 421 --> https://bugzilla.netfilter.org/attachment.cgi?id=421 Screenshots 3/6 -- Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-Oct-31 02:19 UTC
[Bug 870] Iptables cannot block outbound packets sent by Nessus
https://bugzilla.netfilter.org/show_bug.cgi?id=870 --- Comment #4 from Mitsuaki_Shiraishi at symantec.com 2013-10-31 03:19:09 CET --- Created attachment 422 --> https://bugzilla.netfilter.org/attachment.cgi?id=422 Screenshots 4/6 -- Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-Oct-31 02:19 UTC
[Bug 870] Iptables cannot block outbound packets sent by Nessus
https://bugzilla.netfilter.org/show_bug.cgi?id=870 --- Comment #5 from Mitsuaki_Shiraishi at symantec.com 2013-10-31 03:19:33 CET --- Created attachment 423 --> https://bugzilla.netfilter.org/attachment.cgi?id=423 Screenshots 5/6 -- Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-Oct-31 02:19 UTC
[Bug 870] Iptables cannot block outbound packets sent by Nessus
https://bugzilla.netfilter.org/show_bug.cgi?id=870 --- Comment #6 from Mitsuaki_Shiraishi at symantec.com 2013-10-31 03:19:52 CET --- Created attachment 424 --> https://bugzilla.netfilter.org/attachment.cgi?id=424 Screenshots 6/6 -- Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-Oct-31 16:55 UTC
[Bug 870] Iptables cannot block outbound packets sent by Nessus
https://bugzilla.netfilter.org/show_bug.cgi?id=870
Phil Oester <netfilter at linuxace.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |netfilter at linuxace.com
Resolution| |INVALID
--- Comment #7 from Phil Oester <netfilter at linuxace.com> 2013-10-31
17:55:15 CET ---
Nessus uses raw sockets, which bypass the Linux IP stack completely. This
behavior is not unexpected. Run nessus as a non-root user (if possible) and it
will not be able to use raw sockets. Closing.
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.