
nmap and iptables (sendto: ... operation not permitted)


Darryl Taylor

Sep 5, 2002, 9:48:09 AM9/5/02
I have seen a few posts about the "operation not permitted" error when
running nmap from a system with iptables running. However, they were
not in English, Russian, French or Spanish, so I couldn't read them.
So I wanted to put a little info out to ease some people's frustration.

I got nmap to work without giving the sendto errors. What I found is
that when a program uses raw sockets, the ip_conntrack module (the
--state option) cannot be used to allow the packet out. Apparently
raw sockets and connection tracking don't like each other. So I have
solved half my problem. Since I always run nmap as root, I put the
following rule in my rc.firewall script to allow packets generated by
a program with uid=0 to pass - see below:
$IPTABLES -A OUTPUT -o $IFACE -p tcp -m owner --uid-owner 0 -j ACCEPT
$IPTABLES -A OUTPUT -o $IFACE -p udp -m owner --uid-owner 0 -j ACCEPT

Now I don't know how it is happening yet, but I am receiving the
packets back and I don't have a rule to do that. I do notice that
nmap sets the interface to promiscuous mode when it runs. So I am
wondering if these returning packets don't ever traverse the filter
table. I am going to continue to research this, but if anyone knows
the answer, please do share.

I think the real solution will be using a combination of --uid-owner
and --cmd-owner. I have been trying to find a kernel that has the
--cmd-owner support in the ipt_owner module. I have built 2.4.19-ac4
but have not tried --cmd-owner yet. If it works, I will post the
info.

TIA,
Darryl

motd: I can accept defeat, but I can't accept not trying.
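An added example, not part of Darryl's post: a small rc.firewall fragment that combines the owner-match rules above with the usual stateful rules, written so it can be dry-run. The "sendto: Operation not permitted" message is what a raw-socket program sees when the kernel drops its packet in the filter OUTPUT chain (netfilter reports a drop of locally generated traffic to the sender as EPERM), so OUTPUT is the chain that needs the exception; the owner match is only valid in OUTPUT (and nat POSTROUTING), which is why no owner rule appears in INPUT. The example sticks to --uid-owner, which is still supported, rather than --cmd-owner. The interface name eth0 and the default IPTABLES="echo iptables" (which prints the rules instead of applying them) are assumptions for the dry run; set IPTABLES=/sbin/iptables and APPLY_RULES=1 as root to load the rules for real.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: IFACE defaults to eth0; IPTABLES defaults to "echo iptables"
# so that running this script prints the rules instead of changing the
# running firewall. Set IPTABLES=/sbin/iptables and APPLY_RULES=1 (as root)
# to apply them.

IFACE="${IFACE:-eth0}"
IPTABLES="${IPTABLES:-echo iptables}"

# OUTPUT chain: a restrictive OUTPUT chain is what makes nmap's raw-socket
# sendto() fail with EPERM, so the exceptions go here. Reply traffic is
# matched first by connection state; anything else root sends (including
# nmap's raw SYN/UDP probes and ICMP pings) is matched by the owner module.
output_rules() {
    $IPTABLES -A OUTPUT -o "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$IFACE" -p tcp  -m owner --uid-owner 0 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$IFACE" -p udp  -m owner --uid-owner 0 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$IFACE" -p icmp -m owner --uid-owner 0 -j ACCEPT
    $IPTABLES -P OUTPUT DROP
}

# INPUT chain: the owner match does not exist here (there is no local
# sender), so replies to the scan are accepted by connection state only.
input_rules() {
    $IPTABLES -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -P INPUT DROP
}

# Dry-run helper: count the emitted OUTPUT rules that use the owner match.
# Only meaningful when IPTABLES is the echo stand-in.
owner_rule_count() {
    output_rules | grep -c -- '--uid-owner 0'
}

if [ -n "${APPLY_RULES:-}" ]; then
    input_rules
    output_rules
fi
```

Run it as-is to review the rule set; compare the printed lines against `iptables -L OUTPUT -v -n` on the scanning host to confirm the owner rules sit before the DROP policy takes effect.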
