[Bug 870] New: Iptables cannot block outbound packets sent by Nessus

bugzilla-daemon at netfilter.org
Thu Oct 31 03:14:23 CET 2013


https://bugzilla.netfilter.org/show_bug.cgi?id=870

           Summary: Iptables cannot block outbound packets sent by Nessus
           Product: iptables
           Version: 1.4.x
          Platform: x86_64
        OS/Version: Ubuntu
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: Mitsuaki_Shiraishi at symantec.com
   Estimated Hours: 0.0


Iptables on Ubuntu 13.10 cannot block outbound packets sent by Nessus.


[TESTED ENVIRONMENT]

 * Iptables v1.4.18
 * Ubuntu 13.10 on x86_64 (Kali Linux 1.0.5 64bit may also be affected)
 * Nessus 5.2.4
 * Nmap 6.40
 * Hping3 3.0.0-alpha-2

 * Local ip: 192.168.2.100
 * Remote ip: 192.168.2.99


[FINDING]

Iptables cannot block outbound packets sent by local Nessus daemon.

Setting the OUTPUT chain's policy to DROP and appending a rule that ACCEPTs
the loopback interface should block any outbound packets through eth1.
However, when running a Nessus scan, some TCP/UDP/ICMP packets are sent to
the remote server through eth1. Other attempts I tested to bypass iptables
are blocked properly.

I have no idea how Nessus bypasses iptables, but I believe this should
be treated as a vulnerability of iptables.


[TEST PATTERN]

* Tested iptables settings
(A) No packet filter
(B) Accept loopback only
(C) Accept loopback only + reject-all rule

* Tested methods to send packets
(a) Telnet to remote server
(b) Dig to remote server
(c) Ping to remote server
(d) Nmap TCP SYN scan
(e) Hping3 to send TCP SYN packets
(f) Hping3 to send UDP datagrams
(g) Hping3 to send ICMP echo requests
(h) Nessus with default policy "External Network Scan"


[SUMMARY OF TEST RESULT]

 * No iptables setting can block certain Nessus packets.
 * Iptables settings (B) and (C) block tested methods (a)-(g) properly.


[TEST RESULT]

(A) Iptables rule 01: no packet filter
 * No packet filter rule is enabled
 * All tested methods pass through iptables

(A-1) Shell script
# cat iptables-flush.sh 
#!/bin/bash

IPTABLES="/sbin/iptables"

${IPTABLES} -F
${IPTABLES} -X
${IPTABLES} -Z

${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -P OUTPUT ACCEPT
${IPTABLES} -P FORWARD ACCEPT

${IPTABLES} -nvL


(A-2) Result
# ./iptables-flush.sh 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 


(A-3) Tested methods and result
(a) Telnet to remote server
# telnet 192.168.2.99 80
Trying 192.168.2.99...
Connected to 192.168.2.99.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 401 Unauthorized
Server: GoAhead-Webs
Date: Wed Oct 30 23:54:21 2013
WWW-Authenticate: Basic realm=" "
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html

Connection closed by foreign host.

(b) Dig to remote server
# dig www.google.com @192.168.2.99

; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>>
www.google.com @192.168.2.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41013
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com.            IN    A

;; ANSWER SECTION:
www.google.com.        191    IN    A    173.194.38.113
www.google.com.        191    IN    A    173.194.38.114
www.google.com.        191    IN    A    173.194.38.115
www.google.com.        191    IN    A    173.194.38.116
www.google.com.        191    IN    A    173.194.38.112

;; AUTHORITY SECTION:
google.com.        56291    IN    NS    ns4.google.com.
google.com.        56291    IN    NS    ns2.google.com.
google.com.        56291    IN    NS    ns3.google.com.
google.com.        56291    IN    NS    ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.        230430    IN    A    216.239.32.10
ns2.google.com.        230175    IN    A    216.239.34.10
ns3.google.com.        229166    IN    A    216.239.36.10
ns4.google.com.        230041    IN    A    216.239.38.10

;; Query time: 14 msec
;; SERVER: 192.168.2.99#53(192.168.2.99)
;; WHEN: Wed Oct 30 23:54:49 JST 2013
;; MSG SIZE  rcvd: 259


(c) Ping to remote server
# ping -c 3 192.168.2.99
PING 192.168.2.99 (192.168.2.99) 56(84) bytes of data.
64 bytes from 192.168.2.99: icmp_seq=1 ttl=64 time=0.847 ms
64 bytes from 192.168.2.99: icmp_seq=2 ttl=64 time=0.793 ms
64 bytes from 192.168.2.99: icmp_seq=3 ttl=64 time=0.800 ms

--- 192.168.2.99 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.793/0.813/0.847/0.033 ms

(d) Nmap TCP SYN scan
# nmap -nvv -r -Pn -sS -F --reason 192.168.2.99

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-30 23:56 JST
Initiating ARP Ping Scan at 23:56
Scanning 192.168.2.99 [1 port]
Completed ARP Ping Scan at 23:56, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:56
Scanning 192.168.2.99 [100 ports]
Discovered open port 53/tcp on 192.168.2.99
Discovered open port 80/tcp on 192.168.2.99
Completed SYN Stealth Scan at 23:56, 0.09s elapsed (100 total ports)
Nmap scan report for 192.168.2.99
Host is up, received arp-response (0.011s latency).
Scanned at 2013-10-30 23:56:17 JST for 1s
Not shown: 98 closed ports
Reason: 98 resets
PORT   STATE SERVICE REASON
53/tcp open  domain  syn-ack
80/tcp open  http    syn-ack
MAC Address: 00:01:8E:7B:AF:D0 (Logitec)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
           Raw packets sent: 101 (4.428KB) | Rcvd: 101 (4.036KB)


(e) Hping3 to send TCP SYN packets
# hping3 -n -V -c 3 -S -p 80 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): S set, 40 headers + 0 data bytes
len=46 ip=192.168.2.99 ttl=64 DF id=0 tos=0 iplen=44
sport=80 flags=SA seq=0 win=5840 rtt=1.1 ms
seq=1297713297 ack=947911264 sum=4de9 urp=0

len=46 ip=192.168.2.99 ttl=64 DF id=0 tos=0 iplen=44
sport=80 flags=SA seq=1 win=5840 rtt=0.8 ms
seq=1302142566 ack=1170559117 sum=c1ef urp=0

len=46 ip=192.168.2.99 ttl=64 DF id=0 tos=0 iplen=44
sport=80 flags=SA seq=2 win=5840 rtt=0.9 ms
seq=1329926636 ack=1327164082 sum=1857 urp=0


--- 192.168.2.99 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.8/0.9/1.1 ms

(f) Hping3 to send UDP datagrams
# hping3 -n -V -c 3 --udp -p 53 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): udp mode set, 28 headers + 0 data bytes

--- 192.168.2.99 hping statistic ---
3 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

no packet received: expected result

(g) Hping3 to send ICMP echo requests
# hping3 -n -V -c 3 --icmp 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): icmp mode set, 28 headers + 0 data bytes
len=46 ip=192.168.2.99 ttl=64 id=62300 tos=0 iplen=28
icmp_seq=0 rtt=0.8 ms
len=46 ip=192.168.2.99 ttl=64 id=62301 tos=0 iplen=28
icmp_seq=1 rtt=0.8 ms
len=46 ip=192.168.2.99 ttl=64 id=62302 tos=0 iplen=28
icmp_seq=2 rtt=0.9 ms

--- 192.168.2.99 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.8/0.8/0.9 ms

(h) Nessus with default policy "External Network Scan"
This test was omitted for this test case.


(B) iptables rule 02: accept loopback only
 * Allow packets through loopback interface only
 * But Nessus bypasses iptables and packets reach the remote server

(B-1) Shell script
# cat iptables-drop.sh 
#!/bin/bash

IPTABLES="/sbin/iptables"

${IPTABLES} -F
${IPTABLES} -X
${IPTABLES} -Z

${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -P OUTPUT DROP
${IPTABLES} -P FORWARD ACCEPT

${IPTABLES} -A OUTPUT -o lo -j ACCEPT

${IPTABLES} -nvL

(B-2) Result
# ./iptables-drop.sh 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0   

(B-3) Tested methods and result
(a) Telnet to remote server
# telnet 192.168.2.99 80
Trying 192.168.2.99...
^C

(b) Dig to remote server
# dig www.google.com @192.168.2.99

; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>>
www.google.com @192.168.2.99
;; global options: +cmd
;; connection timed out; no servers could be reached

(c) Ping to remote server
# ping -c 3 192.168.2.99
PING 192.168.2.99 (192.168.2.99) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- 192.168.2.99 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2016ms


(d) Nmap TCP SYN scan
# nmap -nvv -r -Pn -sS -F --reason 192.168.2.99

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-31 00:07 JST
Initiating ARP Ping Scan at 00:07
Scanning 192.168.2.99 [1 port]
Completed ARP Ping Scan at 00:07, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 00:07
Scanning 192.168.2.99 [100 ports]
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:7 S ttl=52 id=64640
iplen=44  seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:9 S ttl=42 id=61018
iplen=44  seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:13 S ttl=44 id=35727
iplen=44  seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:21 S ttl=45 id=29202
iplen=44  seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:22 S ttl=48 id=35616
iplen=44  seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:23 S ttl=52 id=55957
iplen=44  seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:25 S ttl=46 id=12696
iplen=44  seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:26 S ttl=37 id=42157
iplen=44  seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:37 S ttl=43 id=28216
iplen=44  seq=3821504810 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:58171 > 192.168.2.99:53 S ttl=41 id=46693
iplen=44  seq=3821504810 win=1024 <mss 1460>
Omitting future Sendto error messages now that 10 have been shown.  Use -d2 if
you really want to see them.
Completed SYN Stealth Scan at 00:07, 3.04s elapsed (100 total ports)
Nmap scan report for 192.168.2.99
Host is up, received arp-response (0.00045s latency).
All 100 scanned ports on 192.168.2.99 are filtered because of 100 no-responses
MAC Address: 00:01:8E:7B:AF:D0 (Logitec)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.25 seconds
           Raw packets sent: 1 (28B) | Rcvd: 1 (28B)

(e) Hping3 to send TCP SYN packets
# hping3 -n -V -c 3 -S -p 80 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): S set, 40 headers + 0 data bytes
[send_ip] sendto: Operation not permitted

(f) Hping3 to send UDP datagrams
# hping3 -n -V -c 3 --udp -p 53 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): udp mode set, 28 headers + 0 data bytes
[send_ip] sendto: Operation not permitted

(g) Hping3 to send ICMP echo requests
# hping3 -n -V -c 3 --icmp 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): icmp mode set, 28 headers + 0 data bytes
[send_ip] sendto: Operation not permitted


(h) Nessus with default policy "External Network Scan"
Some TCP(SYN)/UDP/ICMP packets reached the remote server.
Please see attachments:
    caseB_01_tcp_syn.jpg
    caseB_02_udp.jpg 
    caseB_03_icmp.jpg


(C) iptables rule 03: adding a REJECT-all rule
 * Allow packets through loopback interface only
 * Appended a rule that REJECTs any outbound traffic
 * But Nessus bypasses iptables and packets reach the remote server

(C-1) Shell script
# cat iptables-reject.sh 
#!/bin/bash

IPTABLES="/sbin/iptables"

${IPTABLES} -F
${IPTABLES} -X
${IPTABLES} -Z

${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -P OUTPUT DROP
${IPTABLES} -P FORWARD ACCEPT

${IPTABLES} -A OUTPUT -o lo -j ACCEPT
${IPTABLES} -A OUTPUT -j REJECT

${IPTABLES} -nvL


(C-2) Result
# ./iptables-reject.sh 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0   
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0  
         reject-with icmp-port-unreachable

(C-3) Tested methods and result
(a) Telnet to remote server
# telnet 192.168.2.99 80
Trying 192.168.2.99...
telnet: Unable to connect to remote host: Connection refused

(b) Dig to remote server
# dig www.google.com @192.168.2.99

; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>>
www.google.com @192.168.2.99
;; global options: +cmd
;; connection timed out; no servers could be reached

(c) Ping to remote server
# ping -c 3 192.168.2.99
PING 192.168.2.99 (192.168.2.99) 56(84) bytes of data.
From 192.168.2.100 icmp_seq=1 Destination Port Unreachable
From 192.168.2.100 icmp_seq=1 Destination Port Unreachable
From 192.168.2.100 icmp_seq=1 Destination Port Unreachable

--- 192.168.2.99 ping statistics ---
0 packets transmitted, 0 received, +3 errors

(d) Nmap TCP SYN scan
# nmap -nvv -r -Pn -sS -F --reason 192.168.2.99

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-31 00:30 JST
Initiating ARP Ping Scan at 00:30
Scanning 192.168.2.99 [1 port]
Completed ARP Ping Scan at 00:30, 0.02s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 00:30
Scanning 192.168.2.99 [100 ports]
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:7 S ttl=40 id=19747
iplen=44  seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:9 S ttl=43 id=17256
iplen=44  seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:13 S ttl=44 id=58489
iplen=44  seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:21 S ttl=56 id=23589
iplen=44  seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:22 S ttl=55 id=11195
iplen=44  seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:23 S ttl=51 id=16902
iplen=44  seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:25 S ttl=41 id=54720
iplen=44  seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:26 S ttl=42 id=15150
iplen=44  seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:37 S ttl=37 id=32665
iplen=44  seq=2093450241 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.2.99, 16) =>
Operation not permitted
Offending packet: TCP 192.168.2.100:33557 > 192.168.2.99:53 S ttl=54 id=34713
iplen=44  seq=2093450241 win=1024 <mss 1460>
Omitting future Sendto error messages now that 10 have been shown.  Use -d2 if
you really want to see them.
Completed SYN Stealth Scan at 00:30, 3.06s elapsed (100 total ports)
Nmap scan report for 192.168.2.99
Host is up, received arp-response (0.00040s latency).
All 100 scanned ports on 192.168.2.99 are filtered because of 100 no-responses
MAC Address: 00:01:8E:7B:AF:D0 (Logitec)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.27 seconds
           Raw packets sent: 1 (28B) | Rcvd: 1 (28B)


(e) Hping3 to send TCP SYN packets
# hping3 -n -V -c 3 -S -p 80 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): S set, 40 headers + 0 data bytes
[send_ip] sendto: Operation not permitted

(f) Hping3 to send UDP datagrams
# hping3 -n -V -c 3 --udp -p 53 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): udp mode set, 28 headers + 0 data bytes
[send_ip] sendto: Operation not permitted

(g) Hping3 to send ICMP echo requests
# hping3 -n -V -c 3 --icmp 192.168.2.99
using eth1, addr: 192.168.2.100, MTU: 1500
HPING 192.168.2.99 (eth1 192.168.2.99): icmp mode set, 28 headers + 0 data bytes
[send_ip] sendto: Operation not permitted


(h) Nessus with default policy "External Network Scan"
Some TCP(SYN)/UDP/ICMP packets reached the remote server.
Please see attachments:
    caseC_01_tcp_syn.jpg
    caseC_02_udp.jpg 
    caseC_03_icmp.jpg

(D) current rule

# iptables -nvL
Chain INPUT (policy ACCEPT 72729 packets, 4540K bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
 6668 1882K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0   
 1229 66035 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0  
         reject-with icmp-port-unreachable


___________________________________________________

Mitsuaki_Shiraishi at symantec.com
We protect the world’s people and information.
___________________________________________________

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
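Added example (editor's code, not part of the bug report or of the netfilter project): the check a practitioner would run on the reporter's setup before deciding where the packets went. Every packet that netfilter evaluates in the OUTPUT chain increments either a rule counter or the chain's policy counter, so comparing two `iptables -nvL` snapshots taken around a test run tells you whether the tool's packets were seen by the OUTPUT hook and refused there (counters move, as in cases (a)-(g)), or were never evaluated by that chain at all (counters do not move while the remote host still receives packets, which is what a capture on the remote side such as the report's attachments establishes). The two snapshots below are constructed, modelled on the counters shown in section (D); the function names are mine, and the REJECT rule is kept on one line as iptables prints it.

```shell
#!/bin/sh
# Added example (not from the bug report): compare two `iptables -nvL`
# snapshots to see whether a test tool's packets were evaluated by the
# OUTPUT chain. Both snapshots are constructed, modelled on section (D).

SNAP_BEFORE='Chain INPUT (policy ACCEPT 72729 packets, 4540K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6668 1882K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
 1229 66035 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# Constructed "after" snapshot: three more packets hit the REJECT rule (what
# `hping3 -c 3` produced in cases (e)-(g)), plus some loopback traffic.
SNAP_AFTER='Chain INPUT (policy ACCEPT 72740 packets, 4541K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6670 1883K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
 1232 66155 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# chain_policy SNAPSHOT CHAIN: the chain's default policy (ACCEPT/DROP).
chain_policy() {
  printf '%s\n' "$1" | awk -v chain="$2" '$1 == "Chain" && $2 == chain { print $4; exit }'
}

# chain_policy_pkts SNAPSHOT CHAIN: packets that fell through to the policy.
chain_policy_pkts() {
  printf '%s\n' "$1" | awk -v chain="$2" '$1 == "Chain" && $2 == chain { print $5; exit }'
}

# chain_rule_pkts SNAPSHOT CHAIN TARGET: packet counter of the first rule in
# CHAIN whose target is TARGET; prints 0 when no such rule exists.
chain_rule_pkts() {
  printf '%s\n' "$1" | awk -v chain="$2" -v target="$3" '
    $1 == "Chain"                          { cur = $2; next }
    cur == chain && $3 == target && !found { print $1; found = 1 }
    END                                    { if (!found) print 0 }'
}

# nonlo_output_delta BEFORE AFTER: packets the OUTPUT chain handled on a
# non-loopback path between the snapshots, i.e. hits on the REJECT rule plus
# packets that fell through to the DROP policy (case (B) has no REJECT rule,
# so there the policy counter is the one that moves).
nonlo_output_delta() {
  rej_b=$(chain_rule_pkts "$1" OUTPUT REJECT)
  rej_a=$(chain_rule_pkts "$2" OUTPUT REJECT)
  pol_b=$(chain_policy_pkts "$1" OUTPUT)
  pol_a=$(chain_policy_pkts "$2" OUTPUT)
  echo $(( (rej_a - rej_b) + (pol_a - pol_b) ))
}

# verdict SENT DELTA: classify a run that sent SENT packets against the
# counter movement DELTA observed in the OUTPUT chain.
verdict() {
  if [ "$2" -ge "$1" ]; then
    echo blocked-by-netfilter       # every packet was evaluated and refused
  elif [ "$2" -eq 0 ]; then
    echo not-seen-by-output-hook    # nothing traversed the OUTPUT chain
  else
    echo partially-seen
  fi
}

delta=$(nonlo_output_delta "$SNAP_BEFORE" "$SNAP_AFTER")
echo "OUTPUT policy: $(chain_policy "$SNAP_BEFORE" OUTPUT)"
echo "non-loopback OUTPUT hits during the run: $delta -> $(verdict 3 "$delta")"
```

On a live host the two snapshots come from `SNAP_BEFORE=$(iptables -nvL)` and `SNAP_AFTER=$(iptables -nvL)` taken immediately before and after the tool runs (run `iptables -Z` first, as the reporter's scripts do, so the counters start from zero). A `not-seen-by-output-hook` verdict combined with packets observed on the remote host narrows the question to how the packets left the machine without being evaluated by the OUTPUT chain, which is the question the report leaves open.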

