iptables option not recognized because of move to nftables

[SHolzhauer]

Hi,

When running the portscan module there is an error on start.
After some trying around and digging into portscan.py I found out the
iptables statements there are not supported with the current 1.8.7 version
installed on ubuntu by default.

root@ea65fcd22310:/# /sbin/iptables -t mangle -D PREROUTING -p tcp -i lo -j LOG --log-level=warning --log-prefix="canaryfw: " -m limit --limit="5/hour"
iptables v1.8.7 (nf_tables): unknown option "--log-level=warning"
Try `iptables -h' or 'iptables --help' for more information.
root@ea65fcd22310:/# /sbin/iptables -t mangle -D PREROUTING -p tcp -i lo -j LOG --log-prefix="canaryfw: " -m limit --limit="5/hour"
iptables v1.8.7 (nf_tables): unknown option "--log-prefix=canaryfw: "
Try `iptables -h' or 'iptables --help' for more information.
root@ea65fcd22310:/# /sbin/iptables -t mangle -D PREROUTING -p tcp -i lo -j LOG -m limit --limit="5/hour"
iptables v1.8.7 (nf_tables): Couldn't load match `limit':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
root@ea65fcd22310:/# 

Is this know/what version of Iptables is expected?

[jayjb]

Hi @SHolzhauer,

Thanks so much for reporting this. Would you mind telling which version of Ubuntu you are using? Ill have to look into getting those iptables to work.

[SHolzhauer]

@jayjb this happens on both ubuntu20.04 as well as within the docker image based on the dockerfile

[vin01]

You might need to launch your docker containers with NET_ADMIN capability to allow managing traffic via iptables. By default containers are pretty limited ( for a good reason ;-) ) with capabilities.

docker run --cap-add NET_ADMIN <your_image_name>

• https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
• https://man7.org/linux/man-pages/man7/capabilities.7.html

[SHolzhauer]

So i added the capability mentioned to the container and it is now returning these errors:
iptables: Bad rule (does a matching rule exist in that chain?).

Will try to figure out how to fix that

[SHolzhauer]

It might have to do with me trying to use AWS ECS, but then again its still an linux host with a docker container

[jayjb]

Hi @SHolzhauer,

We don't recommend running portscan.py module if you are using the Docker version because iptables in docker may have unexpected consequences. Afaik, docker uses iptables to do some of its networking which is why we don't recommend it.

[jayjb]

Hi @SHolzhauer,

So this issue has brought about two separate considerations that I wanted to mention and say thanks for bringing to light:

• Portscan in a container/docker should be disabled (we have a PR for this already)
• iptables v1.8.7 (nf_tables) is actually a symlink to nftables which is the new NetFilter program replacing iptables.

The iptables change is interesting because we would need to cater for the new nftables formatting instead of regular iptables however there is another path, /usr/sbin/iptables-legacy which is the old school iptables. So I've kicked off a discussion of using the legacy iptables vs using nftables

[jayjb]

Just to update this issue (we've moved to discussion because its an enhancement we need to come to).

We are going to do a short term fix which will be to detect iptables and either use the normal iptables (if available); or use iptables-legacy (if nftables is running). The setup documentation will mention that to use portscan actual iptables is required for now.

I wanted to move this to a Feature Request discussion because we would like to implement the iptables into nftables rules when we have the chance.