thinkst / opencanary

Modular and decentralised honeypot
http://opencanary.org
BSD 3-Clause "New" or "Revised" License

iptables option not recognized because of move to nftables #216

Closed SHolzhauer closed 1 year ago

SHolzhauer commented 1 year ago

Hi,

When running the portscan module there is an error on start. After some trying around and digging into portscan.py I found out the iptables statements there are not supported with the current 1.8.7 version installed on ubuntu by default.

root@ea65fcd22310:/# /sbin/iptables -t mangle -D PREROUTING -p tcp -i lo -j LOG --log-level=warning --log-prefix="canaryfw: " -m limit --limit="5/hour"
iptables v1.8.7 (nf_tables): unknown option "--log-level=warning"
Try `iptables -h' or 'iptables --help' for more information.
root@ea65fcd22310:/# /sbin/iptables -t mangle -D PREROUTING -p tcp -i lo -j LOG --log-prefix="canaryfw: " -m limit --limit="5/hour"
iptables v1.8.7 (nf_tables): unknown option "--log-prefix=canaryfw: "
Try `iptables -h' or 'iptables --help' for more information.
root@ea65fcd22310:/# /sbin/iptables -t mangle -D PREROUTING -p tcp -i lo -j LOG -m limit --limit="5/hour"
iptables v1.8.7 (nf_tables): Couldn't load match `limit':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
root@ea65fcd22310:/# 

Is this known / what version of iptables is expected?

jayjb commented 1 year ago

Hi @SHolzhauer,

Thanks so much for reporting this. Would you mind telling which version of Ubuntu you are using? I'll have to look into getting those iptables to work.

SHolzhauer commented 1 year ago

@jayjb this happens on both Ubuntu 20.04 as well as within the Docker image based on the Dockerfile

vin01 commented 1 year ago

You might need to launch your docker containers with NET_ADMIN capability to allow managing traffic via iptables. By default containers are pretty limited ( for a good reason ;-) ) with capabilities.

docker run --cap-add NET_ADMIN <your_image_name>

SHolzhauer commented 1 year ago

So I added the capability mentioned to the container and it is now returning these errors: iptables: Bad rule (does a matching rule exist in that chain?).

Will try to figure out how to fix that

SHolzhauer commented 1 year ago

It might have to do with me trying to use AWS ECS, but then again it's still a Linux host with a Docker container

jayjb commented 1 year ago

Hi @SHolzhauer,

We don't recommend running portscan.py module if you are using the Docker version because iptables in docker may have unexpected consequences. Afaik, docker uses iptables to do some of its networking which is why we don't recommend it.

jayjb commented 1 year ago

Hi @SHolzhauer,

So this issue has brought about two separate considerations that I wanted to mention and say thanks for bringing to light:

The iptables change is interesting because we would need to cater for the new nftables formatting instead of regular iptables; however, there is another path, /usr/sbin/iptables-legacy, which is the old-school iptables. So I've kicked off a discussion of using the legacy iptables vs using nftables
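An added shell example (not OpenCanary's own code) of how the "canaryfw" rule from this thread can be managed defensively: it reports which iptables backend is in use from `iptables -V`, prefers /usr/sbin/iptables-legacy when present, and checks for the rule with `-C` before `-D` so a missing rule never produces "Bad rule (does a matching rule exist in that chain?)". The `IPTABLES_BIN` override, the function names, and the `ensure`/`remove` subcommands are this example's own assumptions; the rule body is the one shown in the issue, with options passed as separate words rather than the `--opt=value` form the nf_tables build rejected above.

```shell
#!/bin/sh
# Example helper for the OpenCanary portscan "canaryfw" LOG rule (added here,
# not project code). Needs root or CAP_NET_ADMIN to actually touch rules.

# Choose the binary: an explicit IPTABLES_BIN (assumed, for testing), else
# the legacy front end mentioned in the issue, else whatever is on PATH.
pick_iptables() {
    if [ -n "${IPTABLES_BIN:-}" ]; then
        printf '%s\n' "$IPTABLES_BIN"
    elif [ -x /usr/sbin/iptables-legacy ]; then
        printf '%s\n' /usr/sbin/iptables-legacy
    else
        printf '%s\n' iptables
    fi
}

# Report the backend: "iptables v1.8.7 (nf_tables)" -> nf_tables,
# "... (legacy)" -> legacy. Useful when triaging the errors seen above.
iptables_backend() {
    "$(pick_iptables)" -V 2>/dev/null | sed -n 's/.*(\(.*\)).*/\1/p'
}

# Run the chosen iptables with the canaryfw rule; $1 is the verb (-A/-C/-D),
# so add, check and delete always use the identical rule specification.
canaryfw_iptables() {
    verb=$1
    "$(pick_iptables)" -t mangle "$verb" PREROUTING -p tcp -i lo -j LOG \
        --log-level warning --log-prefix "canaryfw: " -m limit --limit 5/hour
}

# Add the rule only if it is not already present (avoids duplicates).
ensure_canaryfw_rule() {
    canaryfw_iptables -C 2>/dev/null || canaryfw_iptables -A
}

# Delete only when the rule exists; a missing rule is not an error.
remove_canaryfw_rule() {
    if canaryfw_iptables -C 2>/dev/null; then
        canaryfw_iptables -D
    else
        echo "canaryfw rule not present, nothing to delete" >&2
        return 0
    fi
}

case "${1:-}" in
    ensure) ensure_canaryfw_rule ;;
    remove) remove_canaryfw_rule ;;
    backend) iptables_backend ;;
esac
```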