I am running CentOS 5.3 inside an OpenVZ container and get an "Operation not permitted" error from Nmap.
[root@test nmap-5.21]# ./nmap scanme.nmap.org
Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-12 17:03 MSK
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
sendto in send_ip_packet: sendto(4, packet, 28, 0, 64.13.134.52, 16) => Operation not permitted
Offending packet: ICMP 127.0.0.1 > 64.13.134.52 echo request (type=8/code=0) ttl=46 id=49000 iplen=28
sendto in send_ip_packet: sendto(4, packet, 40, 0, 64.13.134.52, 16) => Operation not permitted
Offending packet: ICMP 127.0.0.1 > 64.13.134.52 Timestamp request (type=13/code=0) ttl=49 id=23010 iplen=40
sendto in send_ip_packet: sendto(4, packet, 40, 0, 64.13.134.52, 16) => Operation not permitted
Offending packet: ICMP 127.0.0.1 > 64.13.134.52 Timestamp request (type=13/code=0) ttl=56 id=36657 iplen=40
sendto in send_ip_packet: sendto(4, packet, 28, 0, 64.13.134.52, 16) => Operation not permitted
Offending packet: ICMP 127.0.0.1 > 64.13.134.52 echo request (type=8/code=0) ttl=51 id=43181 iplen=28
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 3.15 seconds
I have not set up any iptables rules.
How can I get this to work?
Answer 1
Perhaps your container has a venet interface, which has security restrictions. You need to use a veth interface to send broadcasts and other non-standard packets. See the difference between venet and veth.
Answer 2
I know this question is old, but I ran into the same problem on Debian 8 and CentOS 7 and could not find an answer (this page was the search result). TCP and segmentation offload seem to be the problem; you can disable them by installing "ethtool" and running the following command:
ethtool -K eth0 rx off tx off gso off tso off
It may be worth reviewing which options this command changes:
ethtool --show-offload eth0
Any feature you see listed here can be enabled or disabled by specifying its acronym (e.g. "generic-segmentation-offload" = "gso"). These features are enabled for a reason, so you should read up on what they do.
Edit: because the kernel has built-in protection against invalid and malformed packets, you also need to allow outbound invalid packets, since Nmap uses interesting techniques for scanning:
iptables -I OUTPUT -m state --state INVALID -j ACCEPT
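As an added worked example (my own script, not code from the answer's author), here is the procedure from Answer 2 as a POSIX shell script: it parses `ethtool --show-offload` output, maps each long feature name to the short key that `ethtool -K` accepts (the acronym point made above), builds the `-K` command for every offload that is currently on, and adds the OUTPUT rule without duplicating it on re-runs. It goes beyond the four keys in the answer to the other offload keys ethtool(8) documents (sg, ufo, gro, lro). The interface name eth0, the sample ethtool output embedded in the script, and the availability of `iptables -C` (1.4.11 or later) are assumptions; the functions that change the live system need root and only run when the script is called with `--apply`.

```shell
#!/bin/sh
# Added example, not code from the answers above: turn the long feature names
# that `ethtool --show-offload` prints into the short keys `ethtool -K` takes,
# and build the -K arguments that switch off every offload currently "on".
# The short names are the ones documented in ethtool(8); the interface name
# eth0 and the sample output below are assumptions for illustration.

# Map one long feature name to its `ethtool -K` short name.
# Prints nothing for sub-features or features this script does not manage.
offload_short_name() {
    case "$1" in
        rx-checksumming)              echo rx  ;;
        tx-checksumming)              echo tx  ;;
        scatter-gather)               echo sg  ;;
        tcp-segmentation-offload)     echo tso ;;
        udp-fragmentation-offload)    echo ufo ;;
        generic-segmentation-offload) echo gso ;;
        generic-receive-offload)      echo gro ;;
        large-receive-offload)        echo lro ;;
    esac
}

# Read `ethtool --show-offload` output on stdin and print the "<short> off"
# arguments for every managed feature reported "on". Features marked
# "[fixed]" are skipped: the driver will refuse to change them anyway.
offloads_to_disable() {
    args=""
    while IFS= read -r line; do
        case "$line" in
            *'[fixed]'*) continue ;;
        esac
        name=$(printf '%s' "${line%%:*}" | tr -d '[:space:]')
        state=$(printf '%s' "${line#*:}" | tr -d '[:space:]')
        [ "$state" = "on" ] || continue
        short=$(offload_short_name "$name")
        if [ -n "$short" ]; then
            args="$args $short off"
        fi
    done
    printf '%s\n' "${args# }"
}

# Constructed sample of `ethtool --show-offload eth0` output (not captured
# from a real host), in the layout ethtool uses: sub-features are indented.
SAMPLE_SHOW_OFFLOAD='Features for eth0:
rx-checksumming: on
tx-checksumming: on
        tx-checksum-ipv4: off [fixed]
scatter-gather: on
        tx-scatter-gather: on
tcp-segmentation-offload: on
        tx-tcp-segmentation: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Run the parser over the constructed sample; returns the -K argument list.
sample_disable_args() {
    printf '%s\n' "$SAMPLE_SHOW_OFFLOAD" | offloads_to_disable
}

# Print the full command for an interface, built from the sample output.
sample_ethtool_command() {
    printf 'ethtool -K %s %s\n' "${1:-eth0}" "$(sample_disable_args)"
}

# Apply to a live interface (needs root and ethtool installed).
disable_offloads_live() {
    iface=${1:-eth0}
    k_args=$(ethtool --show-offload "$iface" | offloads_to_disable)
    if [ -n "$k_args" ]; then
        # shellcheck disable=SC2086  # splitting $k_args into words is intended
        ethtool -K "$iface" $k_args
    fi
}

# Add the OUTPUT rule from the answer only if it is not already there, so the
# script can be re-run without stacking duplicate rules (assumes an iptables
# that supports -C, i.e. 1.4.11 or later).
allow_invalid_outbound() {
    iptables -C OUTPUT -m state --state INVALID -j ACCEPT 2>/dev/null ||
        iptables -I OUTPUT -m state --state INVALID -j ACCEPT
}

# Usage: sh nmap-offload.sh              -> print the command built from the sample
#        sh nmap-offload.sh --apply eth0 -> change the live interface and firewall
case "${1:-}" in
    --apply) disable_offloads_live "${2:-eth0}"; allow_invalid_outbound ;;
    *)       sample_ethtool_command eth0 ;;
esac
```

Run without arguments it only prints the command it would issue for the sample, which is a safe way to check the mapping before touching a real interface; with `--apply` it changes the interface and inserts the firewall rule. Note that `offloads_to_disable` turns off every managed offload that is on, including ones the answer did not list, so trim the `case` table if you only want the four from the answer.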