Nmap "operation not permitted" error

I'm running CentOS 5.3 in an openVZ container, and I'm receiving "operation not permitted" errors from Nmap.

[root@test nmap-5.21]# ./nmap scanme.nmap.org

Starting Nmap 5.21 ( http://nmap.org )
at 2010-12-12 17:03 MSK

Warning: File ./nmap-services exists,
but Nmap is using
/usr/local/share/nmap/nmap-services
for security and consistency reasons. 
set NMAPDIR=. to give priority to
files in your local directory (may
affect the other data files too).

sendto in send_ip_packet: sendto(4,
packet, 28, 0, 64.13.134.52, 16) =>
Operation not permitted

Offending packet: ICMP 127.0.0.1 >
64.13.134.52 echo request (type=8/code=0) ttl=46 id=49000
iplen=28 sendto in send_ip_packet:
sendto(4, packet, 40, 0, 64.13.134.52,
16) => Operation not permitted


Offending packet: ICMP 127.0.0.1 >
64.13.134.52 Timestamp request (type=13/code=0) ttl=49 id=23010
iplen=40

sendto in send_ip_packet: sendto(4,
packet, 40, 0, 64.13.134.52, 16) =>
Operation not permitted

Offending packet: ICMP 127.0.0.1 >
64.13.134.52 Timestamp request (type=13/code=0) ttl=56 id=36657
iplen=40

sendto in send_ip_packet: sendto(4,
packet, 28, 0, 64.13.134.52, 16) =>
Operation not permitted

Offending packet: ICMP 127.0.0.1 >
64.13.134.52 echo request (type=8/code=0) ttl=51 id=43181
iplen=28

Note: Host seems down. If it is really
up, but blocking our ping probes, try
-PN Nmap done: 1 IP address (0 hosts up) scanned in 3.15 seconds

I have no iptables rules set.

How can I get this working?

a--

Posted 2010-12-12T14:09:58.687

Reputation: 63

Answers

Maybe your container has a venet interface, which has security restrictions. You need to use veth interfaces to send broadcasts and other nonstandard packets. See Differences between venet and veth.

Sergey Vlasov

Posted 2010-12-12T14:09:58.687

Reputation: 2 678

Yeah, I am using a venet interface. Unfortunately, I can't control this. Do you know of any "simpler" port scanners that will still be able to function correctly? – a-- – 2010-12-14T13:37:50.173

I know this question is old, but I've been running into this problem on Debian 8 and CentOS 7 and couldn't find an answer (this is a top search result). TCP and segmentation offloading looks to have been the problem, and you can disable it by installing "ethtool" and running:

ethtool -K  eth0  rx off  tx off gso off tso off

Might be worth reviewing what options have changed with this command:

ethtool --show-offload  eth0

Any features you see there can be enabled/disabled by specifying them as an acronym (e.g. "generic-segmentation-offload" = "gso"). These are turned on for a reason, so you'll want to read up on what they do.

And here's a CentOS specific reboot-persistent answer.

Edit: Since invalid and malformed packet protection is built into the kernel, one also needs to allow outbound invalid packets since Nmap uses fun techniques to scan:

iptables -I OUTPUT -m state --state INVALID -j ACCEPT

swashy

Posted 2010-12-12T14:09:58.687

Reputation: 11