iptables-save in iptables before 1.2.4 records the "--reject-with icmp-host-prohibited" rule as "--reject-with tcp-reset", which causes iptables to generate different responses than specified by the administrator, possibly leading to an information leak.
IPTables iptables-save Improper Option Interpretation Information Disclosure
Local Access Required
Loss of Confidentiality
iptables contains a flaw that may lead to an unauthorized information disclosure. The flaw is due to the iptables-save utility saving rules that include "--reject-with icmp-host-prohibited" as "--reject-with tcp-reset", which may disclose sensitive information, resulting in a loss of confidentiality.
Upgrade to version 1.2.4-0.71.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
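One way for an administrator to detect this mis-save is to compare the intended ruleset against what iptables-save actually wrote and flag any REJECT rule whose --reject-with value changed. The following POSIX shell check is an added example, not part of this advisory or of the iptables project; both rulesets are constructed samples embedded inline, and the function names are this example's own.

```sh
#!/bin/sh
# Constructed sample: the ruleset the administrator intended to load.
INTENDED_RULES='*filter
-A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
-A INPUT -s 10.0.0.0/8 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Constructed sample: what a vulnerable iptables-save would record. The
# icmp-host-prohibited rule has silently become a tcp-reset rule.
SAVED_RULES='*filter
-A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
-A INPUT -s 10.0.0.0/8 -j REJECT --reject-with tcp-reset
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Emit "<rule without its --reject-with option>\t<reject-with value>" for
# every REJECT rule in an iptables-save style ruleset given as $1.
reject_map() {
    printf '%s\n' "$1" | awk '
        /^-A / && /-j REJECT/ && match($0, /--reject-with [^ ]+/) {
            key = substr($0, 1, RSTART - 2)        # rule text before the option
            val = substr($0, RSTART + 14, RLENGTH - 14)  # value after "--reject-with "
            print key "\t" val
        }'
}

# Print one line per rule whose saved --reject-with value differs from the
# intended one. $1 = intended ruleset, $2 = saved ruleset. No output means
# the two agree on every REJECT rule.
find_reject_mismatches() {
    intended=$1
    saved=$2
    reject_map "$intended" | while IFS="$(printf '\t')" read -r key want; do
        got=$(reject_map "$saved" | awk -F '\t' -v k="$key" '$1 == k { print $2; exit }')
        if [ -n "$got" ] && [ "$got" != "$want" ]; then
            printf '%s: intended %s, saved %s\n' "$key" "$want" "$got"
        fi
    done
}

# Stand-alone run: report the mismatched INPUT rule from the samples above.
find_reject_mismatches "$INTENDED_RULES" "$SAVED_RULES"
```

On a live host, replace SAVED_RULES with the output of `iptables-save` and INTENDED_RULES with the administrator's source ruleset; any line printed is a rule whose reject behaviour no longer matches what was configured.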