Re: Iptables can't close port 25 and 110
On Tue, 27 Jan 2004 07:48 am, Ronald Laarman wrote:
> I'm not running NAT or TOS, the nat and mangle modules aren't loaded, so
> I guess the tables don't exist either. It's a single homed server.
>
> Iptables is configured as follows:
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> REJECT tcp -- anywhere anywhere tcp dpt:smtp
> reject-with icmp-port-unreachable
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
>
>
> When running NMAP to scan port 25, tcpdump generates the following
> output:
>
> 21:09:51.034830 10.0.0.13.4873 > 10.0.0.4.smtp: S 29225080:29225080(0)
> win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 21:09:51.034891 10.0.0.4 > 10.0.0.13: icmp: 10.0.0.4 tcp port smtp
> unreachable [tos 0xc0]
> 21:09:51.035143 10.0.0.4.34627 > SpeedTouch.lan.domain: 44052+ PTR?
> 13.0.0.10.in-addr.arpa. (40) (DF)
> 21:09:51.035888 SpeedTouch.lan.domain > 10.0.0.4.34627: 44052 0/0/0
> (40)
>
> The following output is generated when I scan port 199 (I added a reject
> rule of course):
>
> 21:25:02.267951 10.0.0.13.4907 > 10.0.0.4.smux: S 259491857:259491857(0)
> win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 21:25:02.268013 10.0.0.4 > 10.0.0.13: icmp: 10.0.0.4 tcp port smux
> unreachable [tos 0xc0]
Well, I'm not sure exactly why nmap is saying "port open", but iptables is
doing exactly the right thing there - it returns an icmp packet saying "go
away".
Try changing the rules to "DROP" instead of "REJECT" and see what nmap says
then. This will just drop the packet on the floor instead of sending back an
icmp response.
t
--
GPG : http://n12turbo.com/tarragon/public.key
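To make the REJECT-versus-DROP difference concrete, here is an added example (not from the thread) that reads tcpdump lines like the ones quoted above and reports the state an nmap SYN scan assigns from each reply: SYN/ACK means open, RST means closed, and an ICMP port-unreachable or no reply at all means filtered. The REJECT capture is the one quoted in the thread; the DROP, RST and open captures are constructed, and the scanner address 10.0.0.13 is taken from the capture.

```python
import re

# REJECT case: the two tcpdump lines quoted in the thread (joined onto single lines).
CAPTURE_REJECT = (
    "21:09:51.034830 10.0.0.13.4873 > 10.0.0.4.smtp: S 29225080:29225080(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)\n"
    "21:09:51.034891 10.0.0.4 > 10.0.0.13: icmp: 10.0.0.4 tcp port smtp unreachable [tos 0xc0]\n"
)
# DROP case (constructed): the SYN is dropped on the floor and nothing comes back.
CAPTURE_DROP = (
    "21:12:03.100000 10.0.0.13.4880 > 10.0.0.4.smtp: S 31000000:31000000(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)\n"
)
# No firewall rule, no listener (constructed): the kernel answers with a RST.
CAPTURE_RST = (
    "21:14:10.200000 10.0.0.13.4890 > 10.0.0.4.smtp: S 32000000:32000000(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)\n"
    "21:14:10.200050 10.0.0.4.smtp > 10.0.0.13.4890: R 0:0(0) ack 32000001 win 0\n"
)
# Listener present (constructed): the service answers with SYN/ACK.
CAPTURE_OPEN = (
    "21:16:20.300000 10.0.0.13.4895 > 10.0.0.4.smtp: S 33000000:33000000(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)\n"
    "21:16:20.300050 10.0.0.4.smtp > 10.0.0.13.4895: S 7000:7000(0) ack 33000001 win 5840 <mss 1460> (DF)\n"
)

LINE_RE = re.compile(r"^\S+ (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
ICMP_RE = re.compile(r"^icmp: \S+ tcp port (?P<port>\w+) unreachable")


def split_port(endpoint: str):
    """'10.0.0.4.smtp' -> ('10.0.0.4', 'smtp'); only used for TCP endpoints."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def classify(capture: str, scanner: str = "10.0.0.13") -> dict:
    """Map each probed target port to the state an nmap SYN scan would report."""
    states = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, rest = m.group("src", "dst", "rest")
        icmp = ICMP_RE.match(rest)
        if icmp:                                   # REJECT: ICMP port unreachable
            states[icmp.group("port")] = "filtered"
            continue
        flags = rest.split(" ", 1)[0]              # tcpdump flag letters, e.g. "S" or "R"
        src_host, src_port = split_port(src)
        dst_host, dst_port = split_port(dst)
        if src_host == scanner and "S" in flags:   # our probe: silence counts as filtered
            states.setdefault(dst_port, "filtered")
        elif dst_host == scanner:                  # reply from the target
            if "R" in flags:
                states[src_port] = "closed"
            elif "S" in flags and " ack " in rest:
                states[src_port] = "open"
    return states
```

Note that by these rules both REJECT and DROP yield "filtered"; the difference is only that DROP makes the scanner wait for a timeout instead of getting an immediate ICMP answer.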