
Re: Iptables DROP packets but Nmap show the ports opened !!



Hi,

Robin-Vinet Mathieu wrote:

> I've got a question, about how DROPPED packets are shown to TCP scanners
> such as Nmap.

With nmap, it seems to depend on the TCP scan type.
My results with nmap 2.54 from Debian Woody:
(better displayed with a fixed-sized font)

Target / TCP scan type     -T(connect)  -S(syn)   -F(fin)   -X(Xmas)  -N(null)
DROP                       filtered     filtered  open      open      open
REJECT icmp-port-unreach   closed       filtered  filtered  filtered  filtered
REJECT tcp-reset           closed       closed    closed    closed    closed

> I've done an iptables script which does what I want it to do, but even if
> unauthorised packets are dropped and logged, when I nmap my server,
> almost all TCP ports are shown as open.

Even the ports that are closed (not used by any service)? It could be that you used a FIN, Xmas Tree or Null scan.

> Of course, some of those ports are (e.g. TCP 80), but others are not (e.g.
> TCP 445). I think it is clearly unsafe, because hackers know that there
> is a server behind those closed ports.

When you DROP incoming packets, an attacker won't be able to know what's behind because there is no reply.

> In my mind, a good firewall would show the firewalled TCP ports as
> "stealth" or "filtered" or, as a last resort, "closed", but I'd prefer
> "stealth".

In my mind a good firewall would show firewalled ports as closed on any type of scan, so attackers wouldn't get curious and ask themselves "why are these ports filtered/stealth and what's behind them?". The only exception is when no port at all is open, so the machine can appear totally stealth. But mixing open and stealth ports makes no sense.
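To show why the table above comes out the way it does, here is an added example (my own code, not code from either poster): a small Python model of the RFC 793 reply rules of an unfirewalled TCP stack, of the reply each iptables target produces, and of how nmap 2.54 turns that reply into a port state. Running it derives the same rows as the table and also checks the point in the last paragraph: only REJECT with tcp-reset makes a firewalled port indistinguishable, on every scan type, from a port that is genuinely closed. Scan, probe and reply names are constructed labels; the three iptables targets are the real ones.

```python
#!/usr/bin/env python3
"""Why DROP looks "open" to a FIN/Xmas/Null scan and REJECT tcp-reset looks "closed".

Added example for this thread, not code from the original posts. Probe and
reply names below are constructed labels, not real packet dumps.
"""

# TCP flags in the probe each nmap scan type sends.
SCAN_PROBE = {
    "connect": "SYN",          # -sT: full connect() handshake
    "syn": "SYN",              # -sS: half-open SYN
    "fin": "FIN",              # -sF
    "xmas": "FIN/PSH/URG",     # -sX
    "null": "none",            # -sN: no flags at all
}

# Firewall policies from the post and the iptables target implementing each.
POLICY_RULE = {
    "DROP": "-j DROP",
    "REJECT icmp-port-unreach": "-j REJECT --reject-with icmp-port-unreachable",
    "REJECT tcp-reset": "-j REJECT --reject-with tcp-reset",
}


def stack_reply(probe, port_open):
    """Reply of an unfirewalled RFC 793 stack: a SYN gets SYN/ACK (open) or
    RST (closed); any other flag combination gets RST on a closed port and
    silence on an open one, which is what FIN/Xmas/Null scans rely on."""
    if probe == "SYN":
        return "SYN/ACK" if port_open else "RST"
    return None if port_open else "RST"


def firewall_reply(policy):
    """Reply when the iptables rule matches, whatever the probe's flags."""
    if policy == "DROP":
        return None                      # packet silently discarded
    if policy == "REJECT icmp-port-unreach":
        return "ICMP port-unreachable"
    if policy == "REJECT tcp-reset":
        return "RST"                     # forged reset, same as a closed port
    raise ValueError(f"unknown policy {policy!r}")


def nmap_state(scan, reply):
    """Port state nmap 2.54 reports for a given reply to its probe."""
    if scan == "connect":
        # On Linux, connect() returns ECONNREFUSED for both an RST and an
        # ICMP port-unreachable, so a connect scan cannot tell them apart.
        if reply in ("RST", "ICMP port-unreachable"):
            return "closed"
        return "open" if reply == "SYN/ACK" else "filtered"
    if reply == "RST":
        return "closed"
    if reply == "ICMP port-unreachable":
        return "filtered"
    if scan == "syn":
        return "open" if reply == "SYN/ACK" else "filtered"
    # FIN/Xmas/Null: silence is reported as "open" by nmap 2.54
    # (newer releases print "open|filtered" for exactly this ambiguity).
    return "open" if reply is None else "filtered"


def port_state(scan, policy=None, port_open=False):
    """State nmap shows for one scan type against one port.
    policy=None means the probe reaches the TCP stack unfiltered."""
    reply = firewall_reply(policy) if policy else stack_reply(SCAN_PROBE[scan], port_open)
    return nmap_state(scan, reply)


def scan_row(policy=None, port_open=False):
    """One row of the table from the post: scan type -> reported state."""
    return {scan: port_state(scan, policy, port_open) for scan in SCAN_PROBE}


def indistinguishable_from_closed(policy):
    """True when every scan type reports the same state for the firewalled
    port as for a genuinely closed, unfirewalled port."""
    return scan_row(policy) == scan_row(None, port_open=False)


if __name__ == "__main__":
    cols = list(SCAN_PROBE)
    rows = ([("unfiltered open port", scan_row(None, True)),
             ("unfiltered closed port", scan_row(None, False))]
            + [(p, scan_row(p)) for p in POLICY_RULE])
    print(f"{'Target / TCP scan type':<26}" + "".join(f"{c:>10}" for c in cols))
    for label, row in rows:
        print(f"{label:<26}" + "".join(f"{row[c]:>10}" for c in cols))
    print()
    for policy, rule in POLICY_RULE.items():
        verdict = "looks closed" if indistinguishable_from_closed(policy) else "stands out"
        print(f"{policy:<26} {rule:<48} {verdict}")
```

The DROP row equals the "unfiltered open port" row for the FIN, Xmas and Null columns, which is the whole reason those scans report dropped ports as open: an open port and a black hole both stay silent. The tcp-reset row equals the "unfiltered closed port" row in every column.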
