Re: Iptables DROP packets but Nmap show the ports opened !!
Robin-Vinet Mathieu wrote:
I've got a question, about how DROPPED packets are shown to TCP scanners
such as Nmap.
With nmap, it seems to depend on the TCP scan type.
My results with nmap 2.54 from Debian Woody:
(better displayed with a fixed-sized font)

Target / TCP scan type     -T(connect)  -S(syn)   -F(fin)   -X(Xmas)  -N(null)
DROP                       filtered     filtered  open      open      open
REJECT icmp-port-unreach   closed       filtered  filtered  filtered  filtered
REJECT tcp-reset           closed       closed    closed    closed    closed
I've done an iptables script which does what I want it to do, but even if
unauthorised packets are dropped and logged, when I nmap my server,
almost all TCP ports are shown as open.
Even the ports that are closed (not used by any service)? It could be
that you used a FIN, Xmas Tree or Null scan.
Of course, some of those ports are (e.g. TCP 80), but others are not (e.g.
TCP 445). I think it is clearly unsafe, because hackers know that there
is a server behind those closed ports.
When you DROP incoming packets, an attacker won't be able to know what's
behind because there is no reply.
In my mind, a good firewall would show the firewalled TCP ports as
"stealth" or "filtered" or in the last "closed", but I'd prefer
In my mind a good firewall would show firewalled ports as closed on any
type of scan, so attackers wouldn't get curious and ask themselves "why
are these ports filtered/stealth and what's behind them?". The only
exception is when no port at all is open, so the machine can appear
totally stealth. But mixing open and stealth ports makes no sense.
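The table above follows from three simple rules: how a TCP stack answers a probe on an unfiltered port (RFC 793), what each iptables target sends back in place of that answer, and how each scan type turns the reply (or the silence) into a port state. The model below is an added example, not code from this thread or from nmap; the function and policy names are my own, and the state strings ("open", "closed", "filtered") follow the nmap 2.54 output quoted above (later nmap versions print "open|filtered" for the FIN/Xmas/Null case).

```python
"""Derive the DROP / REJECT scan table from the underlying TCP rules.

Added example (not from the thread). Hypothetical names throughout.
"""

# Reply of an unfiltered port to a probe, per RFC 793:
#   SYN to an open port          -> SYN/ACK
#   SYN to a closed port         -> RST
#   FIN/Xmas/Null to closed port -> RST
#   FIN/Xmas/Null to open port   -> nothing (a segment with no ACK
#                                   arriving at a LISTEN socket is
#                                   silently discarded)
def host_reply(port_open: bool, probe: str) -> str:
    if probe == "syn":
        return "syn-ack" if port_open else "rst"
    return "none" if port_open else "rst"


# What the filter does to the probe before the host's stack sees it.
# Policy names match the thread's table; ACCEPT is the unfiltered case.
def firewall_reply(policy: str, port_open: bool, probe: str) -> str:
    if policy == "ACCEPT":
        return host_reply(port_open, probe)
    if policy == "DROP":
        return "none"                      # probe vanishes, no reply at all
    if policy == "REJECT icmp-port-unreach":
        return "icmp-unreach"              # ICMP type 3 code 3 sent back
    if policy == "REJECT tcp-reset":
        return "rst"                       # forged RST, looks like a closed port
    raise ValueError(f"unknown policy {policy!r}")


# How the scanner reads the reply. connect() fails with ECONNREFUSED on
# both a RST and an ICMP port-unreachable, so a connect scan calls both
# "closed"; a raw SYN scan only trusts a RST and treats ICMP as a filter;
# FIN/Xmas/Null scans read silence as "open" because an open port is
# *expected* to stay silent, which is exactly what DROP also produces.
def infer_state(scan: str, reply: str) -> str:
    if scan == "connect":
        return {"syn-ack": "open", "rst": "closed",
                "icmp-unreach": "closed"}.get(reply, "filtered")
    if scan == "syn":
        return {"syn-ack": "open", "rst": "closed"}.get(reply, "filtered")
    # fin, xmas, null
    return {"none": "open", "rst": "closed"}.get(reply, "filtered")


# Scan type -> kind of probe segment it sends.
SCANS = {"connect": "syn", "syn": "syn", "fin": "fin", "xmas": "xmas", "null": "null"}
POLICIES = ["DROP", "REJECT icmp-port-unreach", "REJECT tcp-reset"]


def scan_result(policy: str, scan: str, port_open: bool = False) -> str:
    """State a scanner of the given type reports for one port."""
    return infer_state(scan, firewall_reply(policy, port_open, SCANS[scan]))


def result_table(port_open: bool = False) -> dict:
    """The thread's table, derived rather than typed in."""
    return {p: {s: scan_result(p, s, port_open) for s in SCANS} for p in POLICIES}


if __name__ == "__main__":
    width = max(len(p) for p in POLICIES)
    print("policy".ljust(width), *(s.ljust(9) for s in SCANS))
    for policy, row in result_table().items():
        print(policy.ljust(width), *(row[s].ljust(9) for s in SCANS))
```

Running it reproduces the quoted table for a filtered, closed port. The row to take away is the last one: a reply of `REJECT --reject-with tcp-reset` on TCP gives the same "closed" answer under all five scan types as a genuinely closed, unfiltered port would, which is the behaviour the reply above argues for. The trade-off is that the host now answers every probe, so it cannot also hide the fact that it exists; DROP is only a clean choice when nothing on the host is reachable at all.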