On Thursday, 06.04.2006 at 16:06 +0200, Robin-Vinet Mathieu wrote:

> I've got a question, about how DROPPED packets are shown to TCP
> scanners such as Nmap.
>
> I've done an iptables script which does what I want it to do, but even
> if unauthorised packets are dropped and logged, when I nmap my server,
> almost all TCP ports are shown as open.

Seeing the appropriate part of your ruleset, and the 'netstat -l' config on the server would be helpful: together with actual nmap output from the other host.

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:10000                 *:*                     LISTEN
tcp        0      0 *:30000                 *:*                     LISTEN
tcp        0      0 MyServerName:www        *:*                     LISTEN
tcp        0      0 MyServerName:webcache   *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
udp        0      0 *:10000                 *:*
udp        0      0 MyServerName:ntp        *:*
udp        0      0 localhost:ntp           *:*
udp        0      0 *:ntp                   *:*

Don't know what is the appropriate part of my ruleset, so the total ruleset is :

dev_world=eth0
iptables -N BLOCK
iptables -N HACK
iptables -A INPUT -i $dev_world -s 195.103.160.114 -j HACK
iptables -A INPUT -i $dev_world -s 218.21.78.22 -j HACK
iptables -A INPUT -i $dev_world -s 221.147.36.6 -j HACK
iptables -A INPUT -i $dev_world -s 61.146.77.52 -j HACK
iptables -A INPUT -i $dev_world -s 218.15.134.14 -j HACK
iptables -A INPUT -i $dev_world -s 211.182.117.130 -j HACK
iptables -A INPUT -i $dev_world -s 81.218.22.63 -j HACK
iptables -A INPUT -i $dev_world -s 212.211.105.36 -j HACK
iptables -A INPUT -i $dev_world -s 211.90.223.186 -j HACK
iptables -A INPUT -i $dev_world -s 211.80.59.131 -j HACK
#iptables -A INPUT -i $dev_world -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow incoming connections on TCP port 30000 to reach the nTop tool
iptables -A INPUT -i $dev_world -p tcp --dport 30000 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -i $dev_world -p icmp -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport smtp -j ACCEPT
#iptables -A INPUT -i $dev_world -p tcp --dport 3306 -j ACCEPT
#iptables -A INPUT -i $dev_world -p udp --dport 3306 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport ftp -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport ftp-data -j ACCEPT
#iptables -A INPUT -i $dev_world -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $dev_world -p udp --sport 53 -s 212.180.0.137 -j ACCEPT
iptables -A INPUT -i $dev_world -p udp --sport 53 -s 212.180.1.79 -j ACCEPT
iptables -A INPUT -i $dev_world -p udp --dport 123 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m state --state NEW -p tcp --dport 50000 -j ACCEPT
#iptables -A INPUT -m state --state NEW -i ! $dev_world -j ACCEPT
iptables -A INPUT -i ! lo -j BLOCK
iptables -A BLOCK -j LOG --log-prefix "iptables DROP : "
iptables -A BLOCK -j DROP
#iptables -A INPUT -j HACK
iptables -A HACK -j LOG --log-prefix "iptables HACK : "
iptables -A HACK -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -j ACCEPT
/etc/init.d/ipac-ng start

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-04-06 18:18 CEST
Interesting ports on MyServerIPadress (MyServerIPadress):
PORT   STATE SERVICE
1/tcp  open  tcpmux
2/tcp  open  compressnet
3/tcp  open  compressnet
4/tcp  open  unknown
5/tcp  open  rje
6/tcp  open  unknown
7/tcp  open  echo
8/tcp  open  unknown
9/tcp  open  discard
10/tcp open  unknown
11/tcp open  systat

And so on... going to port number 65301, all are open :-)

Just a thought: Are you sure that a connection from the machine you are nmapping from actually passes over the firewall ruleset to get to the server? (It's not clear if you're running your firewall on the server, or as a separate machine).

Dave.
-- 
Robin-Vinet Mathieu
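Added here as an illustration, not something posted in the thread: a small Python model that walks the INPUT chain above for a scanner's SYN the way iptables does (first match wins, LOG is non-terminating, a user chain that falls through returns to its caller) and reports what a SYN scan can then see. A SYN that ends in DROP gets no reply at all, which nmap reports as filtered, so an "open" result on port 1 means the SYN/ACK came from something the scan reached without traversing these rules, which is the question Dave raises. It uses a constructed excerpt of Mathieu's ruleset with $dev_world written as eth0, and the set of listening ports is assumed from his netstat output.

```python
import re
# Constructed excerpt of the ruleset posted in the thread, in the posted order ($dev_world written as eth0).
RULESET = """
iptables -A INPUT -i eth0 -s 195.103.160.114 -j HACK
iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ! lo -j BLOCK
iptables -A BLOCK -j LOG --log-prefix "iptables DROP : "
iptables -A BLOCK -j DROP
iptables -A HACK -j DROP
iptables -A INPUT -i lo -j ACCEPT
"""
SERVICES = {"ssh": 22, "www": 80, "smtp": 25, "ftp": 21}  # service names the posted rules use
FIELD = {"-i": "iface", "-s": "src", "-p": "proto", "--dport": "dport", "--sport": "sport", "--state": "state"}

def parse(script):
    chains = {}  # {chain: [rule]}; each match option is stored as (negated, value)
    for m in filter(None, (re.match(r"iptables -A (\S+)(.*)", line) for line in script.splitlines())):
        rule = {"match": {}, "target": None}
        for opt, bang, val in re.findall(r'(--?[a-z-]+) +(! +)?("[^"]*"|\S+)', m.group(2)):
            if opt == "-j":
                rule["target"] = val
            elif opt in FIELD:  # -m state and --log-prefix carry no packet test, so they are skipped
                rule["match"][opt] = (bool(bang), val)
        chains.setdefault(m.group(1), []).append(rule)
    return chains

def matches(rule, pkt):
    for opt, (neg, val) in rule["match"].items():
        want = val.split(",") if opt == "--state" else [SERVICES.get(val) or int(val)] if opt.endswith("port") else [val]
        if (pkt[FIELD[opt]] in want) == neg:  # a '!' option must fail for the rule to match
            return False
    return True

def verdict(chains, pkt, chain="INPUT", policy="ACCEPT"):
    for rule in (r for r in chains.get(chain, []) if matches(r, pkt)):  # first terminating match wins
        if rule["target"] in ("ACCEPT", "DROP"):
            return rule["target"]
        if rule["target"] in chains and (sub := verdict(chains, pkt, rule["target"], None)):
            return sub  # user chain decided; a fall-through (None) continues here
    return policy  # LOG is non-terminating; running off the end of INPUT yields the chain policy

def scanner_view(chains, pkt, listening):
    if verdict(chains, pkt) == "DROP":
        return "filtered"  # nothing goes back to the scanner, so nmap cannot call the port open
    return "open" if pkt["dport"] in listening else "closed"  # the stack answers SYN/ACK or RST

def syn(dport, src="10.0.0.5", iface="eth0"):  # constructed new TCP SYN as the INPUT chain sees it
    return {"iface": iface, "src": src, "proto": "tcp", "dport": dport, "sport": 40000, "state": "NEW"}
```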