
Re: Iptables DROPs packets but Nmap shows the ports open !!



Hi,

On Thursday, 06 April 2006 at 15:39 +0100, Dave Ewart wrote:
On Thursday, 06.04.2006 at 16:06 +0200, Robin-Vinet Mathieu wrote:

> I've got a question about how DROPPED packets are shown to TCP
> scanners such as Nmap.
> 
> I've done an iptables script which does what I want it to do, but even
> if unauthorised packets are dropped and logged, when I nmap my server,
> almost all TCP ports are shown as open.

Seeing the appropriate part of your ruleset, and the 'netstat -l' config
on the server would be helpful: together with actual nmap output from
the other host.

Result of the netstat -l :
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:10000                 *:*                     LISTEN
tcp        0      0 *:30000                 *:*                     LISTEN
tcp        0      0 MyServerName:www     *:*                     LISTEN
tcp        0      0 MyServerName:webcache *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
udp        0      0 *:10000                 *:*
udp        0      0 MyServerName:ntp     *:*
udp        0      0 localhost:ntp           *:*
udp        0      0 *:ntp                   *:*

I don't know which part of my ruleset is the appropriate one, so here is the whole ruleset:

dev_world=eth0

iptables -N BLOCK
iptables -N HACK

iptables -A INPUT -i $dev_world -s 195.103.160.114 -j HACK
iptables -A INPUT -i $dev_world -s 218.21.78.22 -j HACK
iptables -A INPUT -i $dev_world -s 221.147.36.6 -j HACK
iptables -A INPUT -i $dev_world -s 61.146.77.52 -j HACK
iptables -A INPUT -i $dev_world -s 218.15.134.14 -j HACK
iptables -A INPUT -i $dev_world -s 211.182.117.130 -j HACK
iptables -A INPUT -i $dev_world -s 81.218.22.63 -j HACK
iptables -A INPUT -i $dev_world -s 212.211.105.36 -j HACK
iptables -A INPUT -i $dev_world -s 211.90.223.186 -j HACK
iptables -A INPUT -i $dev_world -s 211.80.59.131 -j HACK

#iptables -A INPUT -i $dev_world -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow inbound connections on TCP port 30000 to reach the nTop tool
iptables -A INPUT -i $dev_world -p tcp --dport 30000 -j ACCEPT

iptables -A INPUT -i $dev_world -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -i $dev_world -p icmp -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport smtp -j ACCEPT
#iptables -A INPUT -i $dev_world -p tcp --dport 3306 -j ACCEPT
#iptables -A INPUT -i $dev_world -p udp --dport 3306 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport ftp -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport ftp-data -j ACCEPT
#iptables -A INPUT -i $dev_world -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $dev_world -p udp --sport 53 -s 212.180.0.137 -j ACCEPT
iptables -A INPUT -i $dev_world -p udp --sport 53 -s 212.180.1.79 -j ACCEPT

iptables -A INPUT -i $dev_world -p udp --dport 123 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m state --state NEW -p tcp --dport 50000 -j ACCEPT
#iptables -A INPUT -m state --state NEW -i ! $dev_world -j ACCEPT

iptables -A INPUT -i ! lo -j BLOCK
iptables -A BLOCK -j LOG --log-prefix "iptables DROP : "
iptables -A BLOCK -j DROP

#iptables -A INPUT -j HACK
iptables -A HACK -j LOG --log-prefix "iptables HACK : "
iptables -A HACK -j DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -j ACCEPT

/etc/init.d/ipac-ng start

Result of the : nmap -sT MyServerIPadress
Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-04-06 18:18 CEST
Interesting ports on MyServerIPadress (MyServerIPadress):
PORT      STATE    SERVICE
1/tcp     open     tcpmux
2/tcp     open     compressnet
3/tcp     open     compressnet
4/tcp     open     unknown
5/tcp     open     rje
6/tcp     open     unknown
7/tcp     open     echo
8/tcp     open     unknown
9/tcp     open     discard
10/tcp    open     unknown
11/tcp    open     systat
And so on... going up to port number 65301, all are open :-)

Just a thought: Are you sure that a connection from the machine you are
nmapping from actually passes over the firewall ruleset to get to the
server?  (It's not clear if you're running your firewall on the server,
or as a separate machine).

Dave.

OK. In fact, I'm launching Nmap over the internet from my office at work to our hired server, protected by iptables, somewhere in France.

Thanks.

--
Robin-Vinet Mathieu
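A connect scan (nmap -sT) reports a port as "open" only when the scanner's own TCP stack completed a three-way handshake, as "closed" when it received an RST, and as "filtered" when it got no reply at all, which is what a DROP rule produces. A result where every one of 65,000 ports is "open" while the host listens on seven of them therefore cannot be explained by the ruleset: something answered the SYNs that the server's stack never saw. The following script, added here as an illustration and not part of the thread above, cross-checks the quoted netstat -l listener list against nmap's port table and says which of the two situations you are in. The sample inputs are constructed from the outputs quoted in the message (the nmap lines for ports 22 and 80, and the second "filtered" sample, are constructed to show the contrast); the function names and the 50% threshold in diagnose() are my own choices.

```python
"""Cross-check nmap -sT results against the target's actual listeners.

Added example, not code from the original thread. Sample inputs below are
constructed from the netstat -l and nmap output quoted in the message.
"""
import re
from typing import Dict, List, Set

# How a connect scan classifies a port, by what the scanner's own TCP stack
# received in reply to its SYN. A DROP rule yields "filtered", never "open".
CONNECT_SCAN_STATES = {
    "SYN/ACK, handshake completes": "open",
    "RST": "closed",
    "no reply at all (DROP)": "filtered",
}

# /etc/services names that appear in the quoted netstat output.
SERVICE_PORTS = {"www": 80, "webcache": 8080, "ftp": 21, "ssh": 22,
                 "smtp": 25, "ntp": 123}

# Constructed sample: the TCP listeners from the quoted netstat -l (UDP lines
# carry no State column and are skipped by the parser).
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:10000                 *:*                     LISTEN
tcp        0      0 *:30000                 *:*                     LISTEN
tcp        0      0 MyServerName:www        *:*                     LISTEN
tcp        0      0 MyServerName:webcache   *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
udp        0      0 *:10000                 *:*
"""

# Constructed sample: the quoted nmap table (ports 1-11), plus ports 22 and 80
# which the message says were open like everything else.
NMAP_SAMPLE = """\
PORT      STATE    SERVICE
1/tcp     open     tcpmux
2/tcp     open     compressnet
3/tcp     open     compressnet
4/tcp     open     unknown
5/tcp     open     rje
6/tcp     open     unknown
7/tcp     open     echo
8/tcp     open     unknown
9/tcp     open     discard
10/tcp    open     unknown
11/tcp    open     systat
22/tcp    open     ssh
80/tcp    open     http
"""

# Constructed sample: what the same ruleset should look like from a host that
# really reaches the server (DROPped ports show as filtered).
NMAP_FILTERED_SAMPLE = """\
PORT      STATE    SERVICE
1/tcp     filtered tcpmux
2/tcp     filtered compressnet
22/tcp    open     ssh
80/tcp    open     http
3306/tcp  filtered mysql
"""


def listening_tcp_ports(netstat_output: str) -> Set[int]:
    """TCP ports in LISTEN state, from 'netstat -l' text."""
    ports: Set[int] = set()
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "tcp" and f[-1] == "LISTEN":
            name = f[3].rsplit(":", 1)[1]          # "*:ssh" -> "ssh"
            ports.add(int(name) if name.isdigit() else SERVICE_PORTS[name])
    return ports


def nmap_tcp_states(nmap_output: str) -> Dict[int, str]:
    """{port: state} for every '<n>/tcp' row of nmap's port table."""
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(r"^(\d+)/tcp\s+(\S+)", nmap_output, re.M)}


def diagnose(netstat_output: str, nmap_output: str) -> dict:
    """Compare reported-open ports with real listeners and give a verdict."""
    listening = listening_tcp_ports(netstat_output)
    states = nmap_tcp_states(nmap_output)
    reported_open = {p for p, s in states.items() if s == "open"}
    phantom: List[int] = sorted(reported_open - listening)  # open, no listener
    confirmed: List[int] = sorted(reported_open & listening)
    if not reported_open:
        verdict = "nothing open: first confirm the scan reaches the host at all"
    elif not phantom:
        verdict = "consistent: every open port has a listener on the host"
    elif len(phantom) / len(reported_open) >= 0.5:   # threshold is a choice
        verdict = ("handshakes completed on ports with no listener: the replies "
                   "did not come from the target's TCP stack, so the scan says "
                   "nothing about the ruleset. Look for a proxy or other device "
                   "on the scanner's path and rescan from a host that reaches "
                   "the server directly")
    else:
        verdict = "a few unexpected open ports: compare against a fresh netstat -l"
    return {"listening": sorted(listening), "confirmed_open": confirmed,
            "phantom_open": phantom, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("office scan", NMAP_SAMPLE),
                          ("direct scan", NMAP_FILTERED_SAMPLE)):
        print(label, diagnose(NETSTAT_SAMPLE, sample))
```

Run against the quoted data, the "office scan" sample flags eleven phantom open ports out of thirteen and reports that the answers are not coming from the server, which is the check Dave's question is really asking for: the same scan from a host that reaches the server directly gives the second, consistent result.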
