RE: Iptables DROP packets but Nmap show the ports opened !!



 
 Interesting problem. 

 First, I'd suggest trying some different nmap scans, like -sS and -P0, and
you could add the -A option for fun (if the ports *are* open, what are the
versions?:). If it still reports all those ports being open, do a sanity
check, e.g. try to reach services you don't have open such as telnet, etc. 

  All iptables should do is show closed ports as "filtered" in an nmap scan.
If your iptables is protecting only this box, I'd suggest you remove the
rules and scan the machine again. Since I'm not familiar with all your
iptables rules, it is possible that your ruleset is giving nmap some
honeypot-like results. 

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Security Architect
Pima Community College
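A way to put the two suggestions above (sanity-check against services you know are not open, and compare with the host's own view) into one check, as an added example that is not code from this thread. It parses the host's `netstat -l` listing and its iptables INPUT ACCEPT rules to derive which TCP ports should legitimately show as open, then diffs that against what `nmap -sT` reported. Because `-sT` only reports "open" after a completed TCP handshake, an "open" port that nothing on the host listens on cannot have been answered by the host itself: something between the scanner and the server (a proxy, NAT device or honeypot-style responder) completed the handshake. The sample inputs, the small service-name table and the parsing heuristics are constructed for this example from the figures quoted in the thread, not taken from the real machine.

```python
"""Compare what a host should expose with what an nmap -sT scan reported.

Added example, not code from the thread.  Inputs: the host's 'netstat -l'
listing, its iptables rules and nmap's normal output.  The samples below
are constructed from the figures quoted in the thread.
"""
import re
import socket

# Small name table so the script works without /etc/services (assumption:
# these are the only service names that occur in the inputs).
SERVICE_PORTS = {"www": 80, "http": 80, "webcache": 8080, "ftp": 21,
                 "ftp-data": 20, "ssh": 22, "smtp": 25, "ntp": 123}

NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:10000                 *:*                     LISTEN
tcp        0      0 *:30000                 *:*                     LISTEN
tcp        0      0 MyServerName:www        *:*                     LISTEN
tcp        0      0 MyServerName:webcache   *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
udp        0      0 *:ntp                   *:*
"""

RULESET_SAMPLE = """\
iptables -A INPUT -i $dev_world -p tcp --dport 30000 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport smtp -j ACCEPT
#iptables -A INPUT -i $dev_world -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport ftp -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport ftp-data -j ACCEPT
iptables -A INPUT -i ! lo -j BLOCK
iptables -A BLOCK -j DROP
"""

NMAP_SAMPLE = """\
PORT      STATE    SERVICE
1/tcp     open     tcpmux
2/tcp     open     compressnet
3/tcp     open     compressnet
22/tcp    open     ssh
80/tcp    open     http
10000/tcp open     snet-sensor-mgmt
"""

ACCEPT_RULE = re.compile(
    r"^\s*iptables\s+-A\s+INPUT\b.*-p\s+tcp\b.*--dport\s+(\S+).*-j\s+ACCEPT\b")
OPEN_LINE = re.compile(r"^\s*(\d+)/tcp\s+open\b")


def port_number(token):
    """'22', 'ssh' or 'ftp-data' -> integer port."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token) or socket.getservbyname(token, "tcp")


def listening_tcp_ports(netstat_output):
    """TCP ports in LISTEN state in a 'netstat -l' listing."""
    ports = set()
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "tcp" and f[-1] == "LISTEN":
            ports.add(port_number(f[3].rsplit(":", 1)[1]))
    return ports


def accepted_tcp_ports(ruleset):
    """--dport of every active (uncommented) INPUT ACCEPT rule for TCP."""
    return {port_number(m.group(1))
            for m in map(ACCEPT_RULE.match, ruleset.splitlines()) if m}


def nmap_open_tcp_ports(nmap_output):
    """Ports nmap printed as 'open' in its normal output."""
    return {int(m.group(1))
            for m in map(OPEN_LINE.match, nmap_output.splitlines()) if m}


def assess(netstat_output, ruleset, nmap_output):
    """Split nmap's 'open' ports into explainable and unexplainable sets."""
    listening = listening_tcp_ports(netstat_output)
    accepted = accepted_tcp_ports(ruleset)
    expected_open = listening & accepted
    reported = nmap_open_tcp_ports(nmap_output)
    # -sT says 'open' only after a completed handshake; a port with no
    # listener cannot complete one, so these were answered by a middlebox.
    phantom = reported - listening
    # Listening but not accepted: the firewall should have dropped the SYN.
    firewall_leak = (reported & listening) - accepted
    return {"expected_open": expected_open, "reported_open": reported,
            "phantom_open": phantom, "firewall_leak": firewall_leak,
            "missing": expected_open - reported,
            "scan_reaches_host": not phantom}


if __name__ == "__main__":
    for key, value in assess(NETSTAT_SAMPLE, RULESET_SAMPLE, NMAP_SAMPLE).items():
        print(f"{key:18} {sorted(value) if isinstance(value, set) else value}")
```

With the constructed samples, ports 1 to 3 come out as "phantom" (nothing listens there and the rules would drop them), port 10000 as a firewall leak (listening but not accepted), and ftp, smtp, 8080 and 30000 as missing, so the verdict is that the scan path is not observing the host's own firewall. When `phantom_open` is non-empty, the useful next step is the one Brian describes: rescan from a vantage point outside any proxy (`-sS`, and `-P0`, spelled `-Pn` in current nmap) and confirm against services known to be closed.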
 
 ________________________________

From: Robin-Vinet Mathieu [mailto:robin@elda.org] 
Sent: Thursday, April 06, 2006 9:39 AM
To: debian-firewall@lists.debian.org
Subject: Re: Iptables DROP packets but Nmap show the ports opened !!


Hi,

On Thursday, 06 April 2006 at 15:39 +0100, Dave Ewart wrote: 

	On Thursday, 06.04.2006 at 16:06 +0200, Robin-Vinet Mathieu wrote:
	
	> I've got a question, about how DROPPED packets are shown to TCP
	> scanners such as Nmap.
	> 
	> I've done an IPtables script which does what I want it to do, but even
	> if unauthorised packets are dropped and logged, when I nmap my server,
	> almost all TCP ports are shown as open.
	
	Seeing the appropriate part of your ruleset, and the 'netstat -l' config
	on the server would be helpful: together with actual nmap output from
	the other host.
	


Result of netstat -l:


	Active Internet connections (only servers)
	Proto Recv-Q Send-Q Local Address           Foreign Address         State
	tcp        0      0 *:10000                 *:*                     LISTEN
	tcp        0      0 *:30000                 *:*                     LISTEN
	tcp        0      0 MyServerName:www        *:*                     LISTEN
	tcp        0      0 MyServerName:webcache   *:*                     LISTEN
	tcp        0      0 *:ftp                   *:*                     LISTEN
	tcp        0      0 *:ssh                   *:*                     LISTEN
	tcp        0      0 *:smtp                  *:*                     LISTEN
	udp        0      0 *:10000                 *:*
	udp        0      0 MyServerName:ntp        *:*
	udp        0      0 localhost:ntp           *:*
	udp        0      0 *:ntp                   *:*
	

I don't know which part of my ruleset is the appropriate one, so here is the
whole ruleset:



	dev_world=eth0
	
	iptables -N BLOCK
	iptables -N HACK
	
	iptables -A INPUT -i $dev_world -s 195.103.160.114 -j HACK
	iptables -A INPUT -i $dev_world -s 218.21.78.22 -j HACK
	iptables -A INPUT -i $dev_world -s 221.147.36.6 -j HACK
	iptables -A INPUT -i $dev_world -s 61.146.77.52 -j HACK
	iptables -A INPUT -i $dev_world -s 218.15.134.14 -j HACK
	iptables -A INPUT -i $dev_world -s 211.182.117.130 -j HACK
	iptables -A INPUT -i $dev_world -s 81.218.22.63 -j HACK
	iptables -A INPUT -i $dev_world -s 212.211.105.36 -j HACK
	iptables -A INPUT -i $dev_world -s 211.90.223.186 -j HACK
	iptables -A INPUT -i $dev_world -s 211.80.59.131 -j HACK
	
	#iptables -A INPUT -i $dev_world -m state --state ESTABLISHED,RELATED -j ACCEPT
	
	# Allow incoming connections on TCP port 30000 to reach the nTop tool
	iptables -A INPUT -i $dev_world -p tcp --dport 30000 -j ACCEPT
	
	iptables -A INPUT -i $dev_world -p tcp --dport ssh -j ACCEPT
	iptables -A INPUT -i $dev_world -p icmp -j ACCEPT
	iptables -A INPUT -i $dev_world -p tcp --dport 80 -j ACCEPT
	iptables -A INPUT -i $dev_world -p tcp --dport 8080 -j ACCEPT
	iptables -A INPUT -i $dev_world -p tcp --dport smtp -j ACCEPT
	#iptables -A INPUT -i $dev_world -p tcp --dport 3306 -j ACCEPT
	#iptables -A INPUT -i $dev_world -p udp --dport 3306 -j ACCEPT
	iptables -A INPUT -i $dev_world -p tcp --dport ftp -j ACCEPT
	iptables -A INPUT -i $dev_world -p tcp --dport ftp-data -j ACCEPT
	#iptables -A INPUT -i $dev_world -p tcp --dport 53 -j ACCEPT
	iptables -A INPUT -i $dev_world -p udp --sport 53 -s 212.180.0.137 -j ACCEPT
	iptables -A INPUT -i $dev_world -p udp --sport 53 -s 212.180.1.79 -j ACCEPT
	
	iptables -A INPUT -i $dev_world -p udp --dport 123 -j ACCEPT 
	
	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	#iptables -A INPUT -m state --state NEW -p tcp --dport 50000 -j ACCEPT
	#iptables -A INPUT -m state --state NEW -i ! $dev_world -j ACCEPT
	
	iptables -A INPUT -i ! lo -j BLOCK
	iptables -A BLOCK -j LOG --log-prefix "iptables DROP : "
	iptables -A BLOCK -j DROP
	
	#iptables -A INPUT -j HACK 
	iptables -A HACK -j LOG --log-prefix "iptables HACK : "
	iptables -A HACK -j DROP
	
	iptables -A INPUT -i lo -j ACCEPT
	iptables -A OUTPUT -j ACCEPT
	
	/etc/init.d/ipac-ng start
	


Result of: nmap -sT MyServerIPadress


	Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-04-06 18:18 CEST
	Interesting ports on MyServerIPadress (MyServerIPadress):
	PORT      STATE    SERVICE
	1/tcp     open     tcpmux
	2/tcp     open     compressnet
	3/tcp     open     compressnet
	4/tcp     open     unknown
	5/tcp     open     rje
	6/tcp     open     unknown
	7/tcp     open     echo
	8/tcp     open     unknown
	9/tcp     open     discard
	10/tcp    open     unknown
	11/tcp    open     systat
	

And so on... up to port number 65301, all are open :-)



	Just a thought: Are you sure that a connection from the machine you are
	nmapping from actually passes over the firewall ruleset to get to the
	server?  (It's not clear if you're running your firewall on the server,
	or as a separate machine).
	
	Dave.
	


Ok. In fact, I'm launching Nmap over the internet from my office at work to our
hired server protected by Iptables somewhere in France. 

Thanks.


-- 
Robin-Vinet Mathieu 	
