Interesting problem. First, I'd suggest trying some different nmap scans, like -sS and -P0, and you could add the -A option for fun (if the ports *are* open, what are the versions? :). If it still reports all those ports being open, do a sanity check, e.g. try to reach services you don't have open, such as telnet, etc. All iptables should do is show closed ports as "filtered" in an nmap scan. If your iptables is protecting only this box, I'd suggest you remove the rules and scan the machine again. Since I'm not familiar with all your iptables rules, it is possible that your ruleset is giving nmap some honeypot-like results.

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Security Architect
Pima Community College

________________________________
From: Robin-Vinet Mathieu [mailto:robin@elda.org]
Sent: Thursday, April 06, 2006 9:39 AM
To: debian-firewall@lists.debian.org
Subject: Re: Iptables DROP packets but Nmap show the ports opened !!

Hi,

On Thursday, 06 April 2006 at 15:39 +0100, Dave Ewart wrote:

> On Thursday, 06.04.2006 at 16:06 +0200, Robin-Vinet Mathieu wrote:
> > I've got a question about how DROPPED packets are shown to TCP
> > scanners such as Nmap.
> >
> > I've done an iptables script which does what I want it to do, but even
> > if unauthorised packets are dropped and logged, when I nmap my server,
> > almost all TCP ports are shown as open.
>
> Seeing the appropriate part of your ruleset, and the 'netstat -l' config
> on the server would be helpful: together with actual nmap output from
> the other host.

Result of netstat -l:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:10000                 *:*                     LISTEN
tcp        0      0 *:30000                 *:*                     LISTEN
tcp        0      0 MyServerName:www        *:*                     LISTEN
tcp        0      0 MyServerName:webcache   *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
udp        0      0 *:10000                 *:*
udp        0      0 MyServerName:ntp        *:*
udp        0      0 localhost:ntp           *:*
udp        0      0 *:ntp                   *:*

I don't know what the appropriate part of my ruleset is, so here is the whole ruleset:

dev_world=eth0

iptables -N BLOCK
iptables -N HACK

iptables -A INPUT -i $dev_world -s 195.103.160.114 -j HACK
iptables -A INPUT -i $dev_world -s 218.21.78.22 -j HACK
iptables -A INPUT -i $dev_world -s 221.147.36.6 -j HACK
iptables -A INPUT -i $dev_world -s 61.146.77.52 -j HACK
iptables -A INPUT -i $dev_world -s 218.15.134.14 -j HACK
iptables -A INPUT -i $dev_world -s 211.182.117.130 -j HACK
iptables -A INPUT -i $dev_world -s 81.218.22.63 -j HACK
iptables -A INPUT -i $dev_world -s 212.211.105.36 -j HACK
iptables -A INPUT -i $dev_world -s 211.90.223.186 -j HACK
iptables -A INPUT -i $dev_world -s 211.80.59.131 -j HACK

#iptables -A INPUT -i $dev_world -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow inbound connections on TCP port 30000 to reach the nTop tool
iptables -A INPUT -i $dev_world -p tcp --dport 30000 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -i $dev_world -p icmp -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport smtp -j ACCEPT
#iptables -A INPUT -i $dev_world -p tcp --dport 3306 -j ACCEPT
#iptables -A INPUT -i $dev_world -p udp --dport 3306 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport ftp -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport ftp-data -j ACCEPT
#iptables -A INPUT -i $dev_world -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $dev_world -p udp --sport 53 -s 212.180.0.137 -j ACCEPT
iptables -A INPUT -i $dev_world -p udp --sport 53 -s 212.180.1.79 -j ACCEPT
iptables -A INPUT -i $dev_world -p udp --dport 123 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m state --state NEW -p tcp --dport 50000 -j ACCEPT
#iptables -A INPUT -m state --state NEW -i ! $dev_world -j ACCEPT

# Everything not accepted above, and not from loopback, is logged and dropped
iptables -A INPUT -i ! lo -j BLOCK
iptables -A BLOCK -j LOG --log-prefix "iptables DROP : "
iptables -A BLOCK -j DROP

#iptables -A INPUT -j HACK
iptables -A HACK -j LOG --log-prefix "iptables HACK : "
iptables -A HACK -j DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -j ACCEPT

/etc/init.d/ipac-ng start

Result of nmap -sT MyServerIPadress:

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-04-06 18:18 CEST
Interesting ports on MyServerIPadress (MyServerIPadress):
PORT   STATE SERVICE
1/tcp  open  tcpmux
2/tcp  open  compressnet
3/tcp  open  compressnet
4/tcp  open  unknown
5/tcp  open  rje
6/tcp  open  unknown
7/tcp  open  echo
8/tcp  open  unknown
9/tcp  open  discard
10/tcp open  unknown
11/tcp open  systat

And so on... going to port number 65301, all are open :-)

> Just a thought: Are you sure that a connection from the machine you are
> nmapping from actually passes over the firewall ruleset to get to the
> server? (It's not clear if you're running your firewall on the server,
> or as a separate machine).
>
> Dave.

Ok. In fact, I'm launching Nmap over the internet from my office at work to our hired server, protected by iptables, somewhere in France.

Thanks.

--
Robin-Vinet Mathieu
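The sanity check Brian suggests can be made mechanical: from the posted netstat listing and the TCP ACCEPT rules, compute what a connect scan should see through a ruleset that DROPs everything else, then flag any "open" result that the ruleset and listeners cannot explain. This is an added example, not code posted by anyone in the thread; the ruleset and netstat excerpts are transcribed from Robin's message, the nmap lines are a constructed excerpt of the posted scan, and the service-name-to-port mapping is assumed from /etc/services.

```python
"""Sanity-check an nmap -sT result against what the target's own
listeners and iptables INPUT rules say the scanner should see.

Added example for this thread, not code posted by anyone in it. The
ruleset and netstat excerpts are transcribed from the posted messages;
the nmap lines are a constructed excerpt of the posted scan. The
service-name-to-port mapping is assumed from /etc/services.
"""
import re
from typing import Dict, Iterable, List, Set

SERVICE_PORTS = {"ftp-data": 20, "ftp": 21, "ssh": 22, "smtp": 25,
                 "www": 80, "webcache": 8080}
ACCEPT_RE = re.compile(r"^iptables -A INPUT .*-p tcp --dport (\S+) -j ACCEPT$")
LISTEN_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+\S+:(\S+)\s+\S+\s+LISTEN$")
NMAP_RE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+\S+")

RULESET = """\
iptables -A INPUT -i $dev_world -p tcp --dport 30000 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -i $dev_world -p icmp -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport smtp -j ACCEPT
#iptables -A INPUT -i $dev_world -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport ftp -j ACCEPT
iptables -A INPUT -i $dev_world -p tcp --dport ftp-data -j ACCEPT
iptables -A INPUT -i $dev_world -p udp --dport 123 -j ACCEPT
iptables -A INPUT -i ! lo -j BLOCK
""".splitlines()

NETSTAT = """\
tcp        0      0 *:10000                 *:*                     LISTEN
tcp        0      0 *:30000                 *:*                     LISTEN
tcp        0      0 MyServerName:www        *:*                     LISTEN
tcp        0      0 MyServerName:webcache   *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
udp        0      0 *:ntp                   *:*
""".splitlines()

# Constructed excerpt: the posted scan reported every port 1-65301 open.
NMAP_OUTPUT = ["PORT STATE SERVICE"] + [f"{p}/tcp open unknown" for p in range(1, 12)]


def _port(token: str) -> int:
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def allowed_tcp_ports(ruleset: Iterable[str]) -> Set[int]:
    """TCP ports the INPUT chain ACCEPTs; commented '#' lines never match."""
    return {_port(m.group(1)) for line in ruleset
            if (m := ACCEPT_RE.match(line.strip()))}


def listening_tcp_ports(netstat: Iterable[str]) -> Set[int]:
    """Ports with a TCP listener, from 'netstat -l' lines."""
    return {_port(m.group(1)) for line in netstat
            if (m := LISTEN_RE.match(line.strip()))}


def scanned_states(nmap_output: Iterable[str]) -> Dict[int, str]:
    """Port -> state exactly as nmap printed it."""
    states = {}
    for line in nmap_output:
        m = NMAP_RE.match(line.strip())
        if m:
            states[int(m.group(1))] = m.group(2)
    return states


def expected_state(port: int, allowed: Set[int], listening: Set[int]) -> str:
    """State a connect scan should report through a ruleset that DROPs
    (not REJECTs) everything it does not ACCEPT."""
    if port not in allowed:
        return "filtered"   # SYN silently dropped, scanner times out
    if port in listening:
        return "open"       # handshake completes with the real daemon
    return "closed"         # kernel answers the SYN with a RST


def check_scan(nmap_output, ruleset, netstat) -> Dict[str, List[int]]:
    """Ports reported open that the ruleset and listeners cannot explain.

    nmap's 'open' means a TCP handshake completed, which a DROP rule can
    never produce, so any such port shows the scan did not exercise the
    ruleset as posted: the path bypasses it, or something on the path is
    completing the handshake in the target's place.
    """
    allowed = allowed_tcp_ports(ruleset)
    listening = listening_tcp_ports(netstat)
    impossible = [p for p, s in sorted(scanned_states(nmap_output).items())
                  if s == "open" and expected_state(p, allowed, listening) != "open"]
    return {"expected_open": sorted(allowed & listening),
            "impossible_open": impossible}


if __name__ == "__main__":
    result = check_scan(NMAP_OUTPUT, RULESET, NETSTAT)
    print("should show open through the firewall:", result["expected_open"])
    print("reported open but cannot be:", result["impossible_open"])
```

On the posted data the check says ports 21, 22, 25, 80, 8080 and 30000 are the only ones that can legitimately show open (10000 listens but is not ACCEPTed, so it should appear filtered; ftp-data is ACCEPTed but nothing listens, so it should appear closed), and every one of the low ports the scan reported open lands in the impossible list. Feeding it the full nmap output and the ruleset from the real host, rather than the excerpts, is the intended use.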