
RE: Iptables DROP packets but Nmap show the ports opened !!

That's the correct behavior of iptables. If you want a different error behavior, use "... -j REJECT --reject-with icmp-host-unreachable" instead.



From man:

       This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so
       it is a terminating TARGET, ending rule traversal.  This target is only valid in the INPUT, FORWARD and OUTPUT
       chains, and user-defined chains which are only called from those chains.  The following option controls the nature
       of the error packet returned:

       --reject-with type
              The type given can be

               icmp-host-prohibited or
               icmp-admin-prohibited (*)

              which return the appropriate ICMP error message (port-unreachable is the default).  The option tcp-reset
              can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back.  This
              is mainly useful for blocking ident (113/tcp) probes which frequently occur when sending mail to broken
              mail hosts (which won't accept your mail otherwise).

       (*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT



Regards. Pablo.



From: Robin-Vinet Mathieu [mailto:robin@elda.org]
Sent: Thursday, April 06, 2006 11:07 a.m.
To: debian-firewall@lists.debian.org
Subject: Iptables DROP packets but Nmap show the ports opened !!



I've got a question about how DROPPED packets are shown to TCP scanners such as Nmap.

I've done an IPtables script which does what I want it to do, but even if unauthorised packets are dropped and logged, when I nmap my server, almost all TCP ports are shown as opened.
Of course, some of those ports are (e.g. TCP 80), but others are not (e.g. TCP 445). I think it is clearly unsafe, because hackers know that there is a server behind those closed ports.
In my mind, a good firewall would show the firewalled TCP ports as "stealth" or "filtered" or in the last "closed", but I'd prefer "stealth".

Is it normal? If not, do you know how I can solve that?

Thanks a lot.


Robin-Vinet Mathieu
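
Added example, not part of the original thread: a shell function that emits an iptables-restore ruleset for the INPUT chain in either "drop" or "reject" mode, so the DROP and REJECT --reject-with behaviours quoted from the man page can be compared side by side. Nmap's SYN scan reports a port as "filtered" when the probe gets no reply or an ICMP unreachable error, and as "closed" when it gets a TCP RST. The function name emit_input_rules, the sample ports and the use of the conntrack match are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore ruleset.
#   mode "drop"   -> unmatched packets are discarded silently
#   mode "reject" -> unmatched TCP gets a RST, anything else an ICMP error
# emit_input_rules is a hypothetical helper; ports are constructed samples.

emit_input_rules() {
    mode=$1; shift
    case $mode in
        drop|reject) ;;
        *) echo "mode must be drop or reject" >&2; return 2 ;;
    esac

    # Validate every port before printing anything, so a bad argument
    # never produces a partial ruleset.
    for port in "$@"; do
        case $port in
            ''|0*|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 2 ;;
        esac
        [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 2; }
    done

    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

    for port in "$@"; do
        printf '%s\n' \
            "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done

    if [ "$mode" = reject ]; then
        # tcp-reset is only accepted on rules that match -p tcp.
        printf '%s\n' '-A INPUT -p tcp -j REJECT --reject-with tcp-reset'
        # port-unreachable is REJECT's default; written out for clarity.
        printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
    else
        printf '%s\n' '-A INPUT -j DROP'
    fi
    printf '%s\n' 'COMMIT'
}

# Syntax-check as root without applying (iptables-restore --test only parses):
#   emit_input_rules reject 22 80 | iptables-restore --test
```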

