Hello,
I am new to configuring iptables for Linux; I used only the webif firewall interface before.
Here is my problem: I have WhiteRussian 0.9 and I understand that by default all external access to the box is locked (no ports open). However, I used several online port scanners as well as asking a friend for a scan, and all of them revealed quite a large number of ports open.
Here is the output from nmap-online.com:
Nmap Options: -F -T5 -sS 89.37.74.124 -vvvvvvvv
Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2007-08-23 23:01 Central Europe Daylight Time
DNS resolution of 1 IPs took 0.03s.
Initiating SYN Stealth Scan against sacele-89.37.74.124-dynamicIP.tvsnet.ro (89.37.74.124) [1239 ports] at 23:01
Warning: Giving up on port early because retransmission cap hit.
The SYN Stealth Scan took 24.80s to scan 1239 total ports.
Host sacele-89.37.74.124-dynamicIP.tvsnet.ro (89.37.74.124) appears to be up ... good.
Interesting ports on sacele-89.37.74.124-dynamicIP.tvsnet.ro (89.37.74.124):
Not shown: 1232 closed ports
PORT STATE SERVICE
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1720/tcp filtered H.323/Q.931
Nmap finished: 1 IP address (1 host up) scanned in 25.796 seconds
Raw packets sent: 1492 (65.628KB) | Rcvd: 1268 (58.328KB)
Here is the result of netstat -a:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:80 *:* LISTEN
tcp 0 0 *:53 *:* LISTEN
tcp 0 0 *:22 *:* LISTEN
tcp 0 0 *:23 *:* LISTEN
tcp 0 0 hercules:22 192.168.0.2:1310 ESTABLISHED
netstat: no support for `AF INET6 (tcp)' on this system.
udp 0 0 *:1024 *:*
udp 0 0 localhost:34954 *:*
udp 0 0 *:53 *:*
udp 0 0 *:67 *:*
netstat: no support for `AF INET6 (udp)' on this system.
netstat: no support for `AF INET6 (raw)' on this system.
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 7 [ ] DGRAM 150 /dev/log
unix 2 [ ] DGRAM 609
unix 2 [ ] DGRAM 560
unix 2 [ ] DGRAM 543
unix 3 [ ] STREAM CONNECTED 477
unix 3 [ ] STREAM CONNECTED 476
unix 2 [ ] DGRAM 163
unix 2 [ ] DGRAM 154
And the result from ps:
PID Uid VmSize Stat Command
1 root 356 S init
2 root SW [keventd]
3 root RWN [ksoftirqd_CPU0]
4 root SW [kswapd]
5 root SW [bdflush]
6 root SW [kupdated]
9 root SW [mtdblockd]
69 root SWN [jffs2_gcd_mtd4]
92 root 348 S syslogd -C 16
94 root 344 S logger -s -p 6 -t
96 root 356 S init
98 root 300 S klogd
295 root SW [khubd]
359 root SW [usb-storage-0]
360 root SW [scsi_eh_0]
608 root 320 S wifi up
647 root 436 S /usr/sbin/nas -P /var/run/nas.lan.pid -l br0 -H 34954 -i eth2 -A -m 128 -k cucurigu -s Olympus -w 4 -g 3600
680 root 380 S udhcpc -i vlan1 -b -p /var/run/vlan1.pid -t 0 -H Hercules -R
684 root 392 S /usr/sbin/dropbear
687 root 368 S httpd -p 80 -h /www -r Hercules
693 root 264 S telnetd -l /bin/login
699 root 352 S crond -c /etc/crontabs
719 nobody 416 S dnsmasq -K -F 192.168.0.1,192.168.0.253,255.255.255.0,86400 -I vlan1
729 root 588 R /usr/sbin/dropbear
730 root 444 S -ash
745 root 344 R ps
The firewall configuration is unchanged from the default. Can anyone explain to me why this happens and how to stop it?
