I'm trying to find out why changing my default iptables policy is affecting what nmap sees when it scans my host.
Consider the following iptables setup:
iptables -F
iptables -A INPUT -p tcp -s 10.1.0.0/20 --dport 22 -j ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Let's nmap it using nmap -p - 10.1.0.157:
Nmap scan report for 10.1.0.157
Host is up (0.00059s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
5672/tcp open amqp
46010/tcp open unknown
As expected, some ports are open. Adding a rule specifically dropping port 111:
iptables -F
iptables -A INPUT -p tcp -s 10.1.0.0/20 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 111 -j DROP
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Results:
Nmap scan report for 10.1.0.157
Host is up (0.00056s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp filtered rpcbind
5672/tcp open amqp
46010/tcp open unknown
Why is 111 showing as filtered? Why is it even showing? If I change the default policy to DROP, I get the following scan results as expected:
Nmap scan report for 10.1.0.157
Host is up (0.00052s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE
22/tcp open ssh
Am I not understanding something about how default policies work within iptables, or is it something to do with nmap?
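The two mechanisms at play here are netfilter's first-match-then-policy evaluation of the INPUT chain and the way a SYN scan turns each reply into a port state (SYN-ACK means open, RST means closed, no reply means filtered). The following added model, which is not part of the original post and not nmap or netfilter code, replays the three rule sets from the question against an assumed set of listeners (22, 111, 5672, 46010, taken from the first scan) and an assumed scanner address inside 10.1.0.0/20, and reproduces each scan's summary line. Interface and connection-state rules are included so the chain matches the post, although neither can match a fresh SYN arriving from the LAN.

```python
import ipaddress
from collections import Counter

# Constructed sample: TCP listeners on the scanned host, taken from the
# services reported in the question's first scan.
LISTENING_PORTS = {22, 111, 5672, 46010}
SCANNER_IP = "10.1.0.5"          # assumed scanner address within 10.1.0.0/20
ALL_PORTS = range(1, 65536)      # the range `nmap -p -` probes


def rule(target, dport=None, iface=None, src=None, state=None):
    """Build one INPUT rule as (predicate, target); None means 'match any'."""
    net = ipaddress.ip_network(src) if src else None

    def matches(pkt):
        return ((dport is None or pkt["dport"] == dport)
                and (iface is None or pkt["iface"] == iface)
                and (net is None or ipaddress.ip_address(pkt["src"]) in net)
                and (state is None or pkt["state"] in state))
    return matches, target


def input_verdict(rules, policy, pkt):
    """Netfilter semantics: rules are tried top to bottom and the first match
    decides; a packet matching no rule falls through to the chain policy."""
    for matches, target in rules:
        if matches(pkt):
            return target
    return policy


def host_response(rules, policy, port):
    """Reply the kernel sends for one SYN probe, or None if the SYN is dropped."""
    pkt = {"dport": port, "iface": "eth0", "src": SCANNER_IP, "state": "NEW"}
    if input_verdict(rules, policy, pkt) == "DROP":
        return None                  # silently discarded; the scanner times out
    # ACCEPT hands the SYN to the TCP stack: a listener answers SYN-ACK,
    # a port with no listener answers RST.
    return "SYN-ACK" if port in LISTENING_PORTS else "RST"


def nmap_state(response):
    """SYN-scan inference: SYN-ACK -> open, RST -> closed, no reply -> filtered."""
    return {"SYN-ACK": "open", "RST": "closed", None: "filtered"}[response]


def scan(rules, policy, ports=ALL_PORTS):
    """Port -> state for every probed port under the given chain and policy."""
    return {p: nmap_state(host_response(rules, policy, p)) for p in ports}


def summarize(states):
    """Mimic the report layout: the most common state is folded into the
    'Not shown' line and only ports in a minority state are listed."""
    majority, count = Counter(states.values()).most_common(1)[0]
    shown = {p: s for p, s in states.items() if s != majority}
    return majority, count, shown


# The three chains from the question, in the order the rules were appended
# (`-P` sets the policy and adds no rule, so it does not affect ordering).
BASE = [rule("ACCEPT", dport=22, src="10.1.0.0/20")]
TAIL = [rule("ACCEPT", iface="lo"),
        rule("ACCEPT", state={"ESTABLISHED", "RELATED"})]

SCAN_1 = (BASE + TAIL, "ACCEPT")                               # first scan
SCAN_2 = (BASE + [rule("DROP", dport=111)] + TAIL, "ACCEPT")   # drop 111 added
SCAN_3 = (BASE + [rule("DROP", dport=111)] + TAIL, "DROP")     # policy DROP

if __name__ == "__main__":
    for label, (rules, policy) in (("policy ACCEPT", SCAN_1),
                                   ("ACCEPT + drop 111", SCAN_2),
                                   ("policy DROP", SCAN_3)):
        majority, count, shown = summarize(scan(rules, policy))
        print(f"{label}: Not shown: {count} {majority} ports")
        for port, state in sorted(shown.items()):
            print(f"  {port}/tcp {state}")
```

Running it prints the same three summaries as the question: with policy ACCEPT every non-listening port reaches the TCP stack and is answered with RST, so the majority state is closed and only the four listeners are listed; the explicit DROP on 111 makes that single port time out, which is a different state from the closed majority, so it is listed as filtered; with policy DROP every port except 22 times out, so the majority becomes filtered and only 22 remains in the listing.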