
I'm trying to find out why changing my default iptables policy is affecting what nmap sees when it scans my host.

Consider the following iptables setup:

iptables -F
iptables -A INPUT -p tcp -s 10.1.0.0/20 --dport 22 -j ACCEPT

iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Let's nmap it using nmap -p - 10.1.0.157:

Nmap scan report for 10.1.0.157
Host is up (0.00059s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
5672/tcp  open  amqp
46010/tcp open  unknown

As expected, some ports are open. Adding a rule specifically dropping port 111:

iptables -F
iptables -A INPUT -p tcp -s 10.1.0.0/20 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 111 -j DROP

iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Results:

Nmap scan report for 10.1.0.157
Host is up (0.00056s latency).
Not shown: 65531 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
111/tcp   filtered rpcbind
5672/tcp  open     amqp
46010/tcp open     unknown

Why is 111 showing as filtered? Why is it even showing? If I change the default policy to DROP, I get the following scan results as expected:

Nmap scan report for 10.1.0.157
Host is up (0.00052s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh

Am I not understanding something about how default policies work within iptables, or is it something to do with nmap?

Ation
  • What is the default scan method for nmap? I can't remember off the top of my head; if it's a SYN scan, is a simple DROP going to stop that when you have a line like "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"? SYN is pretending we have a half-open connection already, so would this rule allow it in? – jwbensley Sep 07 '12 at 13:08

1 Answer

Nmap shows ports for which it receives no response as "filtered". This is the result when a rule or policy is set to "DROP".

The reason port 111 shows up in one output and not the other is in the "Not shown:" line. Whatever the most common port state is ("closed" or "filtered", not "open") gets bundled up into that line, with a count. So when the policy is ACCEPT, and nothing is listening (or if the policy were REJECT), the most common state is "closed", meaning a TCP RST packet was received. The DROP rule for port 111 makes it different from the others, so it gets shown.

In the second case, when the default policy is DROP, the result for port 111 is no different from that for any other port, so it is lumped in with the others in the "Not shown: 65534 filtered ports" line.

You can get more details on why a port is shown in a particular state by adding the --reason option. Also, turning on debugging with -d will unroll that "Not shown" bundle and show you each port separately (lots of output!).

bonsaiviking
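To make the bundling rule concrete, here is a small model of the three rulesets from the question and of how a SYN scan labels each port. This is an added example, not code from the question, the answer, nmap or iptables. It assumes the scanner sits inside 10.1.0.0/20 (so the port-22 ACCEPT rule matches it), that exactly the four services seen in the scan are listening, and that the host answers a SYN on an accepted port with SYN/ACK when something listens and RST otherwise; the reason strings mirror what nmap's --reason option prints for those three cases.

```python
from collections import Counter

# Constructed model of the scanned host: the four TCP services visible in the
# question's first scan (assumption), and the full TCP port range nmap -p- covers.
LISTENING = {22, 111, 5672, 46010}
ALL_PORTS = range(1, 65536)


def host_response(port, policy, accept_ports=(), drop_ports=()):
    """Reply the host sends to a SYN on `port`.

    Rules are walked the way iptables walks the INPUT chain: an explicit rule
    matching the port wins, otherwise the chain's default policy applies.
    Returns 'syn-ack' (service answered), 'reset' (kernel sent RST, nothing
    listening) or 'no-response' (packet dropped).
    """
    if port in drop_ports:
        return "no-response"
    if port in accept_ports or policy == "ACCEPT":
        return "syn-ack" if port in LISTENING else "reset"
    if policy == "DROP":
        return "no-response"
    raise ValueError(f"policy {policy!r} not modelled here")


# nmap's SYN-scan mapping from what came back to the reported port state.
STATE_FOR = {"syn-ack": "open", "reset": "closed", "no-response": "filtered"}


def scan(policy, accept_ports=(), drop_ports=()):
    """Return {port: (state, reason)} for every port, as `nmap --reason` labels them."""
    results = {}
    for port in ALL_PORTS:
        reason = host_response(port, policy, accept_ports, drop_ports)
        results[port] = (STATE_FOR[reason], reason)
    return results


def summarize(results):
    """Apply the 'Not shown:' bundling described in the answer.

    The most common non-open state is collapsed into a single count; every port
    whose state differs from that bundled state is listed individually.
    """
    counts = Counter(state for state, _ in results.values() if state != "open")
    bundled_state, bundled_count = counts.most_common(1)[0]
    shown = {p: r for p, r in results.items() if r[0] != bundled_state}
    return bundled_count, bundled_state, shown


def report(results):
    """Render a scan the way nmap's port table looks, with the reason column."""
    bundled_count, bundled_state, shown = summarize(results)
    lines = [f"Not shown: {bundled_count} {bundled_state} ports",
             f"{'PORT':<10}{'STATE':<9}REASON"]
    for port in sorted(shown):
        state, reason = shown[port]
        lines.append(f"{port}/tcp".ljust(10) + state.ljust(9) + reason)
    return "\n".join(lines)


if __name__ == "__main__":
    # Ruleset 1: policy ACCEPT plus the port-22 ACCEPT rule.
    print(report(scan("ACCEPT", accept_ports={22})), end="\n\n")
    # Ruleset 2: same, plus the explicit DROP on 111 -> 111 stands out as filtered.
    print(report(scan("ACCEPT", accept_ports={22}, drop_ports={111})), end="\n\n")
    # Ruleset 3: policy DROP -> 111 now looks like every other port and is bundled.
    print(report(scan("DROP", accept_ports={22})))
```

Running it reproduces the three "Not shown:" lines from the question (65531 closed, 65531 closed with 111 listed as filtered, 65534 filtered with only 22 listed), which is the whole point of the answer: port 111 appears in the second scan not because DROP made it visible, but because it is the one port whose state differs from the bundled majority.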