
I wanted to configure iptables on my server in such a way that only specific ports are open. Nevertheless, I can access e.g. port 3000 if I run a web app on it. What could be the reason why 3000 is open?

Here is the output of the command iptables -nv -L INPUT

 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
  670  302K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  187  136K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
   33  1968 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:25 state ESTABLISHED

In my view the table above indicates that only ports 80, 443, 22 and 25 are open, but apparently I am missing something.

UPD. Content of /etc/sysconfig/iptables

# Generated by iptables-save v1.4.21 on ...
*filter
:INPUT ACCEPT [11:812]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:2120]
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
# Completed on ...
# Generated by iptables-save v1.4.21 on ...
*mangle
:PREROUTING ACCEPT [6775:1045434]
:INPUT ACCEPT [6183:992008]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3415:5301713]
:POSTROUTING ACCEPT [3415:5301713]
COMMIT
# Completed on ...
# Generated by iptables-save v1.4.21 on ...
*nat
:PREROUTING ACCEPT [671:58811]
:POSTROUTING ACCEPT [3:243]
:OUTPUT ACCEPT [3:243]
COMMIT
# Completed on ...
# Generated by iptables-save v1.4.21 on ...
*raw
:PREROUTING ACCEPT [6775:1045434]
:OUTPUT ACCEPT [3415:5301713]
COMMIT

UPD. Thanks for the answers, @akhfa and @Iain! Both work for me. It seems that the option to reject is a bit better (e.g. in view of this comparison), so I mark it as the accepted one.

P.S. Now I have a problem that I can no longer ping google from my server, but this probably goes beyond the scope of the original question. P.P.S. Never mind, in the end I fixed the internet access issue by adding the following rules at the beginning:

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

sudo iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED     -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT  -p tcp --sport 53 -m state --state ESTABLISHED     -j ACCEPT

sudo iptables -A INPUT -p icmp -j ACCEPT
Skeeve
  • Can you post your iptables rules? – Gmck Dec 25 '15 at 21:41
  • @Gmck Do you mean `/etc/sysconfig/iptables`? Just added it. – Skeeve Dec 25 '15 at 22:03
  • If you choose to add a reject rule from everywhere at the end of the INPUT chain, you must remember not to add an ACCEPT rule after the reject rule, because the accept rule will not work :) – akhfa Dec 27 '15 at 18:57
  • @akhfa I have already figured this out experimentally, but thanks anyway ;) Actually the rule to reject from everywhere is the last one now. And the first rule is `iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`. (Otherwise I was unable to access the internet from my server). – Skeeve Dec 28 '15 at 10:09

2 Answers


You don't have any rules to block port 3000. Your policy is ACCEPT, so port 3000 (like everything else) is open. You could try adding a default drop/reject at the end of your rules; this is common:

iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

and should do the job, as any packet that gets that far will be rejected and the remote will think nothing is listening on that port.

user9517

You can change the default policy of INPUT to DROP like this:

iptables -P INPUT DROP

and then you can delete all DROP rules in your INPUT chain. You must add an ACCEPT rule for every port you want to open if you make this change.

akhfa
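An added example (my own code, not from the question or either answer) that replays the decision netfilter makes for the INPUT chain: it parses the iptables-save lines from the question, applies first-match-wins with the chain policy as fallback, and shows why a SYN to port 3000 reaches the ACCEPT policy, why a bare policy DROP also kills replies to the server's own outbound connections (the P.S. problem above), and how the combined fix from both answers (policy DROP, ESTABLISHED,RELATED first, REJECT last) behaves. Packet values and the `default_deny` helper are constructed for this example.

```python
# Replays the INPUT chain: first matching rule wins, otherwise the chain policy decides.
RULESET = """\
:INPUT ACCEPT [11:812]
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
"""
SYN_3000 = dict(proto="tcp", iface="eth0", dport="3000", sport="51000", state="NEW", flags={"SYN"})  # constructed
REPLY_443 = dict(proto="tcp", iface="eth0", dport="51000", sport="443", state="ESTABLISHED", flags={"ACK"})  # constructed
OPTS = {"-p": "proto", "-i": "iface", "--dport": "dport", "--sport": "sport", "--state": "state", "-j": "target"}
bits = lambda s: set() if s == "NONE" else set(s.split(","))  # "--tcp-flags" operand -> set of flag names

def parse(text):  # returns (chain policy, list of rule dicts) for the INPUT chain of an iptables-save dump
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == [":INPUT"]:
            policy = tok[1]
        elif tok[:2] == ["-A", "INPUT"]:
            r, neg, i = {}, False, 2
            while i < len(tok):
                if tok[i] == "!":  # negates the next match, e.g. "! --tcp-flags ..."
                    neg, i = True, i + 1
                elif tok[i] in OPTS:
                    r[OPTS[tok[i]]], i = tok[i + 1], i + 2
                elif tok[i] == "--tcp-flags":  # (mask, bits that must be set within the mask, negated?)
                    r["flags"], neg, i = (bits(tok[i + 1]), bits(tok[i + 2]), neg), False, i + 3
                else:
                    i += 1  # "-m tcp", "-m state", "--reject-with ..." add no match criteria of their own
            rules.append(r)
    return policy, rules

def matches(r, pkt):
    if any(r[k] != pkt[k] for k in ("proto", "iface", "dport", "sport") if k in r):
        return False
    if "state" in r and pkt["state"] not in r["state"].split(","):
        return False
    if "flags" in r and ((pkt["flags"] & r["flags"][0]) == r["flags"][1]) == r["flags"][2]:
        return False
    return True

def verdict(ruleset, pkt):
    policy, rules = parse(ruleset)
    return next((r["target"] for r in rules if matches(r, pkt)), policy)

def default_deny(ruleset):  # both answers combined; the order of the two added rules is what matters
    lines = ruleset.replace(":INPUT ACCEPT", ":INPUT DROP").splitlines()
    extra = "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    return "\n".join([lines[0], extra, *lines[1:], "-A INPUT -j REJECT --reject-with icmp-port-unreachable"])
```

Run `verdict(RULESET, SYN_3000)` to see the port 3000 SYN fall through to the ACCEPT policy, and `verdict(default_deny(RULESET), SYN_3000)` to see it hit the trailing REJECT instead.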