RE: Iptables DROP packets but Nmap show the ports opened !!

Thu, 06 Apr 2006 12:15:44 -0700

That’s a correct behavior of iptables. If you want another error behavior use: “ …. –j REJECT –reject-with icmp-host-unreachable”    instead.

 

 

From man:

 

REJECT

       This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so

       it  is  a  terminating  TARGET, ending rule traversal.  This target is only valid in the INPUT, FORWARD and OUTPUT

       chains, and user-defined chains which are only called from those chains.  The following option controls the nature

       of the error packet returned:

 

       --reject-with type

              The type given can be

               icmp-net-unreachable

               icmp-host-unreachable

               icmp-port-unreachable

               icmp-proto-unreachable

               icmp-net-prohibited

               icmp-host-prohibited or

               icmp-admin-prohibited (*)

              which  return  the  appropriate ICMP error message (port-unreachable is the default).  The option tcp-reset

              can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back.  This

              is  mainly  useful  for  blocking ident (113/tcp) probes which frequently occur when sending mail to broken

              mail hosts (which won't accept your mail otherwise).

 

       (*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT

 

 

Saludos. Pablo.

 

 

De: Robin-Vinet Mathieu [mailto:[EMAIL PROTECTED]
Enviado el: Jueves, 06 de Abril de 2006 11:07 a.m.
Para: [email protected]
Asunto: Iptables DROP packets but Nmap show the ports opened !!

 

Hi,

I've got a question, about how DROPPED packets are shown to TCP scanners such as Nmap.

I've done an IPtables script wich does what i want it to do, but even if unautorised packets are dropped and logged, when i nmap my server, almost all tcp ports are shown as opened.
Of course, some of those ports are (eg. TCP 80), but others are not (eg. TCP 445), i think it is clearly unsafe, cause hackers knows that there is a server behind those closed ports.
In my mind, a good firewall would show the firewalled TCP ports as "stealth" or "filtered" or in the last "closed", but i'd prefer "stealth".

Is it normal ? If not, do you know how can i solve that ?

Thanks a lot.

Regards,

--
Robin-Vinet Mathieu

 

Reply via email to