Filtered: NMAP Port Scanner Sees Through IPtables Firewall
Ever wondered why port scanners like nmap are able to tell that some of the ports on your server are protected by a firewall? Have a peek at this nmap transcript:
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2006-02-23 22:54 CET Interesting ports on doodah.com (188.8.131.52): (The 1658 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 53/tcp open domain 80/tcp open http 3306/tcp filtered mysql
I'm quite sure my firewall blocks access to the mysql port. Yet it bugs me that it is possible to tell that I have MySQL installed on my system simply by performing a port scan. Assuming that I am sane and do not filter unused ports [Wait a minute! - This might be good idea, actually ...]
Anyway, how is that possible? The answer lies in the way the firewall (in my case that would be iptables) responds to connection requests. If the firewall rule's target is DROP, the packet will be ignored. Sounds good, doesn't it? Wait! When a connection request arrives at a port at which no application is listening, the operating system responds to that request with a TCP RST packet. This is different to what happens if a connection request is made at port that is filtered using DROP. Thus, a clever port scanner can conclude whether a port is simply unused (a RST response) or filtered (no response).
Right, you say, let's use REJECT instead of DROP. Wrong, I say, because REJECT issues an ICMP Port Unreachable response. Darn it!
So how do we conceal the port properly? Luckily, IPtables has the
--reject-with tcp-reset option that can be used in conjunction with the REJECT target in order to specify that connection requests should be handled using TCP RST, just like a connection to an unused port would be treated. Simply end your firewall rules with
-j REJECT --reject-with tcp-reset
and port scans will report the filtered port as "closed":
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2006-02-23 22:56 CET Interesting ports on doodah.com (184.108.40.206): (The 1659 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 53/tcp open domain 80/tcp open http Nmap run completed -- 1 IP address (1 host up) scanned in 1.374 seconds