I'm trying to find out why changing my default iptables policy is affecting what nmap sees when it scans my host.
Consider the following iptables setup:
```
iptables -F
iptables -A INPUT -p tcp -s 10.1.0.0/20 --dport 22 -j ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```
Let's nmap it using `nmap -p - 10.1.0.157`:

```
Nmap scan report for 10.1.0.157
Host is up (0.00059s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
5672/tcp  open  amqp
46010/tcp open  unknown
```
As expected, some ports are open.
Adding a rule specifically dropping port 111:
```
iptables -F
iptables -A INPUT -p tcp -s 10.1.0.0/20 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 111 -j DROP
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```
Results:
```
Nmap scan report for 10.1.0.157
Host is up (0.00056s latency).
Not shown: 65531 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
111/tcp   filtered rpcbind
5672/tcp  open     amqp
46010/tcp open     unknown
```
Why is 111 showing as filtered? Why is it even showing? If I change the default policy to DROP, I get the following scan results as expected:
```
Nmap scan report for 10.1.0.157
Host is up (0.00052s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
```
Am I not understanding something about how default policies work within iptables, or is it something to do with nmap?
Best Answer
Nmap shows ports for which it receives no response as "filtered". This is the result when a rule or policy is set to "DROP".
The reason port 111 shows up in one output and not the other is in the "Not shown:" line. Whatever the most common port state ("closed" or "filtered", not "open") gets bundled up into that line, with a count. So when the policy is ACCEPT, and nothing is listening (or if the policy were REJECT), the most common state is "closed", meaning a TCP RST packet was received. The DROP rule for port 111 makes it different from the others, so it gets shown.
In the second case, when the default policy is DROP, the result for port 111 is no different than for any other port, so it is lumped in with the others in the "Not shown: 65534 filtered ports" line.
You can get more details on why a port is shown in a particular state by adding the `--reason` option. Also, turning on debugging with `-d` will unroll that "Not shown" bundle and show you each port separately (lots of output!).
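To make the bundling behaviour concrete, here is an added model (not code from the question or the answer) of how the INPUT chain shapes the replies a SYN scan sees, and how the most common non-open state is folded into the "Not shown" line. It assumes the scanner sits inside 10.1.0.0/20 (so the port 22 rule matches) and simplifies the chain to TCP destination-port rules plus the policy; the listening ports are taken from the first scan in the question.

```python
from collections import Counter

# Services listening on the scanned host, taken from the question's first scan.
LISTENING = {22, 111, 5672, 46010}

def verdict(port, rules, policy):
    """First matching INPUT rule decides; with no match the chain policy applies.
    `rules` is a list of (dport, target). The lo and ESTABLISHED,RELATED rules
    from the question never match a fresh SYN from a remote scanner, so they
    are left out of this simplified model."""
    for dport, target in rules:
        if dport == port:
            return target
    return policy

def port_state(port, rules, policy, listening=LISTENING):
    """State nmap assigns from the reply a SYN to `port` provokes."""
    if verdict(port, rules, policy) == "DROP":
        return "filtered"      # packet discarded, nothing comes back
    if port in listening:
        return "open"          # SYN/ACK from the service
    return "closed"            # RST from the kernel: nothing listening

def scan(rules, policy, ports=range(1, 65536)):
    """Return (bundled_state, bundled_count, shown), mimicking nmap's report:
    the more common of 'closed'/'filtered' is folded into the 'Not shown'
    line, while 'open' ports are always listed individually."""
    states = {p: port_state(p, rules, policy) for p in ports}
    counts = Counter(states.values())
    bundled = max(("closed", "filtered"), key=counts.__getitem__)
    shown = {p: s for p, s in states.items() if s != bundled}
    return bundled, counts[bundled], shown

def report(rules, policy):
    """Render the summary line and per-port lines like nmap's output."""
    bundled, n, shown = scan(rules, policy)
    lines = [f"Not shown: {n} {bundled} ports"]
    lines += [f"{p}/tcp {s}" for p, s in sorted(shown.items())]
    return lines

if __name__ == "__main__":
    # 1. policy ACCEPT, no rule on 111 -> 111 listed as open
    # 2. policy ACCEPT, DROP 111      -> 111 is the odd one out, listed as filtered
    # 3. policy DROP, ACCEPT 22       -> 111 joins the 65534 filtered ports
    for rules, policy in [([(22, "ACCEPT")], "ACCEPT"),
                          ([(22, "ACCEPT"), (111, "DROP")], "ACCEPT"),
                          ([(22, "ACCEPT")], "DROP")]:
        print(f"--- policy {policy}, rules {rules}")
        print("\n".join(report(rules, policy)))
```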