# weird: open ports => iptables

## zbled

Hi everybody,

I'm using an iptables script and changed everything to reject-with anything... when being port scanned, it seems that my ports 53, 67, 111, 137-139 and 445 are open for UDP traffic. I'm not running a portmapper or a DNS server, there's no Windows on my PC anymore, etc. There aren't any services running which need, e.g., a portmapper.

 *Quote:*   

> root@heisl  # ls /mnt/.init.d/started/
> 
> backupclock        iptables    modules    serial      net.eth0
> 
> bootmisc   consolefont  keymaps     ntpd       sumtraffic  net.lo
> ...

 

Could someone please have a look at my iptables script and tell me what I'm doing wrong? I guess it's something to do with the "abweisen" chain.

Thanks in Advance

```
#!/sbin/runscript

depend() {
   need net
}

start() {
   ebegin "Loading iptables"

   # general
   #modprobe ip_conntrack
   modprobe ip_conntrack_ftp

   IPTABLES="/sbin/iptables"

   # set dynamic kernel parameters
   # explanations here: http://www.linuxguruz.org/iptables/scripts/rc.firewall_010.txt
   for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo "1" > ${interface}
   done
   echo "0" > /proc/sys/net/ipv4/ip_forward
   echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
   echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
   echo "0" > /proc/sys/net/ipv4/tcp_timestamps
   echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
   echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
   echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
   echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
   echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
   echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
   echo "0" > /proc/sys/net/ipv4/tcp_sack

   # flush the entries in the filter and nat tables
   $IPTABLES -F
   $IPTABLES -X
   $IPTABLES -t nat -F
   $IPTABLES -t nat -X

   # flush the built-in chains
   $IPTABLES -F INPUT
   $IPTABLES -F OUTPUT
   $IPTABLES -F FORWARD

   # deny everything for now (placeholder rules, removed again at the end)
   $IPTABLES -A INPUT -j DROP
   $IPTABLES -A OUTPUT -j DROP
   $IPTABLES -A FORWARD -j DROP

   # reject chain ("abweisen" = reject)
   $IPTABLES -N abweisen
   $IPTABLES -F abweisen
   $IPTABLES -A abweisen -p tcp -j REJECT --reject-with tcp-reset
   $IPTABLES -A abweisen -p udp -j REJECT --reject-with icmp-port-unreachable
   $IPTABLES -A abweisen -p icmp -j REJECT --reject-with icmp-port-unreachable
   $IPTABLES -A abweisen -j REJECT

   # loopback
   $IPTABLES -A INPUT -s "127.0.0.1" -i lo -d "127.0.0.1" -j ACCEPT
   $IPTABLES -A OUTPUT -d "127.0.0.1" -o lo -s "127.0.0.1" -j ACCEPT

   # incoming rules
   # ==============
   $IPTABLES -A INPUT -m state --state INVALID -j REJECT
   $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

   # icmp
   $IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
   $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
   $IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
   $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

   # ident
   $IPTABLES -A INPUT -p tcp --dport 113 -j abweisen

   # netbios
   $IPTABLES -A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT
   $IPTABLES -A INPUT -p udp -i eth0 --dport 137:139 -j REJECT

   # deny the rest
   $IPTABLES -A INPUT -m limit --limit 1/s -j LOG --log-prefix "verboten <= "
   $IPTABLES -A INPUT -j abweisen

   # outgoing rules
   # ==============
   $IPTABLES -A OUTPUT -m state --state INVALID -j REJECT
   $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

   # dns
   for dns in `gawk '/^nameserver/ { print $2 }' /etc/resolv.conf`; do
      $IPTABLES -A OUTPUT -p udp --dport 53 -d $dns -j ACCEPT
   done

   # icmp
   $IPTABLES -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
   $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
   $IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
   $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

   # time => ntpd
   $IPTABLES -A OUTPUT -p udp --dport 123 -j ACCEPT

   # rsync
   $IPTABLES -A OUTPUT -p tcp --dport 873 -j ACCEPT

   # gaim & irc
   $IPTABLES -A OUTPUT -p tcp --dport 1863 -j ACCEPT
   $IPTABLES -A OUTPUT -p tcp --dport 4000:4100 -j ACCEPT
   $IPTABLES -A OUTPUT -p tcp --dport 5190 -j ACCEPT
   $IPTABLES -A OUTPUT -p udp --dport 5190 -j ACCEPT
   $IPTABLES -A OUTPUT -p tcp --dport 5050 -j ACCEPT
   $IPTABLES -A OUTPUT -p tcp --dport 5222 -j ACCEPT
   $IPTABLES -A OUTPUT -p tcp --dport 6667:7000 -j ACCEPT

   # http(s)
   $IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
   $IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
   $IPTABLES -A OUTPUT -p tcp --dport 8000 -j ACCEPT
   $IPTABLES -A OUTPUT -p tcp --dport 8080 -j ACCEPT

   # ftp, telnet & ssh
   $IPTABLES -A OUTPUT -p tcp --dport 20 -j ACCEPT
   $IPTABLES -A OUTPUT -p tcp --dport 21 -j ACCEPT
   $IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT
   $IPTABLES -A OUTPUT -p tcp --dport 23 -j ACCEPT

   # mail & news
   $IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT
   $IPTABLES -A OUTPUT -p tcp --dport 110 -j ACCEPT
   $IPTABLES -A OUTPUT -p tcp --dport 119 -j ACCEPT

   # deny the rest
   $IPTABLES -A OUTPUT -m limit --limit 1/s -j LOG --log-prefix "verboten => "
   $IPTABLES -A OUTPUT -j REJECT

   # delete the placeholder default rules added at the start
   $IPTABLES -D INPUT 1
   $IPTABLES -D FORWARD 1
   $IPTABLES -D OUTPUT 1

   eend $? "Failed to load iptables"
}

stop() {
   ebegin "Unloading iptables"
   iptables -F
   iptables -X
   iptables -P INPUT ACCEPT
   iptables -P OUTPUT ACCEPT
   iptables -P FORWARD ACCEPT
   eend $?
}
```
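To see what this rule set actually answers to an unsolicited probe, here is a small model of iptables chain traversal with the script's INPUT and "abweisen" chains transcribed by hand. This is an added example, not code from the post. It assumes a few simplifications: the conntrack state is given per packet, the `-m limit` on the LOG rule is ignored, and the ICMP rules are left out because only TCP and UDP probes are examined. The model shows that a new UDP packet to port 53 ends in the `abweisen` chain and is answered with an ICMP port-unreachable, which is exactly what a scanner interprets as "closed".

```python
# Added example (not from the original post): a toy model of how the kernel
# walks iptables filter chains, with the thread's INPUT and "abweisen" rules
# transcribed by hand. Assumptions: conntrack state is supplied per packet,
# the "-m limit" on the LOG rule is ignored, and the ICMP rules are omitted.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    dport: int
    state: str = "NEW"    # conntrack: NEW, ESTABLISHED, RELATED, INVALID
    iface: str = "eth0"


@dataclass
class Rule:
    target: str                          # ACCEPT, DROP, REJECT, LOG or a user chain
    proto: Optional[str] = None          # -p
    dports: Optional[tuple] = None       # --dport low:high, inclusive
    states: Optional[frozenset] = None   # -m state --state a,b
    iface: Optional[str] = None          # -i
    reject_with: str = "icmp-port-unreachable"  # iptables' default for REJECT

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.dports and not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        if self.states and p.state not in self.states:
            return False
        if self.iface and p.iface != self.iface:
            return False
        return True


def walk(chains, name, p):
    """Return ACCEPT, DROP, 'REJECT:<type>' or RETURN for chain `name`.
    LOG is non-terminating (the walk continues with the next rule); a user
    chain that falls off its end returns to the next rule of the caller."""
    for r in chains[name]:
        if not r.matches(p):
            continue
        if r.target == "LOG":
            continue
        if r.target in ("ACCEPT", "DROP"):
            return r.target
        if r.target == "REJECT":
            return "REJECT:" + r.reject_with
        v = walk(chains, r.target, p)      # jump into a user-defined chain
        if v != "RETURN":
            return v
    return "RETURN"


# The script's chains as they look after the placeholder DROP rules are deleted.
SCRIPT_CHAINS = {
    "INPUT": [
        Rule("REJECT", states=frozenset({"INVALID"})),
        Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
        Rule("abweisen", proto="tcp", dports=(113, 113)),              # ident
        Rule("REJECT", proto="tcp", dports=(137, 139), iface="eth0"),   # netbios
        Rule("REJECT", proto="udp", dports=(137, 139), iface="eth0"),
        Rule("LOG"),                                                    # "verboten <= "
        Rule("abweisen"),                                               # catch-all
    ],
    "abweisen": [
        Rule("REJECT", proto="tcp", reject_with="tcp-reset"),
        Rule("REJECT", proto="udp", reject_with="icmp-port-unreachable"),
        Rule("REJECT"),
    ],
}


def input_verdict(p: Packet, chains=SCRIPT_CHAINS, policy="ACCEPT") -> str:
    """Verdict for an incoming packet. `policy` is the chain policy, which the
    script never sets (the kernel default is ACCEPT); the catch-all jump to
    "abweisen" at the end of INPUT is what really decides unmatched traffic."""
    v = walk(chains, "INPUT", p)
    return policy if v == "RETURN" else v


if __name__ == "__main__":
    for p in (Packet("udp", 53), Packet("udp", 138), Packet("tcp", 113),
              Packet("tcp", 22), Packet("udp", 53, state="ESTABLISHED")):
        print(p.proto, p.dport, p.state, "->", input_verdict(p))
```

Every UDP probe that is not a reply to our own traffic reaches a REJECT with icmp-port-unreachable, either directly (netbios) or via `abweisen`, so the script itself does not silently drop anything on 53, 67, 111 or 445.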

----------

## krt

Those ports are set to return a message; you can change the target to "DROP" instead of "REJECT" if you wish to see nothing turn up in a port scan, i.e.:

from this:

```
#netbios
$IPTABLES -A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT
$IPTABLES -A INPUT -p udp -i eth0 --dport 137:139 -j REJECT
```

to this:

```
#netbios
$IPTABLES -A INPUT -p tcp -i eth0 --dport 137:139 -j DROP
$IPTABLES -A INPUT -p udp -i eth0 --dport 137:139 -j DROP
```

----------

## zbled

I've changed 137:139 to DROP and added these lines:

 *Quote:*   

> 
> 
> $IPTABLES -A INPUT -p udp -i eth0 --dport 53 -j DROP
> 
> $IPTABLES -A INPUT -p udp -i eth0 --dport 67 -j DROP
> ...

but the ports still seem to be open... it seems that the iptables script doesn't even guard these ports :( Still any ideas?

thanks in advance

----------

## leemc

Hi!

 *zbled wrote:*   

> but the ports still seem to be open... it seems that the iptables script doesn't even guard these ports  still any ideas?

 

How do you scan your ports? You won't get useful results when you scan from within your network. Let your ports be scanned from the outside by one of the various web scanners, such as https://grc.com/x/ne.dll?bh0bkyd2 or http://check.lfd.niedersachsen.de/start.php (German).

Best regards,

leemc

----------

## darktux

 *krt wrote:*   

> those ports are set to return a message, you can change the target to "DROP" instead of "REJECT" if you wish to see nothing turn up in a port scan.. i.e.:
> 
> from this:
> 
> #netbios
> ...

 

A SYN scan will detect the ports either way....

----------

## zbled

 *leemc wrote:*   

> Hi!
> 
>  *zbled wrote:*   but the ports still seem to be open... it seems that the iptables script doesn't even guard these ports :( still any ideas? 
> 
> How do you scan your ports? You won't get useful results when you scan from within your network. Let your ports be scanned from the outside by one of the various web scanners, such as https://grc.com/x/ne.dll?bh0bkyd2 or http://check.lfd.niedersachsen.de/start.php (German).
> ...

 

I've tried grc, scan.sygate.com (UDP) and I've also asked a buddy to use nmap on my IP. grc does no UDP scan. These ports seem to be stealth for a TCP scan, but as stated, the problem is UDP :(...

----------

## zbled

I've been scanned again with nmap. Here are the results. Does really no one know why these ports seem to be open, even though there's no service listening on them, or how to close them anyway?

 *Quote:*   

> Interesting ports on chello*********.vie.surfer.at:
> 
> (The 1441 ports scanned but not shown below are in state: closed)
> 
> Port State Service
> ...

 

 *Quote:*   

> 
> 
> Port State Service
> 
> 53/tcp filtered domain 
> ...

 

Results from iptables -L -n: click

I'm using the wolk kernel (v2.4.20-wolk4.0s-pre9 ). Could it be responsible for this problem?

----------

## water

What happens if you delete/comment all rules after:

```
# deny everything for now
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j DROP
$IPTABLES -A FORWARD -j DROP
```

?

If it works the way it should, all ports would be blocked. If that is OK, you could add the rules to open ports one by one and see what happens.

----------

## zbled

I've already done that.. I've commented every INPUT rule apart from this one:

```
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```

The ports were shown as being open anyway.

----------

## leemc

Hi!

 *zbled wrote:*   

> 
> 
> Results from iptables -L -n: click
> 
> Chain INPUT (policy ACCEPT)
> ...

 

IMHO only the second and the third rules are actually working. The second one processes all invalid-state packets and sends back an error packet, which indicates to the scanner that there is a service running (maybe not at the moment of scanning) at the port specified. I guess that's why your scanner reports them as filtered/open. The third one accepts all related and established packets. Both rules process all incoming packets. So IMHO your LOG rule won't ever be reached in the chain table. Basically you should place LOG rules before every rule you want to be logged, with the same parameters (man iptables). A possible solution could be placing the second and third rule at the end of the INPUT table.

Best regards,

leemc

----------

## zbled

thanks for your help, but all rules should be working, including the log, because it logs a lot ;-).. the only weird thing is still this damn UDP crap

i really think there's something wrong with the "abweisen" chain

----------

## ragger

nmap and probably other UDP port scanners will report a UDP port as open if it gets no response at all from that port, since normally closed UDP ports respond with a port-unreachable ICMP message. If your firewall silently drops UDP packets (not sending ICMP error messages), the UDP scanner will think it's an open port and report it as that, even if it's not really open.

Even if it's not your firewall that is dropping the packets, it can be your ISP filtering some traffic on specific ports to your IP (like mine does). But the effect will be the same.

For example, try a UDP scan on your IP with iptables set to accept all traffic. If you still get open UDP port reports while they're not really open on your PC, then it's probably your ISP filtering those ports and there's no reason for concern.
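The inference ragger describes is worth seeing in code. Below is an added example (not part of ragger's post) that mirrors how nmap derives a UDP port state from what comes back: a UDP reply means open, an ICMP port-unreachable means closed, other ICMP unreachable codes mean filtered, and silence is reported as open|filtered (older nmap versions, as in this thread, simply said "open"). The second function simulates what each firewall decision yields for a probe; the decision names such as "drop", "upstream-filter" and "reject-port-unreachable" are labels I chose, and all responses are constructed.

```python
# Added example (not part of ragger's post): how a UDP scanner such as nmap
# infers port state from the response to a probe, and what each firewall
# decision therefore looks like to it. All responses below are constructed;
# the decision names passed to simulate_response() are my own labels.
ICMP_DEST_UNREACH = 3          # ICMP type "destination unreachable"
ICMP_PORT_UNREACH = 3          # code "port unreachable"
# other unreachable codes nmap treats as evidence of filtering:
# net (1), host (2), net-prohibited (9), host-prohibited (10), admin-prohibited (13)
FILTERED_CODES = {1, 2, 9, 10, 13}


def classify_udp_probe(response):
    """response is None (nothing came back), ("udp", payload) or
    ("icmp", type, code). Mirrors nmap's UDP port-state logic."""
    if response is None:
        return "open|filtered"      # silence is ambiguous: open service or dropped
    if response[0] == "udp":
        return "open"               # a service answered
    _, icmp_type, code = response
    if icmp_type == ICMP_DEST_UNREACH and code == ICMP_PORT_UNREACH:
        return "closed"             # the host itself says nothing listens here
    if icmp_type == ICMP_DEST_UNREACH and code in FILTERED_CODES:
        return "filtered"
    return "open|filtered"          # any other ICMP does not settle it


def simulate_response(firewall, listening=False, service_replies=False):
    """What one UDP probe yields under a given firewall decision.
    'accept' passes the packet to the socket layer; 'drop' and
    'upstream-filter' (e.g. an ISP) silently discard it; the 'reject-*'
    variants model iptables REJECT with the named --reject-with type."""
    if firewall in ("drop", "upstream-filter"):
        return None
    if firewall == "reject-port-unreachable":   # iptables' default for REJECT
        return ("icmp", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH)
    if firewall == "reject-admin-prohibited":
        return ("icmp", ICMP_DEST_UNREACH, 13)
    if firewall == "accept":
        if not listening:
            # no socket bound: the kernel answers with port unreachable
            return ("icmp", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH)
        # a bound service may or may not answer an unsolicited datagram
        return ("udp", b"reply") if service_replies else None
    raise ValueError(f"unknown firewall decision: {firewall}")


def scanner_view(firewall, listening=False, service_replies=False):
    """Port state a UDP scanner would report for this combination."""
    return classify_udp_probe(simulate_response(firewall, listening, service_replies))


if __name__ == "__main__":
    for fw in ("accept", "reject-port-unreachable", "reject-admin-prohibited",
               "drop", "upstream-filter"):
        print(f"{fw:26s} no listener        -> {scanner_view(fw)}")
    print(f"{'accept':26s} listener, silent   -> {scanner_view('accept', True, False)}")
    print(f"{'accept':26s} listener, replies  -> {scanner_view('accept', True, True)}")
```

The point for the thread: a DROP rule and an upstream filter produce the same silence, and silence is what a UDP scanner reports as open; only a port-unreachable (from the kernel or from REJECT) makes a port show as closed. Comparing a scan with the firewall accepting everything against one with the rules loaded, as ragger suggests, separates the two cases.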

----------

## zbled

 *ragger wrote:*   

> nmap and probably other udp port scanners will report a udp port open if it gets no response at all from that port,
> 
> since normal closed udp ports respond with a port-unreachable icmp message.
> 
> If your firewall silently drops udp packets (not sending icmp error messages)
> ...

 

Thank you so much, you were absolutely right.. These ports are being blocked by my provider.

----------

