iptables: filtered UDP ports are reported as open by nmap

From: Akop Pogosian <akopps+usenet@ocf.berkeley.edu>
Date: Fri, 21 Dec 2001 11:56:32 +0000 (UTC)


My understanding is that a UDP port is considered closed when the
target machine returns an ICMP port unreachable error when you send
data to it. The IP Filter (IPF) packet filter often used on Solaris
and *BSDs has an option for blocking a UDP port while at the same time
sending an ICMP port unreachable message. When running the command
"nmap -sU -p <port> <target host>", where the target host is a Sun
machine running IPF with this option, nmap reports the port as being
closed (as opposed to open or filtered).

On the other hand, I believe the Linux iptables "REJECT" target
should also send a port unreachable error by default. So, I added a
rule similar to this:

iptables -A local -p udp --dport <port num> -j REJECT

However, when I run the same nmap scan as above, nmap reports this
port number as "open". I know that for practical purposes this port is
closed to that host, but I would also like to fool nmap (and any other
scanners) into thinking that the port is really closed (just like in
the case of IPF). Is there a way of doing this with iptables?

Note that running snoop (the Solaris packet sniffer) on the host that
runs nmap shows that the scanning host, after having received the ICMP
port unreachable error from the Linux machine, sends a packet to that
UDP port once again (and the Linux box sends the same ICMP error
message again), while when scanning a Solaris machine running IPF from
the same host, the scanning host sends the packet only once, the Sun
machine sends a corresponding port unreachable message, and the probe
ends at that point... strange.

-- 
Akop Pogosian

This space has been accidentally left blank.
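The post turns on how a UDP scanner decides between "closed", "open" and "filtered" from what (if anything) comes back for each probe. The model below is an added illustration written for this page; it is not code from the post, from nmap or from iptables. It encodes nmap's documented UDP classification rules (a UDP reply means open, ICMP type 3 code 3 means closed, the other ICMP unreachable codes mean filtered, and silence after all retransmissions means open|filtered, which nmap releases of 2001 reported as plain "open"), with a `legacy` switch for the older reporting. The `Reply` records and the traces in `main()` are constructed sample data, not captures from the poster's hosts. One defender-side point it makes visible: if the ICMP error is produced by the target but never reaches the scanner (Linux rate-limits ICMP errors through `net.ipv4.icmp_ratelimit`, and an intermediate filter may drop them), the scanner's retransmissions see nothing and the port is reported as open|filtered rather than closed.

```python
"""Model of how a UDP port scanner (nmap -sU style) classifies one port.

Added illustration for this page, not nmap's or iptables' own code.
Classification follows nmap's documented UDP scan rules.
"""
from dataclasses import dataclass
from typing import List, Optional

# ICMP destination-unreachable codes nmap reports as "filtered"
# (net/host/protocol unreachable, network/host admin prohibited,
# communication administratively prohibited).
ICMP_FILTERED_CODES = {0, 1, 2, 9, 10, 13}
ICMP_PORT_UNREACHABLE = 3


@dataclass(frozen=True)
class Reply:
    """What the scanner observed for one probe (constructed record)."""
    proto: str            # "udp" (payload came back) or "icmp"
    icmp_type: int = 0    # only meaningful when proto == "icmp"
    icmp_code: int = 0


def classify(reply: Reply) -> str:
    """Map a single observed reply to a port state."""
    if reply.proto == "udp":
        return "open"
    if reply.proto == "icmp" and reply.icmp_type == 3:
        if reply.icmp_code == ICMP_PORT_UNREACHABLE:
            return "closed"
        if reply.icmp_code in ICMP_FILTERED_CODES:
            return "filtered"
    # Anything else does not let the scanner decide; treat as no answer.
    return "open|filtered"


def scan_port(replies_per_probe: List[Optional[Reply]],
              retries: int = 2, legacy: bool = False) -> str:
    """Probe until a reply arrives, retransmitting at most `retries` times.

    `replies_per_probe[i]` is what came back for the i-th probe sent
    (None = silence).  Probes beyond the retry budget are never sent,
    so their entries are ignored.  With `legacy=True` the result for
    total silence is reported as "open", as 2001-era nmap did.
    """
    for reply in replies_per_probe[: retries + 1]:
        if reply is not None:
            return classify(reply)
    return "open" if legacy else "open|filtered"


def main() -> None:
    # Constructed traces, not real captures.
    traces = {
        # IPF host: first probe answered with port unreachable.
        "ipf_port_unreachable": [Reply("icmp", 3, 3)],
        # Host whose ICMP error never reaches the scanner (dropped or
        # rate-limited on the way back): the scanner only sees silence.
        "icmp_never_arrives": [None, None, None],
        # Silent first probe, then a UDP payload answer on the retry.
        "udp_answer_on_retry": [None, Reply("udp")],
        # Administratively prohibited by an intermediate filter.
        "admin_prohibited": [Reply("icmp", 3, 13)],
    }
    for name, trace in traces.items():
        print(f"{name:24s} modern={scan_port(trace):14s} "
              f"legacy={scan_port(trace, legacy=True)}")


if __name__ == "__main__":
    main()
```

The `legacy` column is the one that matches the post: a 2001 nmap that heard nothing back printed "open", whereas a current nmap prints "open|filtered", so the first thing to check when a REJECTed UDP port is reported open is whether the ICMP error actually arrives at the scanning host for every retransmitted probe.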
