Gentoo Forums
Weird nmap results on standard IPTABLES chain
jonnevers
Veteran
Joined: 02 Jan 2003
Posts: 1594
Location: Gentoo64 land

PostPosted: Fri Sep 12, 2003 7:30 pm    Post subject: Weird nmap results on standard IPTABLES chain

Hello,

I've been creating some iptables rules and I wanted to test them, so I accessed an external host and nmap'd my host... the results are a little confusing...


(The 1626 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp filtered imap2
443/tcp open https
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
3306/tcp filtered mysql
4444/tcp filtered krb524
6346/tcp filtered gnutella
6699/tcp filtered napster
8888/tcp filtered sun-answerbook

Nmap run completed -- 1 IP address (1 host up) scanned in 16.868 seconds


The confusing part is:
593/tcp filtered http-rpc-epmap

4444/tcp filtered krb524
6346/tcp filtered gnutella
6699/tcp filtered napster
8888/tcp filtered sun-answerbook

I'm not running those services, never have, and none of my internal hosts have. Nor have I ever explicitly blocked those ports using iptables.

Are they standard blocks? Or what?

thanks,
Jon
sschlueter
Guru
Joined: 26 Jul 2002
Posts: 578
Location: Dortmund, Germany

PostPosted: Sun Sep 14, 2003 5:01 am    Post subject:

These ports might be filtered by your ISP (or any router along the way). Port 593 probably is blocked to protect systems against the Blaster worm and port 4444 is probably blocked to prevent the Blaster worm from spreading.
starbecks
n00b
Joined: 30 Mar 2003
Posts: 45

PostPosted: Sun Nov 16, 2003 5:26 pm    Post subject:

I'm glad I found this answer. I was kinda freaked out when I nmap'd into my home PC and got this back:
Code:
->nmap -P0 xxx.xxx.xxx.xxx

Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-11-16 12:12 EST
Interesting ports on xxx.xxx.xxx.xxx:
(The 1644 ports scanned but not shown below are in state: closed)
PORT    STATE    SERVICE
<snip>
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
<snip>

Nmap run completed -- 1 IP address (1 host up) scanned in 11.141 seconds

I do not run any MS software on that network, nor have I explicitly filtered those ports listed.

sschlueter says my ISP (or any router along the way) is filtering those ports.

That seems like a reasonable response... can anyone confirm/concur?
fleed
l33t
Joined: 28 Aug 2002
Posts: 756
Location: London

PostPosted: Sun Nov 16, 2003 5:46 pm    Post subject:

You could also do netstat -l and look for those ports... Or nmap from a computer on your external network that doesn't go through your ISP.
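The two checks suggested in this thread (compare what nmap reports from outside with what `netstat -l` shows listening locally, and treat "filtered" ports that the host itself neither runs nor drops as upstream filtering) can be scripted. The following is an added example written for this page, not code from any poster; the nmap text and the `netstat -lnt` text it parses are constructed samples in the format the thread quotes, the `LOCAL_DROP` set stands in for the ports your own iptables rules drop, and `COMMON_UPSTREAM_FILTERED` is only the MS-RPC/Blaster-era set named in the thread, not a complete list of what any ISP blocks.

```python
"""Cross-check nmap "filtered" results against a host's own listeners.

Parses the port table of classic nmap text output, parses LISTEN lines from
netstat -lnt (or ss -ltn) output, and labels every scanned port so that
"filtered but not by this host" stands out. All sample data is constructed.
"""
import re

# Ports this thread attributes to ISP/upstream filtering after the Blaster
# worm (MS-RPC, NetBIOS, SMB, RPC-over-HTTP, the Blaster backdoor port).
# Assumption: used only to word the hint, not a definitive ISP block list.
COMMON_UPSTREAM_FILTERED = {135, 136, 137, 138, 139, 445, 593, 4444}

NMAP_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)")


def parse_nmap(text):
    """Return {port: (state, service)} for the TCP rows of an nmap port table."""
    ports = {}
    for line in text.splitlines():
        m = NMAP_ROW.match(line.strip())
        if m and m.group(2) == "tcp":
            ports[int(m.group(1))] = (m.group(3), m.group(4))
    return ports


def parse_listeners(text):
    """Return the set of local TCP ports in LISTEN state.

    Works on netstat -lnt and ss -ltn output: on each LISTEN line the first
    token shaped like addr:port is the local address (the foreign/peer
    address ends in ":*" and never matches a numeric port).
    """
    listening = set()
    for line in text.splitlines():
        if "LISTEN" not in line:
            continue
        for token in line.split():
            m = re.match(r"^\S*:(\d+)$", token)
            if m:
                listening.add(int(m.group(1)))
                break
    return listening


def classify(scan, listening, local_drop=frozenset()):
    """Label each scanned port; local_drop = ports this host's firewall drops."""
    labels = {}
    for port, (state, _service) in sorted(scan.items()):
        if state == "open":
            labels[port] = ("open: local listener" if port in listening
                            else "open: no local listener, something in front of this host answered")
        elif state == "filtered":
            if port in local_drop:
                labels[port] = "filtered: by this host's iptables"
            elif port in COMMON_UPSTREAM_FILTERED:
                labels[port] = "filtered: not by this host, commonly blocked upstream (MS-RPC/Blaster era)"
            else:
                labels[port] = "filtered: not by this host, something upstream is dropping it"
        else:
            labels[port] = state
    return labels


def upstream_suspects(labels):
    """Ports whose filtering cannot be explained by this host."""
    return sorted(p for p, l in labels.items() if l.startswith("filtered: not by this host"))


# Constructed sample: an external scan in the format quoted in this thread.
SAMPLE_NMAP = """\
(The 1626 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
80/tcp open http
143/tcp filtered imap2
443/tcp open https
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
3306/tcp filtered mysql
4444/tcp filtered krb524
6346/tcp filtered gnutella
"""

# Constructed sample: netstat -lnt on the scanned host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
"""

# Constructed: ports this host's own iptables rules DROP (read from
# `iptables -S` on a real host).
LOCAL_DROP = frozenset({143, 3306})

if __name__ == "__main__":
    result = classify(parse_nmap(SAMPLE_NMAP), parse_listeners(SAMPLE_NETSTAT), LOCAL_DROP)
    for port, label in result.items():
        print(f"{port:>5}/tcp  {label}")
    print("ports filtered somewhere upstream:", upstream_suspects(result))
```

Running it on the samples reports 445, 593, 4444 and 6346 as filtered upstream, while 143 and 3306 are accounted for by the host's own rules; 3306 listens only on 127.0.0.1 and is dropped by iptables, which is why it shows as filtered rather than open from outside. Feed it real `nmap` and `netstat -lnt` output and the residual "not by this host" set is the list to confirm with the ISP or the router in between.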
starbecks
n00b
Joined: 30 Mar 2003
Posts: 45

PostPosted: Sun Nov 16, 2003 6:16 pm    Post subject:

Points for quickness (and helpfulness) fleed...

netstat was a good call, thanks. Before I posted, one of the first things I checked was to find out what services were running.

As for nmapping from the inside, I took out my laptop, hooked it into the network, and nmap'd the other local addresses. I got good (expected) results.

The only way to get outside my intranet yet remain inside the extranet is to plug directly into the cable modem. That may help but... I'd have to telnet into my router to see what MAC address my ISP thinks it is talking to... find that NIC.. reconfigure that machine.. I tend to believe sschlueter (read: I'm too lazy)

The only weirdness is when coming from the outside.. so I can deduce the ISP is 'helping us out' by filtering trouble ports. Weirdness makes me paranoid until I understand it... and it stops being weird... and my paranoia turns to apathy.
fleed
l33t
Joined: 28 Aug 2002
Posts: 756
Location: London

PostPosted: Sun Nov 16, 2003 6:33 pm    Post subject:

It sounds like a bit too much for me too. I'd just trust that's what's happening too.

What you could also try is nmapping a different ip on your ISP to see what you get. Make sure you do it from the same pc as before so you get similar results.