re off-topic ports 1720 and 6000-6009 shown even though they should be filtered

phanback at yahoo.com phanback at yahoo.com
Wed Mar 18 14:56:56 UTC 2009


>Phill wrote:
>> I know this isn't RHEL support, but I thought I'd ask this question anyways, see if you gurus know what might be going on. I have a rhel 5 web/ftp server. I'm using iptables to filter all ports except 21 and 80. Yet if I do an nmap of the server, this is the output I get.
>> -------------------------------
>> PORT     STATE  SERVICE
>> 21/tcp   open   ftp
>> 80/tcp   open   http
>> 1720/tcp open   H.323/Q.931
>> 6000/tcp closed X11
>> 6001/tcp closed X11:1
>> 6002/tcp closed X11:2
>> 6003/tcp closed X11:3
>> 6004/tcp closed X11:4
>> 6005/tcp closed X11:5
>> 6006/tcp closed X11:6
>> 6007/tcp closed X11:7
>> 6008/tcp closed X11:8
>> 6009/tcp closed X11:9
>> 6017/tcp closed xmail-ctrl
>> 6050/tcp closed arcserve
>> ---------------------------------
>>
>> Note the listening port 1720, netstat shows no service listening
>> Should be irrelevant since the only traffic I'm accepting is port 21 and port 80, and related established. Shouldn't this output just show me port 21 and port 80 open and nothing else?
>>
>How is your firewall configured?  It appears, from the output, that the
>firewall (I don't know if you're scanning from inside your network or
>outside, so it could be iptables on the server or an external firewall)
>is configured to allow those ports, although the server appears to not
>be answering on those ports.
>
>Making sure that those ports are closed on the firewall, as well, nmap
>won't actually be able to scan them.

From /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp ip_nat_ftp"

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  372  394K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    2   108 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
 3528  192K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
  176K   19M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
 4228 1387K DROP       all  --  *      *       0.0.0.0/0            255.255.255.255     
10218 1177K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68 
 3536  209K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `Dropped INPUT ' 
 3536  209K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `Dropped FORWARD ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  372  394K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
 106K  291M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `Dropped OUTPUT ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0  

This machine is on a separate network. I'm connected to this network via ipsec tunnel. I wondered if nmapping through that router might affect the output. You are correct. The network firewall blocks all ports except 21 and 80 from the outside world. So no one outside the network can scan these ports. However, I shouldn't be able to scan them either according to my knowledge of netfilter and iptables rules. I still don't understand what service would be listening on port 1720.
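The scan states carry more information than the replies above use: nmap reports a TCP port as "open" only when a SYN/ACK came back, as "closed" only when a RST came back, and as "filtered" when nothing came back at all. A SYN that the INPUT chain above drops produces no reply, so every port without an ACCEPT rule should scan as "filtered", and an "open" 1720 or a "closed" 6000 means something other than this chain answered. The following script is an added example, not code from the thread or from Fedora; the nmap table and INPUT listing embedded in it are reconstructed from the posts, and the parser only understands the single-port `tcp dpt:N` ACCEPT rules this ruleset uses.

```python
"""Reconcile an nmap port table with an iptables INPUT chain listing.

nmap state semantics: open = SYN/ACK received, closed = RST received,
filtered = no reply (or ICMP unreachable).  A host whose INPUT chain drops a
SYN sends nothing back, so any port without an ACCEPT rule should scan as
"filtered".  Ports that scan "open" or "closed" there were answered by
something this chain did not produce.
"""
import re

# Constructed sample: the nmap table posted in the thread (abridged).
NMAP_OUTPUT = """\
PORT     STATE  SERVICE
21/tcp   open   ftp
80/tcp   open   http
1720/tcp open   H.323/Q.931
6000/tcp closed X11
6001/tcp closed X11:1
6017/tcp closed xmail-ctrl
6050/tcp closed arcserve
"""

# Constructed sample: the INPUT chain posted in the thread (iptables -L INPUT -v -n).
IPTABLES_INPUT = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  372  394K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    2   108 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
 3528  192K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
 176K   19M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 4228 1387K DROP       all  --  *      *       0.0.0.0/0            255.255.255.255
10218 1177K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
 3536  209K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `Dropped INPUT '
 3536  209K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

NMAP_LINE = re.compile(r"^(\d+)/tcp\s+(open|closed|filtered)\b")
CHAIN_HEADER = re.compile(r"^Chain INPUT \(policy (\w+)")
TARGETS = ("ACCEPT", "DROP", "REJECT", "LOG")


def parse_nmap(text):
    """Return {port: state} for the TCP rows of an nmap normal-output table."""
    ports = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line.strip())
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports


def parse_input_chain(text):
    """Summarise an `iptables -L INPUT -v -n` listing.

    Only single-port `tcp dpt:N` ACCEPT rules are recognised (the form used in
    the thread); multiport or dpts: ranges would need extending.
    """
    info = {"policy": None, "accepted_tcp": set(), "has_reject": False, "final_drop": False}
    for line in text.splitlines():
        m = CHAIN_HEADER.match(line)
        if m:
            info["policy"] = m.group(1)
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2] not in TARGETS:
            continue  # column header or blank line
        target, proto = fields[2], fields[3]
        dpt = re.search(r"tcp dpt:(\d+)", line)
        if target == "ACCEPT" and proto in ("tcp", "all") and dpt:
            info["accepted_tcp"].add(int(dpt.group(1)))
        elif target == "REJECT":
            info["has_reject"] = True  # REJECT answers with RST/ICMP, so "closed" would be expected
        # True only if the *last* rule is an unconditional DROP of everything.
        info["final_drop"] = (target == "DROP" and len(fields) == 9 and
                              fields[3:9] == ["all", "--", "*", "*", "0.0.0.0/0", "0.0.0.0/0"])
    return info


def reconcile(scan, chain):
    """Return [(port, observed, expected)] for ports the chain alone cannot explain."""
    silent = (chain["policy"] == "DROP" or chain["final_drop"]) and not chain["has_reject"]
    findings = []
    for port, state in sorted(scan.items()):
        if port in chain["accepted_tcp"]:
            continue  # SYN reaches the stack: open (listener) or closed (no listener) are both fine
        if silent and state != "filtered":
            findings.append((port, state, "filtered"))
    return findings


if __name__ == "__main__":
    chain = parse_input_chain(IPTABLES_INPUT)
    for port, seen, expected in reconcile(parse_nmap(NMAP_OUTPUT), chain):
        print(f"{port}/tcp scanned {seen}, INPUT chain alone would give {expected}: "
              "reply came from a device in the path, another table/chain, or a ruleset "
              "that differs from this listing")
```

Against the thread's data it flags 1720 (open) and every 6000-series port (closed). A practical follow-up on the server is to rerun the scan and grep the kernel log for the `Dropped INPUT` prefix with `DPT=6000` and friends: if the host logged the drop, the RST nmap saw was generated somewhere between scanner and server (the IPsec gateway or the network firewall in this setup), not by the server; and `ss -ltn` or `netstat -ltn` on the host settles whether anything listens on 1720 locally.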