I configured iptables to reject packets that don't match any other rule. Now when doing the Shields Up test for a certain port range, some ports are shown as "closed" and others as "stealth". What could cause this? Shouldn't reject always result in "closed"?

Rejection is done with icmp-port-unreachable so could there be a rate limit for them? It looks like the first ports in the specified range are shown as closed, then follow many "stealth" ports and then either a row of closed ports or a few scattered closed ports among stealths.

I am no networking pro, i believe clised ports are packets which are just dropped.

If you reject a package it sends back a message stating port is closed thus it tells thesender the port is there but not to be used. That is why it shows stealth not closed.

Some ports may be blocked by your ISP.

The other way round.

"closed" are the ones that get a response.
"stealth" are the ones where the packet is dropped and no response is sent.

Thx for clarifying that one!

To troubleshoot this, you could add a logging rule. I.e. a rule that jumps to the LOG target. Perhaps at the beginning of the chain, but also just before the REJECT rule. This way you see what comes into the chain, and what is processed by the REJECT rule.

1 members found this post helpful.

These ports are not blocked by the ISP. I added a logging rule and it shows that all target ports received packets.

Then I added another rule to log outgoing ICMP packets, and it clearly shows that rejection packets were only sent to those ports that appear as closed. So there is apparently a rate limit for those packets. Interestingly, one of the ports that was sent a rejection packet was shown as stealth.


edit: Apparently the rate is limited by the kernel:
http://man7.org/linux/man-pages/man7/icmp.7.html

So I think this is solved.

Thanks for that link and the legwork. I got some reading to do.