[SOLVED] Port scan shows some ports as closed, others as stealth when using reject in iptables
I configured iptables to reject packets that don't match any other rule. Now when doing the Shields Up test for a certain port range, some ports are shown as "closed" and others as "stealth". What could cause this? Shouldn't reject always result in "closed"?
Rejection is done with icmp-port-unreachable so could there be a rate limit for them? It looks like the first ports in the specified range are shown as closed, then follow many "stealth" ports and then either a row of closed ports or a few scattered closed ports among stealths.
I am no networking pro, I believe closed ports are packets which are just dropped.
If you reject a package it sends back a message stating port is closed, thus it tells the sender the port is there but not to be used. That is why it shows stealth not closed.
The other way round.
"closed" are the ones that get a response.
"stealth" are the ones where the packet is dropped and no response is sent.
To troubleshoot this, you could add a logging rule, i.e. a rule that jumps to the LOG target. Perhaps at the beginning of the chain, but also just before the REJECT rule. This way you see what comes into the chain, and what is processed by the REJECT rule.
These ports are not blocked by the ISP. I added a logging rule and it shows that all target ports received packets.
Then I added another rule to log outgoing ICMP packets, and it clearly shows that rejection packets were only sent to those ports that appear as closed. So there is apparently a rate limit for those packets. Interestingly, one of the ports that was sent a rejection packet was shown as stealth.
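The log comparison described in the last post, as an added example that is not from the thread: it parses kernel LOG output and reports, for every probed port, whether an ICMP port-unreachable actually went out, which is what decides "closed" versus "stealth" in the scanner's view. The `--log-prefix` values, the interface name and all addresses and ports in the sample are assumptions constructed for the example.

```python
import re

# Added example (not from the thread). Assumed iptables logging rules:
#   iptables -I INPUT 1 -p tcp --syn -j LOG --log-prefix "IN-SCAN: "
#   iptables -I OUTPUT 1 -p icmp --icmp-type port-unreachable -j LOG --log-prefix "OUT-ICMP: "
# Linux rate-limits outgoing ICMP errors (net.ipv4.icmp_ratelimit, net.ipv4.icmp_ratemask),
# so a REJECT rule can match a packet without a port-unreachable ever leaving the host.
IN_PREFIX = "IN-SCAN: "
OUT_PREFIX = "OUT-ICMP: "
DPT_RE = re.compile(r"\bDPT=(\d+)")

# Constructed kernel LOG output; interface, addresses and ports are made up.
SAMPLE_LOG = """\
kernel: IN-SCAN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP SPT=40001 DPT=21 SYN
kernel: OUT-ICMP: IN= OUT=eth0 SRC=192.0.2.5 DST=203.0.113.9 PROTO=ICMP TYPE=3 CODE=3 [SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP SPT=40001 DPT=21 ]
kernel: IN-SCAN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP SPT=40002 DPT=22 SYN
kernel: OUT-ICMP: IN= OUT=eth0 SRC=192.0.2.5 DST=203.0.113.9 PROTO=ICMP TYPE=3 CODE=3 [SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP SPT=40002 DPT=22 ]
kernel: IN-SCAN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP SPT=40003 DPT=23 SYN
kernel: IN-SCAN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP SPT=40004 DPT=24 SYN
kernel: IN-SCAN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP SPT=40005 DPT=25 SYN
kernel: IN-SCAN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP SPT=40006 DPT=26 SYN
kernel: OUT-ICMP: IN= OUT=eth0 SRC=192.0.2.5 DST=203.0.113.9 PROTO=ICMP TYPE=3 CODE=3 [SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP SPT=40006 DPT=26 ]
"""

def parse_log(text):
    """Return (probed, rejected): TCP ports that received a SYN, and ports for
    which an ICMP type 3 code 3 (port unreachable) was actually emitted."""
    probed, rejected = set(), set()
    for line in text.splitlines():
        m = DPT_RE.search(line)
        if not m:
            continue
        port = int(m.group(1))
        if IN_PREFIX in line and "PROTO=TCP" in line:
            probed.add(port)
        elif OUT_PREFIX in line and "TYPE=3 CODE=3" in line:
            # For ICMP errors the LOG target prints the quoted original TCP
            # header in square brackets; its DPT is the port that was rejected.
            rejected.add(port)
    return probed, rejected

def classify(text):
    """Map each probed port to the verdict a remote scanner will report:
    'closed' if a port-unreachable went out, 'stealth' if nothing did."""
    probed, rejected = parse_log(text)
    return {p: ("closed" if p in rejected else "stealth") for p in sorted(probed)}

if __name__ == "__main__":
    for port, verdict in classify(SAMPLE_LOG).items():
        print(f"port {port}: {verdict}")
```

A port the log shows as rejected can still come back "stealth" when the ICMP message is lost or delayed between this host and the scanner, so the log only explains the local side of the result.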