LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 11-27-2015, 05:20 PM   #1
Ormu
Member
 
Registered: Jun 2011
Posts: 92

Rep: Reputation: 15
Port scan shows some ports as closed, others as stealth when using reject in iptables


I configured iptables to reject packets that don't match any other rule. Now when doing the Shields Up test for a certain port range, some ports are shown as "closed" and others as "stealth". What could cause this? Shouldn't reject always result in "closed"?

Rejection is done with icmp-port-unreachable so could there be a rate limit for them? It looks like the first ports in the specified range are shown as closed, then follow many "stealth" ports and then either a row of closed ports or a few scattered closed ports among stealths.
 
Old 11-27-2015, 07:59 PM   #2
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: CentOS 7.1
Posts: 735

Rep: Reputation: 154Reputation: 154
I am no networking pro, i believe clised ports are packets which are just dropped.

If you reject a package it sends back a message stating port is closed thus it tells thesender the port is there but not to be used. That is why it shows stealth not closed.
 
Old 11-27-2015, 08:01 PM   #3
Emerson
LQ Sage
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~amd64
Posts: 7,661

Rep: Reputation: Disabled
Some ports may be blocked by your ISP.
 
Old 11-27-2015, 08:14 PM   #4
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,873

Rep: Reputation: 643Reputation: 643Reputation: 643Reputation: 643Reputation: 643Reputation: 643
Quote:
Originally Posted by ericson007 View Post
I am no networking pro, i believe clised ports are packets which are just dropped.

If you reject a package it sends back a message stating port is closed thus it tells thesender the port is there but not to be used. That is why it shows stealth not closed.
The other way round.

"closed" are the ones that get a response.
"stealth" are the ones where the packet is dropped and no response is sent.
 
Old 11-27-2015, 10:05 PM   #5
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: CentOS 7.1
Posts: 735

Rep: Reputation: 154Reputation: 154
Thx for clarifying that one!
 
Old 11-27-2015, 10:13 PM   #6
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002
Quote:
Originally Posted by Ormu View Post
I configured iptables to reject packets that don't match any other rule. Now when doing the Shields Up test for a certain port range, some ports are shown as "closed" and others as "stealth". What could cause this? Shouldn't reject always result in "closed"?

Rejection is done with icmp-port-unreachable so could there be a rate limit for them? It looks like the first ports in the specified range are shown as closed, then follow many "stealth" ports and then either a row of closed ports or a few scattered closed ports among stealths.
To troubleshoot this, you could add a logging rule. I.e. a rule that jumps to the LOG target. Perhaps at the beginning of the chain, but also just before the REJECT rule. This way you see what comes into the chain, and what is processed by the REJECT rule.
 
1 members found this post helpful.
Old 11-28-2015, 11:59 AM   #7
Ormu
Member
 
Registered: Jun 2011
Posts: 92

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Emerson View Post
Some ports may be blocked by your ISP.
Quote:
Originally Posted by berndbausch View Post
To troubleshoot this, you could add a logging rule. I.e. a rule that jumps to the LOG target. Perhaps at the beginning of the chain, but also just before the REJECT rule. This way you see what comes into the chain, and what is processed by the REJECT rule.
These ports are not blocked by the ISP. I added a logging rule and it shows that all target ports received packets.

Then I added another rule to log outgoing ICMP packets, and it clearly shows that rejection packets were only sent to those ports that appear as closed. So there is apparently a rate limit for those packets. Interestingly, one of the ports that was sent a rejection packet was shown as stealth.


edit: Apparently the rate is limited by the kernel:
http://man7.org/linux/man-pages/man7/icmp.7.html

So I think this is solved.

Last edited by Ormu; 11-28-2015 at 12:05 PM.
 
Old 11-28-2015, 01:05 PM   #8
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: CentOS 7.1
Posts: 735

Rep: Reputation: 154Reputation: 154
Thanks for that link and the legwork. I got some reading to do.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
IP Tables shows port open, nmap shows port closed tkinsella Linux - Security 4 09-12-2014 03:43 AM
Port scan shows ports open despite default iptables rule to DROP welshdemon Linux - Security 18 02-17-2014 08:30 AM
How does stealth port scan protection work? roll84 Linux - Software 3 05-20-2012 11:25 AM
reject all ip & ports and allow only some ports with iptables ysar68 Linux - Security 1 05-12-2007 09:50 PM
Port Scan: Closed Port instead of Stealth unihiekka Linux - Security 9 12-26-2005 09:51 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 03:37 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration