Quote:
Originally posted by steve_v
So... If you want to scan port X on a remote machine, you need to unblock port X on yours.
This is not true. The outgoing port on the machine where nmap is run definitely does not have to be the same as the one you scan. You would need a lot of ports open for that.
What you do need is a firewall which lets out (in iptables lingo) NEW and, in fact (since nmap can construct really odd packets for certain scan modes), INVALID packets, and lets in ESTABLISHED and (for nmap purposes possibly, for general purposes definitely) RELATED packets. Of course a firewall like this would not be very useful unless you also let out ESTABLISHED and RELATED packets.
This sets up a rudimentary iptables firewall for a stand-alone box not running any services:
Code:
# Default policy: drop everything that no rule below accepts
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Loopback traffic is always allowed
iptables -A OUTPUT -o lo -j ACCEPT
# Outbound: new flows, replies, related traffic, and nmap's odd (INVALID) probes
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED,INVALID -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Inbound: only replies to flows we started, plus related packets such as ICMP errors
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
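As an added illustration (not part of the post), here is a toy Python model of the ruleset above: a stand-in for conntrack classifies each packet and the two chains accept or drop by state alone. Addresses and ports are constructed; it shows that a SYN scan from an ephemeral port gets its reply in as ESTABLISHED, a UDP probe's ICMP error gets in as RELATED, while an inbound SYN to our own port 22 is NEW and dropped.

```python
# Toy model of the ruleset in the post: a conntrack stand-in classifies each
# packet, then the OUTPUT/INPUT chains accept or drop by state alone.
LOCAL, TARGET = "10.0.0.5", "192.0.2.10"   # constructed addresses

class Conntrack:
    def __init__(self):
        self.flows = set()   # original-direction (src, dst) pairs

    def state(self, pkt):
        src, dst = pkt["src"], pkt["dst"]
        if (src, dst) in self.flows or (dst, src) in self.flows:
            return "ESTABLISHED"   # either direction of a known flow
        if pkt["type"] == "ICMP-UNREACH" and pkt.get("inner") in self.flows:
            return "RELATED"       # ICMP error about a known flow
        if pkt["type"] in ("SYN", "UDP"):
            return "NEW"           # first packet of a fresh flow
        return "INVALID"           # e.g. bare FIN/NULL/Xmas probes

def filter_packet(ct, chain, pkt):
    """Apply the post's rules for one chain; the policy is DROP."""
    if pkt["iface"] == "lo":
        return "ACCEPT"
    allowed = {"OUTPUT": {"NEW", "ESTABLISHED", "RELATED", "INVALID"},
               "INPUT": {"ESTABLISHED", "RELATED"}}[chain]
    state = ct.state(pkt)
    if state not in allowed:
        return "DROP"
    if state == "NEW":
        ct.flows.add((pkt["src"], pkt["dst"]))   # entry is kept once accepted
    return "ACCEPT"

def pkt(iface, ptype, src, dst, inner=None):
    return {"iface": iface, "type": ptype, "src": src, "dst": dst, "inner": inner}

def syn_probe(ct, local_port, target_port):
    """One nmap -sS probe: our SYN goes out, the target's SYN/ACK comes back."""
    out = filter_packet(ct, "OUTPUT", pkt("eth0", "SYN", (LOCAL, local_port), (TARGET, target_port)))
    back = filter_packet(ct, "INPUT", pkt("eth0", "SYN-ACK", (TARGET, target_port), (LOCAL, local_port)))
    return out, back

def udp_probe(ct, local_port, target_port):
    """One nmap -sU probe: UDP out, ICMP port-unreachable (RELATED) back."""
    flow = ((LOCAL, local_port), (TARGET, target_port))
    out = filter_packet(ct, "OUTPUT", pkt("eth0", "UDP", *flow))
    back = filter_packet(ct, "INPUT", pkt("eth0", "ICMP-UNREACH", (TARGET, 0), (LOCAL, 0), inner=flow))
    return out, back

def unsolicited_syn(ct, local_port):
    """Someone scanning us: an inbound SYN with no prior outbound flow."""
    return filter_packet(ct, "INPUT", pkt("eth0", "SYN", (TARGET, 55555), (LOCAL, local_port)))
```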