Iptables and nmap

Thyagaraj03
The following are my iptables rules on an Ubuntu cloud server:

cat /etc/iptables.rules:
*filter
:INPUT DROP [598:41912]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [456:35354]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -j DROP
COMMIT



When I checked with the nmap tool, the following ports are listed as open:
#nmap server-ip
 
Not shown: 987 closed ports 

PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
25/tcp    open     smtp
53/tcp    open     domain
80/tcp    open     http
111/tcp   open     rpcbind
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
389/tcp   open     ldap
445/tcp   filtered microsoft-ds
10000/tcp open     java-or-OTGfileshare
2401/tcp  open     cvspserver
3306/tcp  open     mysql

Nmap done: 1 IP address (1 host up) scanned in 17.46 seconds


Why are this many ports shown as open? I'm clear that these services are running on the server, but how could it list or connect to (ftp) these ports when they are not included in the iptables rules?

The following script runs every 5 minutes on the cloud servers to update their iptables for the dyndns domain name:

 
#!/bin/bash
#
# A script to update iptable records for dynamic dns hosts.
# Written by: Dave Horner (http://dave.thehorners.com)
# Released into public domain.
#
# Run this script in your cron table to update ips.
#
# You might want to put all your dynamic hosts in a sep. chain.
# That way you can easily see what dynamic hosts are trusted.
#
# create the chain in iptables.
/sbin/iptables -N dynamichosts
# insert the chain into the input chain @ the head of the list.
/sbin/iptables -I INPUT 1 -j dynamichosts
# flush all the rules in the chain
/sbin/iptables -F dynamichosts

HOST=$1
HOSTFILE="/root/host-$HOST"
CHAIN="dynamichosts"  # change this to whatever chain you want.
IPTABLES="/sbin/iptables"

# check to make sure we have enough args passed.
if [ "$#" -ne 1 ]; then
    echo "$0 hostname"
    echo "You must supply a hostname to update in iptables."
    exit 1
fi

# lookup host name from dns tables
IP=$(/usr/bin/dig +short "$HOST" | /usr/bin/tail -n 1)
if [ -z "$IP" ]; then
    echo "Couldn't lookup hostname for $HOST, failed."
    exit 1
fi

# read the ip saved by the previous run, if any.
OLDIP=""
if [ -e "$HOSTFILE" ]; then
    OLDIP=$(cat "$HOSTFILE")
fi

# save off new ip.
echo "$IP" > "$HOSTFILE"

echo "Updating $HOST in iptables."
if [ -n "$OLDIP" ]; then
    echo "Removing old rule ($OLDIP)"
    "$IPTABLES" -D "$CHAIN" -s "$OLDIP/32" -j ACCEPT
fi
echo "Inserting new rule ($IP)"
"$IPTABLES" -A "$CHAIN" -s "$IP/32" -j ACCEPT



This is the output of "iptables -L" on the cloud server.
 
dynamichosts  all  --  anywhere             anywhere            
dynamichosts  all  --  anywhere             anywhere            
dynamichosts  all  --  anywhere             anywhere            
dynamichosts  all  --  anywhere             anywhere            
dynamichosts  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere tcp dpt:www
ACCEPT     all  --  anywhere             anywhere state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere state RELATED,ESTABLISHED 
ACCEPT     tcp  --  APKGS-AP-dynamic-145.136.165.59.airtelbroadband.in  anywhere tcp dpt:ssh 
ACCEPT     tcp  --  APKGS-AP-dynamic-145.136.165.59.airtelbroadband.in anywhere tcp dpt:10000 
ACCEPT     tcp  --  APKGS-AP-dynamic-145.136.165.59.airtelbroadband.in  anywhere tcp dpt:mysql 
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain dynamichosts (937 references)
target     prot opt source               destination         
ACCEPT     all  --  Telemedia-AP-dynamic-145.86.175.59.airtelbroadband.in  anywhere



Here the airtelbroadband host is mine (the dyndns domain name). I'm sure the script is allowing all ports for the dyndns domain name (the last line of the script). When I checked with nmap from outside, only the allowed ports are listed. I'm afraid to edit the script in case I lock myself out. Any help...?
Top Expert 2014

Commented:
Where are you running nmap from?  Is it the same computer that you are scanning?

Author

Commented:
No. I ran nmap from outside and it listed only the open ports, and it's fine there. But my office uses a dynamic public IP address; for this reason I'm using a script, scheduled on the cloud servers, to update the iptables rules for the dyndns domain name (my office). When I ran nmap from my office systems, all the ports are listed instead of only the allowed ports for the dyndns domain name. I'm sure that I have to edit the script (especially the last line of the script), as it allows access to all the ports and the iptables rules for the dyndns domain are useless. I don't know how to edit this script and am afraid to do so.
Software Engineer
Distinguished Expert 2018
Commented:
iptables -L -v shows a tad more detail.
iptables -L -nv shows numeric info only (no name translations for ports & IP addresses).

In your output there are 5 rules first, which allow anything regardless.
Those are not mentioned in your iptables.rules but come from running the setup script 5 times.

Also: in iptables.rules line 8 is redundant, as line 7 is a more generic case and is taken first.

Instead, only update your dynamic host chain and have the
INPUT queue use the dynamic host chain as a target, i.e. use this as iptables.rules:

---8<---
*filter
:INPUT DROP [598:41912]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [456:35354]
:dynamichosts - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j dynamichosts
-A INPUT -m state --state NEW -p tcp -m tcp --dport 3306 -j dynamichosts
-A INPUT -m state --state NEW -p tcp -m tcp --dport 10000 -j dynamichosts
-A INPUT -j DROP
COMMIT
---8<---


---8<---
#!/bin/bash
#
# A script to update iptable records for dynamic dns hosts.
# Written by: Dave Horner (http://dave.thehorners.com)
# Released into public domain.
#
# Run this script in your cron table to update ips.
#
# You might want to put all your dynamic hosts in a sep. chain.
# That way you can easily see what dynamic hosts are trusted.
#
# flush all the rules in the chain  - Also removes ALL allowed hosts there.....???
/sbin/iptables -F dynamichosts

HOST=$1
HOSTFILE="/root/host-$HOST"
CHAIN="dynamichosts"  # change this to whatever chain you want.
IPTABLES="/sbin/iptables"

# check to make sure we have enough args passed.
if [ "$#" -ne 1 ]; then
    echo "$0 hostname"
    echo "You must supply a hostname to update in iptables."
    exit 1
fi

# lookup host name from dns tables
IP=$(/usr/bin/dig +short "$HOST" | /usr/bin/tail -n 1)
if [ -z "$IP" ]; then
    echo "Couldn't lookup hostname for $HOST, failed."
    exit 1
fi

# read the ip saved by the previous run, if any.
OLDIP=""
if [ -e "$HOSTFILE" ]; then
    OLDIP=$(cat "$HOSTFILE")
fi

# save off new ip.
echo "$IP" > "$HOSTFILE"

echo "Updating $HOST in iptables."
if [ -n "$OLDIP" ]; then       # not needed because of Flush ... or Flush at start is not needed....
    echo "Removing old rule ($OLDIP)"
    "$IPTABLES" -D "$CHAIN" -s "$OLDIP/32" -j ACCEPT
fi
echo "Inserting new rule ($IP)"
"$IPTABLES" -A "$CHAIN" -s "$IP/32" -j ACCEPT
---8<---
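The answer's approach as an idempotent updater, added here as an example that is not part of this thread (neither the poster's nor Dave Horner's script): it only edits the contents of the dynamichosts chain, never flushes it, and never inserts a bare jump from INPUT, so the port restriction stays where the rules file above puts it. The state directory path and the check over `iptables -S INPUT` are assumptions.

```shell
#!/bin/bash
# Added example, not the poster's or Dave Horner's script. Assumes the rules
# file from the answer above, where INPUT jumps to "dynamichosts" only for NEW
# tcp connections to ports 22, 3306 and 10000, so an ACCEPT inside that chain
# cannot open any other port. The state directory path is an assumption.
set -u
IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="dynamichosts"
STATEDIR="${STATEDIR:-/var/lib/dynamichosts}"

# Resolve a hostname to one IPv4 address; prints nothing if the lookup fails.
resolve_ipv4() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | tail -n 1
}

# Print, one per line, the iptables argument lists that move the chain from
# OLDIP to NEWIP. No -F, so other trusted hosts in the chain survive, and an
# unchanged address adds no duplicate rule.
plan_update() {
    local oldip="$1" newip="$2"
    [ "$oldip" = "$newip" ] && return 0
    [ -n "$oldip" ] && echo "-D $CHAIN -s $oldip/32 -j ACCEPT"
    echo "-A $CHAIN -s $newip/32 -j ACCEPT"
}

# Read `iptables -S INPUT` on stdin and fail if INPUT enters the chain with no
# --dport match: that is what exposed every port to the office in the question.
check_input_jumps() {
    local bare
    bare=$(grep -- "-j $CHAIN" | grep -v -- '--dport' || true)
    [ -z "$bare" ]
}

# Apply the plan for one host and remember its address for the next run.
apply_update() {
    local host="$1" statefile="$STATEDIR/$host" newip oldip=""
    newip=$(resolve_ipv4 "$host")
    if [ -z "$newip" ]; then
        echo "$host did not resolve; existing rules left in place" >&2
        return 1
    fi
    [ -r "$statefile" ] && oldip=$(cat "$statefile")
    plan_update "$oldip" "$newip" | while read -r args; do
        $IPTABLES $args    # word splitting of $args is intended here
    done
    mkdir -p "$STATEDIR" && echo "$newip" > "$statefile"
    "$IPTABLES" -S INPUT | check_input_jumps || echo "warning: unrestricted jump to $CHAIN in INPUT" >&2
}
if [ -n "${1:-}" ]; then apply_update "$1"; fi
```

Run as root from cron with the dyndns hostname as the only argument; a failed lookup leaves the existing ACCEPT in place instead of locking you out.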

Author

Commented:
I would like to accept the solution

Author

Commented:
It's already resolved
