[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

re off-topic ports 1720 and 6000-6009 shown even though they should be filtered



>Phill wrote:
>> I know this isn't RHEL support, but I thought I'd ask this question anyways, see if >you gurus know what might be going on. I have a rhel 5 web/ftp server. I'm using >iptables to filter all ports except 21 and 80. Yet if I do an nmap of the server, this >is the output I get.
>> -------------------------------
>> PORT     STATE  SERVICE
>> 21/tcp   open   ftp
>> 80/tcp   open   http
>> 1720/tcp open   H.323/Q.931
>> 6000/tcp closed X11
>> 6001/tcp closed X11:1
>> 6002/tcp closed X11:2
>> 6003/tcp closed X11:3
>> 6004/tcp closed X11:4
>> 6005/tcp closed X11:5
>> 6006/tcp closed X11:6
>> 6007/tcp closed X11:7
>> 6008/tcp closed X11:8
>> 6009/tcp closed X11:9
>> 6017/tcp closed xmail-ctrl
>> 6050/tcp closed arcserve
>> ---------------------------------
>>
>> Note the listening port 1720, netstat shows no service listening
>> Should be irrelevant since the only traffic I'm accepting is  port 21 and port 80, >and related established. Shouldn't this output just show me port 21 and port 80 open >and nothing else?
>>   
>How is your firewall configured?  It appears, from the output, that the
>firewall (I don't know if you're scanning from inside your network or
>outside, so it could be iptables on the server or an external firewall)
>is configured to allow those ports, although the server appears to not
>be answering on those ports.
>
>Making sure that those ports are closed on the firewall, as well, nmap
>won't actually be able to scan them.

>From /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp ip_nat_ftp"

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  372  394K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   2   108 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
   3528  192K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0      state NEW tcp dpt:80 
  176K   19M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
 4228 1387K DROP       all  --  *      *       0.0.0.0/0            255.255.255.255     
10218 1177K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68 
 3536  209K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `Dropped INPUT ' 
 3536  209K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `Dropped FORWARD ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  372  394K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
 106K  291M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED 
      0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `Dropped OUTPUT ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0  

This machine is on a separate network. I'm connected to this network via ipsec tunnel. I wondered if nmapping through that router might affect the output. You are correct. The network firewall blocks all ports except 21 and 80 from the outside world. So no one outside the network can scan these ports. However, I shouldn't be able to scan them either according to my knowledge of netfilter and iptables rules. I still don't understand what service would be listening on port 1720.



      


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]