
nmap showing open ports despite port close

By Daniel Rodriguez

I just set up my iptables with a DROP policy:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p udp -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A fail2ban-ssh -s 115.231.222.176/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN

But when I run nmap, many ports remain open:

PORT STATE SERVICE
1/tcp open tcpmux
22/tcp open ssh
25/tcp open smtp
79/tcp open finger
80/tcp open http
111/tcp open rpcbind
119/tcp open nntp
143/tcp open imap
443/tcp open https
1080/tcp open socks
1524/tcp open ingreslock
2000/tcp open cisco-sccp
6667/tcp open irc
12345/tcp open netbus
31337/tcp open Elite
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11

Any idea why? Does it represent a security breach?

2 Answers

iptables operates on incoming or outgoing packets by matching each packet against its set of rules. It has nothing to do with whether a port is open or not.

If the ssh traffic is blocked via the following rule in iptables,

-A INPUT -i eth0 -p tcp --dport 22 -j DROP

then a packet that arrives destined for port 22 will be dropped by the kernel, but your computer may actually be listening on port 22 because the SSH daemon is running on port 22.

To close a port you need to stop the service listening on that port. For example, to close port 22, the following will do:

sudo service ssh stop

The same happened to me. Try to put your computer on the same network segment as the server in question; port scanning via routers can give you some false results.

If you run nmap (nmap -v -A yourIP) from other network segments, ports that are not open will be shown with a question mark (?):

2000/tcp open cisco-sccp
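A small triage script for the situation both answers describe, added here as an example and not code from either answer: it takes nmap's list of "open" ports, the scanned host's own `ss -Htln` listener list and its `iptables-save` INPUT rules (all three are constructed samples embedded below), and reports for each "open" port whether a wildcard-bound listener and an explicit `--dport` ACCEPT rule actually account for it. With a DROP policy, a port that nothing listens on and no rule accepts cannot have been answered by this host's TCP stack, so an "open" verdict there (31337 in the sample) points at something between the scanner and the host, which is the second answer's reason for rescanning from the same segment.

```shell
#!/bin/sh
# Constructed sample inputs; none of these come from a live host.
# Excerpt in the format of the question's nmap output.
NMAP_OUT='PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
443/tcp open https
31337/tcp open Elite'
# Constructed `ss -Htln` output on the scanned host (State Recv-Q Send-Q Local Peer).
SS_OUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*'
# Constructed `iptables-save` INPUT rules in the same style as the question.
IPT_OUT='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# Ports nmap reported as open (strips the "/tcp" suffix, skips the header).
nmap_open() { printf '%s\n' "$1" | awk '$2=="open" {sub(/\/tcp$/,"",$1); print $1}'; }
# Ports with a listener bound to a wildcard address; loopback-only binds are ignored.
ss_listening() {
  printf '%s\n' "$1" | awk '{n=split($4,a,":"); addr=substr($4,1,length($4)-length(a[n])-1);
    if (addr=="0.0.0.0" || addr=="[::]" || addr=="*") print a[n]}'
}
# Destination ports that INPUT rules accept explicitly with --dport.
ipt_accepted() {
  printf '%s\n' "$1" | awk '/^-A INPUT/ && /-j ACCEPT/ {for (i=1;i<NF;i++) if ($i=="--dport") print $(i+1)}'
}

# For each port nmap calls open, print "<port> <code> <explanation>".
classify() {
  listen=$(ss_listening "$2"); accept=$(ipt_accepted "$3")
  for p in $(nmap_open "$1"); do
    l=no; a=no
    for x in $listen; do [ "$x" = "$p" ] && l=yes; done
    for x in $accept; do [ "$x" = "$p" ] && a=yes; done
    case "$l$a" in
      yesyes) echo "$p ok listening and accepted by INPUT" ;;
      yesno)  echo "$p listening-only no --dport ACCEPT, find the rule that let the SYN through" ;;
      noyes)  echo "$p accepted-only no listener, the SYN-ACK came from somewhere else" ;;
      nono)   echo "$p neither not this host, rescan from the same network segment" ;;
    esac
  done
}
# Verdict code for one port, using the sample inputs above.
verdict_for() { classify "$NMAP_OUT" "$SS_OUT" "$IPT_OUT" | awk -v p="$1" '$1==p {print $2}'; }

classify "$NMAP_OUT" "$SS_OUT" "$IPT_OUT"
```

On a real host, feed it `nmap -oN` output from the scanner plus `ss -Htln` and `iptables-save` captured on the target itself; the comparison only makes sense when the listener list comes from the machine that was scanned.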
