How to configure iptables so an unwanted port is not reported as filtered

I’d like to stop others from seeing my ports as filtered in the nmap standard scan (unprivileged). Let’s say that I have the following ports open: 22, 3306, 995 and a firewall configured like this:

-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p tcp -m tcp --dport 995 -j DROP

This is the result of an nmap scan:

[+] Nmap scan report for X.X.X.X

Host is up (0.040s latency).
Not shown: 90 closed ports

PORT     STATE    SERVICE
22/tcp   filtered ssh
995/tcp  filtered pop3s
3306/tcp filtered mysql

It displays these ports as filtered because my server didn’t reply with a RST to the SYN. Is there a way to modify this behaviour? For example: if the iptables firewall blocks a port, reply with a RST to the SYN instead of remaining silent (not replying at all)?

Solution:

Don’t use DROP; that’s easily identified as “filtered” if you know the box is up. Instead, you may use the following to send a RST (as if there is a service listening, but it doesn’t accept connections from you):

-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with tcp-reset

Or simply use the following to make the port look closed (as if there is no service listening on it):

-A INPUT -p tcp -m tcp --dport 22 -j REJECT

-A INPUT -p tcp -m tcp --dport 995 -j REJECT --reject-with tcp-reset

should be doing what you want (reply with RST).
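As an added example (not part of the original question or answers), the POSIX shell script below audits a ruleset in the same `-A INPUT -p tcp -m tcp --dport N -j TARGET` form the question uses, reports how a SYN probe would classify each port (DROP gives no reply, so "filtered"; `REJECT --reject-with tcp-reset` gives a RST, so "closed"), and rewrites the DROP rules into the tcp-reset form. The rule lines are a constructed sample modelled on the question, not output captured from a real host, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit iptables-save style TCP rules for how a SYN probe
# would see the port, and rewrite DROP rules to REJECT --reject-with tcp-reset.

# Constructed sample ruleset (modelled on the question; not captured from a host).
SAMPLE_RULES='-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p tcp -m tcp --dport 995 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 8080 -j REJECT'

# classify_rule RULE: print "<port> <state>" where state is the nmap-style
# verdict a SYN probe would get for that port under this rule.
classify_rule() {
  rule=$1
  port=$(printf '%s\n' "$rule" | sed -n 's/.*--dport \([0-9]*\).*/\1/p')
  [ -n "$port" ] || return 0            # not a --dport rule; nothing to report
  case $rule in
    *'-j DROP'*)                 echo "$port filtered" ;;  # silent drop: no reply at all
    *'--reject-with tcp-reset'*) echo "$port closed" ;;    # RST sent back: looks closed
    *'-j REJECT'*)               echo "$port filtered" ;;  # default ICMP port-unreachable
    *)                           echo "$port other" ;;     # ACCEPT or a custom chain
  esac
}

# convert_rule RULE: rewrite a trailing "-j DROP" or bare "-j REJECT" into
# "-j REJECT --reject-with tcp-reset"; rules already using tcp-reset pass through.
convert_rule() {
  printf '%s\n' "$1" | sed -e 's/ -j DROP$/ -j REJECT --reject-with tcp-reset/' \
                           -e 's/ -j REJECT$/ -j REJECT --reject-with tcp-reset/'
}

# audit_rules RULESET: classify every line of a multi-line ruleset.
audit_rules() {
  printf '%s\n' "$1" | while IFS= read -r line; do classify_rule "$line"; done
}

# convert_rules RULESET: emit the rewritten ruleset, one rule per line.
convert_rules() {
  printf '%s\n' "$1" | while IFS= read -r line; do convert_rule "$line"; done
}

# Stand-alone run: show the verdicts, then the rewritten rules.
echo "# verdicts before rewrite"
audit_rules "$SAMPLE_RULES"
echo "# rewritten rules"
convert_rules "$SAMPLE_RULES"
```

To audit a live box, feed it `iptables-save` output instead of the sample, e.g. `audit_rules "$(iptables-save | grep -- '--dport')"` as root. Note that a bare `-j REJECT` on IPv4 defaults to an ICMP port-unreachable reply, which nmap's SYN scan also reports as "filtered"; only `--reject-with tcp-reset` produces the RST that makes the port show as "closed", which is why the script treats the two REJECT forms differently.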
