Why are some ports reported by nmap filtered and not the others

iptablesnmap

I'm scanning a server which should have a pretty simple firewall using iptables: by default everything is DROPped besides RELATED and ESTABLISHED packets. The only type of NEW packets allowed are TCP packets on port 22 and 80 and that's it (no HTTPS on that server).

The result of nmap on the first 2048 ports gives 22 and 80 as open, as I expect. However a few ports appear as "filtered".

My question is: why do port 21, 25 and 1863 appear as "filtered" and the 2043 other ports do not appear as filtered?

I expected to see only 22 and 80 as "open".

If it's normal to see 21,25 and 1863 as "filtered", then why aren't all the other ports appearing as "filtered" too!?

Here's the nmap output:

# nmap -PN 94.xx.yy.zz -p1-2048

Starting Nmap 6.00 ( http://nmap.org ) at 2014-06-12 ...
Nmap scan report for ksXXXXXX.kimsufi.com (94.xx.yy.zz)
Host is up (0.0023s latency).
Not shown: 2043 closed ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
1863/tcp filtered msnp

I really don't get why I have 2043 closed ports:

Not shown: 2043 closed ports

and not 2046 closed ports.

Here's an lsof launched on the server:

# lsof -i -n
COMMAND   PID USER   FD   TYPE   DEVICE SIZE NODE NAME
named    3789 bind   20u  IPv4     7802       TCP 127.0.0.1:domain (LISTEN)
named    3789 bind   21u  IPv4     7803       TCP 127.0.0.1:953 (LISTEN)
named    3789 bind  512u  IPv4     7801       UDP 127.0.0.1:domain 
sshd     3804 root    3u  IPv4     7830       TCP *:ssh (LISTEN)
sshd     5408 root    3r  IPv4 96926113       TCP 94.xx.yy.zz:ssh->aa.bb.cc.dd:37516 (ESTABLISHED)
sshd     5411    b    3u  IPv4 96926113       TCP 94.xx.yy.zz:ssh->aa.bb.cc.dd:37516 (ESTABLISHED)
java    16589    t   42u  IPv4 88842753       TCP *:http-alt (LISTEN)
java    16589    t   50u  IPv4 88842759       TCP *:8009 (LISTEN)
java    16589    t   51u  IPv4 88842762       TCP 127.0.0.1:8005 (LISTEN)

(note that Java / Tomcat is listening on port 8009 but that port is DROPped by the firewall)

Best Answer

'Filtered port' statement from nmap differs according your scan method.

The standard scan (TCP Scan if unprivileged user, or Half-Open scan -sS if superuser) relies on TCP protocol . (named 3-way hanshake)

A client (you) issues a SYN, if the server replies SYN/ACK : it means that the port is open !
You issue a SYN, if the server replies RST : it means that the port is close !
You issue a SYN, if the server does not reply, or replies with ICMP error : it means that the port is filtered. Likely an IDS / statefull firewall block your request)

To figure what is the real status of the port, you can :

use the -sV, or -A option (version detection, it will help you to determine what is the status of this port.
use --tcp-flags SYN,FIN to try bypassing the fw.
use other scan types (http://nmap.org/book/man-port-scanning-techniques.html)

The excellent "Nmap Network Discovery" book, written by its creator Fyodor explains this very well. I quote

filtered : Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This sort of filtering slows scans down dramatically.

open|filtered : Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.

closed|filtered : This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID Idle scan discussed in Section 5.10, "TCP Idle Scan (-sl)

Related Solutions

Doing nmap on a network

172.31.100.0 is the IP address of one of the hosts you scanned. If your network is actually 172.31.96.0/21 (or larger), then 100.0 is a perfectly valid IP address.

172.31.100.0 is part of the pre-CIDR Class B IP space, so you may have gotten a default network of 173.31.0.0/16 if you didn't configure otherwise (and 100.0 completely valid on that network).

If you don't want to scan .0, you can invoke nmap with a range: nmap -sS 172.31.100.1-254.

Iptables: Matching Outgoing Traffic with Conntrack and Owner – Troubleshooting Drops

To cut a long story short, that ACK was sent when the socket didn't belong to anybody. Instead of allowing packets that pertain to a socket that belongs to user x, allow packets that pertain to a connection that was initiated by a socket from user x.

The longer story.

To understand the issue, it helps to understand how wget and HTTP requests work in general.

wget http://cachefly.cachefly.net/10mb.test

wget establishes a TCP connection to cachefly.cachefly.net, and once established sends a request in the HTTP protocol that says: "Please send me the content of /10mb.test (GET /10mb.test HTTP/1.1) and by the way, could you please not close the connection after you're done (Connection: Keep-alive). The reason it does that is because in case the server replies with a redirection for a URL on the same IP address, it can reuse the connection.

Now the server can reply with either, "here comes the data you requested, beware it's 10MB large (Content-Length: 10485760), and yes OK, I'll leave the connection open". Or if it doesn't know the size of the data, "Here's the data, sorry I can't leave the connection open but I'll tell when you can stop downloading the data by closing my end of the connection".

In the URL above, we're in the first case.

So, as soon as wget has obtained the headers for the response, it knows its job is done once it has downloaded 10MB of data.

Basically, what wget does is read the data until 10MB have been received and exit. But at that point, there's more to be done. What about the server? It's been told to leave the connection open.

Before exiting, wget closes (close system call) the file descriptor for the socket. Upon, the close, the system finishes acknowledging the data sent by the server and sends a FIN to say: "I won't be sending any more data". At that point close returns and wget exits. There is no socket associated to the TCP connection anymore (at least not one owned by any user). However it's not finished yet. Upon receiving that FIN, the HTTP server sees end-of-file when reading the next request from the client. In HTTP, that means "no more request, I'll close my end". So it sends its FIN as well, to say, "I won't be sending anything either, that connection is going away".

Upon receiving that FIN, the client sends a "ACK". But, at that point, wget is long gone, so that ACK is not from any user. Which is why it is blocked by your firewall. Because the server doesn't receive the ACK, it's going to send the FIN over and over until it gives up and you'll see more dropped ACKs. That also means that by dropping those ACKs, you're needlessly using resources of the server (which needs to maintain a socket in the LAST-ACK state) for quite some time.

The behavior would have been different if the client had not requested "Keep-alive" or the server had not replied with "Keep-alive".

As already mentioned, if you're using the connection tracker, what you want to do is let every packet in the ESTABLISHED and RELATED states through and only worry about NEW packets.

If you allow NEW packets from user x but not packets from user y, then other packets for established connections by user x will go through, and because there can't be established connections by user y (since we're blocking the NEW packets that would establish the connection), there will not be any packet for user y connections going through.

Best Answer

Related Solutions

Doing nmap on a network

Iptables: Matching Outgoing Traffic with Conntrack and Owner – Troubleshooting Drops

Related Question