Thread: Security Scan: Port 80 Closed, Not Blocked


    I just don't get it. I've spent the last few hours working with iptables... well the last many hours... and I've tried to drop packets heading from the WAN port to tcp port 80 and to my WAN IP address port 80 but nothing has worked. The port appears Closed rather than Blocked on Sygate's Security Scan unless I have a firewall running on my main computer. It's not DMZ'd or anything else, I swear I'm not that much of a newbie, though I do have a lot of ports forwarded to it, and port 20080 on the outside goes to port 80 on the inside... (iptables -A PREROUTING -p tcp -m tcp -d wan_ip --dport 20080 -j DNAT --to-destination 192.168.1.10:80). Not sure if that has anything to do with it.

    I've tried each of these:

    iptables -A INPUT -p tcp -m tcp -i eth1 --dport 80 -j DROP
    iptables -A FORWARD -p tcp -m tcp -i eth1 --dport 80 -j DROP
    iptables -A INPUT -p tcp -m tcp -d 68.x.x.x --dport 80 -j DROP
    iptables -A FORWARD -p tcp -m tcp -d 68.x.x.x --dport 80 -j DROP

    Previously I've tried forwarding everything incoming from the WAN (through Virtual Servers) to port 80 to 0.0.0.0. No luck. It appears Closed on any computer on the network...

    I've tried using -I also which should, I believe, make these rules the highest priority? No luck.

    UNLESS I have a firewall running on 192.168.1.10 (my main computer)! Then it appears Blocked. I... don't know why. It's not in my settings at all. I've reset them enough to know.

    Let me repeat that it doesn't matter which computer I run the test from. It only matters whether or not the software firewall is running on this specific computer, and I have the same exact firewall running on another one.

    So, for example, I can run the scan from a completely different and firewalled computer on the network and port 80 will appear closed. I open the software firewall on 192.168.1.10 and there you go.

    Here's my set-up. It's unique but should be self-explanatory:

    post-firewall:
    Code:
    #!/bin/sh
    sed 's/wan_ip/'$2'/g' /usr/local/firewall >/tmp/firewall
    iptables-restore /tmp/firewall
    #rm /tmp/firewall

    firewall:
    Code:
    #The NAT portion of the ruleset. Used for Network Address Translation.
    #Usually not needed on a typical web server, but it's there if you need it.
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -o eth1 -j MASQUERADE
    -A POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 33770 -j DNAT --to-destination 192.168.1.1:80
    # === port forwarding rules
    # --Comp0
    # VNC
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 5900 -j DNAT --to 192.168.1.10
    # VNC web
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 5800 -j DNAT --to 192.168.1.10
    # Telnet
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 20023 -j DNAT --to-destination 192.168.1.10:23
    # Web
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 20080 -j DNAT --to-destination 192.168.1.10:80
    # SSL
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 443 -j DNAT --to 192.168.1.10
    # NetMeeting 1
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 1503 -j DNAT --to 192.168.1.10
    # NetMeeting 2
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 1720 -j DNAT --to 192.168.1.10
    # Reverse VNC
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 5500 -j DNAT --to 192.168.1.10
    # Shareaza
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 13692 -j DNAT --to 192.168.1.10
    # WinMX TCP
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 6699 -j DNAT --to 192.168.1.10
    # WinMX UDP
    -A PREROUTING -p udp -m udp -d wan_ip --dport 6257 -j DNAT --to 192.168.1.10
    # ABC
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 6881:6999 -j DNAT --to 192.168.1.10
    
    #iptables -A PREROUTING -p tcp -m tcp -d wan_ip --dport 5800 -j DNAT --to 192.168.1.10
    
    # --Comp1
    # VNC
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 5902 -j DNAT --to 192.168.1.12
    # VNC web
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 5802 -j DNAT --to 192.168.1.12
    
    # --Comp2
    # VNC
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 5901 -j DNAT --to 192.168.1.11
    # VNC web
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 5801 -j DNAT --to 192.168.1.11
    COMMIT
    
    #The Mangle portion of the ruleset. Here is where unwanted packet types get dropped.
    #This helps in making port scans against your server a bit more time consuming and difficult, but not impossible.
    *mangle
    :PREROUTING ACCEPT [444:43563]
    :INPUT ACCEPT [444:43563]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [402:144198]
    :POSTROUTING ACCEPT [402:144198]
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    COMMIT
    
    #The FILTER section of the ruleset is where we initially drop all packets and then selectively open certain ports.
    #We will also enable logging of all dropped requests.
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [150:10999]
    #:OUTPUT ACCEPT [0:0]
    :MACS - [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    :bad_addresses - [0:0]
    # Allow any traffic originating locally
    -A INPUT -i lo -j ACCEPT
    # put in your trusted address here so you can't lock yourself out
    -A INPUT -i eth1 -s 192.168.1.11 -j ACCEPT
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
    # Weed out bad addresses
    -A INPUT -i eth1 -j bad_addresses
    # Drop stealth scans
    -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN              -j DROP
    -A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST              -j DROP
    -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST              -j DROP
    -A INPUT -i eth1 -p tcp -m tcp --tcp-flags ACK,FIN FIN                  -j DROP
    -A INPUT -i eth1 -p tcp -m tcp --tcp-flags ACK,URG URG                  -j DROP
    # Allow services that have already been established
    -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Custom services/from firmware
    -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 21 -j ACCEPT
    #-A INPUT -j DROP
    -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -i eth1 -p tcp --syn -m limit --limit 1/s -j ACCEPT
    -A FORWARD -i eth1 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    -A FORWARD -i eth1 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    # Restrict ICMP traffic
    #-A INPUT -i eth1 -p icmp -m icmp --icmp-type echo-reply              -j ACCEPT
    #-A INPUT -i eth1 -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
    #-A INPUT -i eth1 -p icmp -m icmp --icmp-type echo-request            -j ACCEPT
    #-A INPUT -i eth1 -p icmp -m icmp --icmp-type time-exceeded           -j ACCEPT
    # Log everything else
    #-A INPUT -m limit --limit 3 -j LOG
    # --- Bad Address tables ---
    -A bad_addresses -s 192.168.0.0/255.255.0.0 -j DROP
    -A bad_addresses -s 10.0.0.0/255.0.0.0      -j DROP
    -A bad_addresses -s 172.16.0.0/12           -j DROP
    -A bad_addresses -s 127.0.0.0/8             -j DROP
    -A bad_addresses -s 0.0.0.0/8               -j DROP
    -A bad_addresses -s 169.254.0.0/16          -j DROP
    -A bad_addresses -s 224.0.0.0/4             -j DROP
    -A bad_addresses -s 240.0.0.0/5             -j DROP
    -A bad_addresses -d 224.0.0.0/4 -p ! udp    -j DROP
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP" --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    -A INPUT -p tcp -m tcp -i eth1 --dport 80 -j DROP
    COMMIT

    Firmware: 1.8.1.7-3; this happened with all others ever tried.

    Oh, and I've tried "-A INPUT -p tcp -m tcp -i eth1 --dport 80 -j DROP" at the top and bottom to rule out precedence issues...

    You know what the weirdest part of this is? I'm pretty sure my ISP blocks port 80... Why would it ever be Closed and not Blocked anyway? Why would it ever fluctuate?
    Last edited by tomilius; 27-02-2005 at 10:03.
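As an added diagnostic, not code from the original post or the router firmware: a short Python script that walks an iptables-restore file and lists, in evaluation order, every rule that can touch a given TCP port, including nat DNAT rules that rewrite a different outside port to that port on an inside host, together with the filter INPUT policy the router falls back to for a SYN that no INPUT rule matches. The embedded ruleset is a constructed excerpt of the one quoted above, with wan_ip left symbolic.

```python
import re
# Constructed excerpt of the ruleset quoted in the post (wan_ip left symbolic).
RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -d wan_ip --dport 20080 -j DNAT --to-destination 192.168.1.10:80
-A PREROUTING -p tcp -m tcp -d wan_ip --dport 443 -j DNAT --to 192.168.1.10
-A PREROUTING -p tcp -m tcp -d wan_ip --dport 6881:6999 -j DNAT --to 192.168.1.10
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 80 -j DROP
COMMIT
"""

def parse(text):
    """Return rules as (table, chain, args) in file order and {(table, chain): policy}."""
    rules, policies, table = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # *nat, *filter, ...
            table = line[1:]
        elif line.startswith(":"):          # :INPUT DROP [0:0]
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):        # -A CHAIN <match and target args>
            _, chain, args = line.split(" ", 2)
            rules.append((table, chain, args))
    return rules, policies

def touches(args, port):
    """True if the rule matches --dport <port> (single or lo:hi range) or DNATs to it."""
    m = re.search(r"--dport (\d+)(?::(\d+))?", args)
    if m and int(m.group(1)) <= port <= int(m.group(2) or m.group(1)):
        return True
    # '--to host' keeps the original port (covered above); '--to[-destination] host:p' rewrites to p
    t = re.search(r"--to(?:-destination)? [\d.]+:(\d+)", args)
    return bool(t and int(t.group(1)) == port)

def audit(text, port):
    """Matching rules as 'table/chain: args' plus the filter INPUT policy (router's fallback)."""
    rules, policies = parse(text)
    hits = [f"{t}/{c}: {a}" for t, c, a in rules if touches(a, port)]
    return {"rules": hits, "input_policy": policies.get(("filter", "INPUT"))}

if __name__ == "__main__":
    print("\n".join(audit(RULESET, 80)["rules"]), "\nINPUT policy:", audit(RULESET, 80)["input_policy"])
```

A DROP policy with no REJECT rule means the router itself never answers a SYN with a RST, so a "Closed" verdict (the scanner received a RST) is worth correlating with whichever inside host the DNAT rules deliver port 80 traffic to.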
