iptables – Why does nmap report some ports as filtered but not others?

I am scanning a server that should have a very simple iptables firewall: by default everything is DROPped except RELATED and ESTABLISHED packets. The only new packets allowed are TCP packets on ports 22 and 80, and that's it (there is no HTTPS on this server).

As I expected, the nmap results for the first 2048 ports show 22 and 80 as open. However, some ports show up as "filtered".

My question is: why do ports 21, 25 and 1863 show as "filtered" while the other 2043 ports do not show as filtered?

I expected to see only 22 and 80 as "open".

If it is normal for 21, 25 and 1863 to be seen as "filtered", then why don't all the other ports show as "filtered" as well!?

Here is the nmap output:

# nmap -PN 94.xx.yy.zz -p1-2048

Starting Nmap 6.00 ( http://nmap.org ) at 2014-06-12 ...
Nmap scan report for ksXXXXXX.kimsufi.com (94.xx.yy.zz)
Host is up (0.0023s latency).
Not shown: 2043 closed ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
1863/tcp filtered msnp

I really don't understand why I have 2043 closed ports:

Not shown: 2043 closed ports

rather than 2046 closed ports.

Here is lsof run on the server:

# lsof -i -n
COMMAND   PID USER   FD   TYPE   DEVICE SIZE NODE NAME
named    3789 bind   20u  IPv4     7802       TCP 127.0.0.1:domain (LISTEN)
named    3789 bind   21u  IPv4     7803       TCP 127.0.0.1:953 (LISTEN)
named    3789 bind  512u  IPv4     7801       UDP 127.0.0.1:domain 
sshd     3804 root    3u  IPv4     7830       TCP *:ssh (LISTEN)
sshd     5408 root    3r  IPv4 96926113       TCP 94.xx.yy.zz:ssh->aa.bb.cc.dd:37516 (ESTABLISHED)
sshd     5411    b    3u  IPv4 96926113       TCP 94.xx.yy.zz:ssh->aa.bb.cc.dd:37516 (ESTABLISHED)
java    16589    t   42u  IPv4 88842753       TCP *:http-alt (LISTEN)
java    16589    t   50u  IPv4 88842759       TCP *:8009 (LISTEN)
java    16589    t   51u  IPv4 88842762       TCP 127.0.0.1:8005 (LISTEN)

(Note that Java/Tomcat is listening on port 8009, but that port is DROPped by the firewall.)

Best answer
What nmap reports as a "filtered port" depends on the scan method.

The standard scan (a TCP connect scan if you are an unprivileged user, a half-open scan -sS if you are root) relies on the TCP protocol (the so-called 3-way handshake):

> The client (you) sends a SYN; if the server replies SYN/ACK, this means the port is open!
> The client sends a SYN; if the server replies RST, the port is closed!
> The client sends a SYN; if the server does not reply, or replies with an ICMP error, the port is filtered (an IDS / stateful firewall is probably blocking your request).

To determine the actual state of the port you can:

> use the -sV or -A option (version detection), which will help you determine the state of this port;
> use --tcp-flags SYN,FIN to try to bypass the fw;
> use other scan types (http://nmap.org/book/man-port-scanning-techniques.html).

The excellent book "Nmap Network Scanning", written by its creator Fyodor, explains this very well. I quote:

filtered : Nmap cannot determine whether the port is open because packet
filtering prevents its probes from reaching the port. The filtering
could be from a dedicated firewall device, router rules, or host-based
firewall software. These ports frustrate attackers because they
provide so little information. Sometimes they respond with ICMP error
messages such as type 3 code 13 (destination unreachable:
communication administratively prohibited), but filters that simply
drop probes without responding are far more common. This forces Nmap
to retry several times just in case the probe was dropped due to
network congestion rather than filtering. This sort of filtering slows
scans down dramatically.

open|filtered :
Nmap places ports in this state when it is unable to
determine whether a port is open or filtered. This occurs for scan
types in which open ports give no response. The lack of response could
also mean that a packet filter dropped the probe or any response it
elicited. So Nmap does not know for sure whether the port is open or
being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans
classify ports this way.

closed|filtered :
This state is used when Nmap is unable to determine
whether a port is closed or filtered. It is only used for the IP ID
Idle scan discussed in Section 5.10, "TCP Idle Scan (-sI)".

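The decision rules in this answer (SYN/ACK means open, RST means closed, silence or an ICMP unreachable means filtered, with retransmits before giving up on a silent port) and the "Not shown" arithmetic from the question can be made concrete. The following is an added example written for this page; it is not nmap's code and not something the poster or answerer wrote. The nmap report embedded in it is the one from the question; the reply labels, the MAX_RETRIES value and the two regular expressions are assumptions made for the example, and the classifier is a simplified model of one port in a -sS scan, not a reimplementation of nmap's timing logic.

```python
import re
from typing import Optional, Sequence

# Labels for what comes back after one SYN probe. This encoding is an
# assumption for the example; nmap works on raw packets, not on strings.
SYN_ACK = "SYN/ACK"
RST = "RST"
ICMP_ADMIN_PROHIBITED = "ICMP type 3 code 13"   # destination unreachable, admin prohibited
NO_REPLY: Optional[str] = None

# How many times a silent port is re-probed before nmap gives up. Assumed
# value for the example; real nmap derives it from timing and --max-retries.
MAX_RETRIES = 2


def classify_syn_probe(replies: Sequence[Optional[str]],
                       max_retries: int = MAX_RETRIES) -> str:
    """State of one port under a SYN (-sS) scan, following the answer's rules.

    replies[i] is what arrived after the i-th probe. Only max_retries + 1
    probes are ever sent, so anything beyond that is never observed: a RST
    that arrives too late still leaves the port reported as filtered.
    """
    for reply in replies[:max_retries + 1]:
        if reply == SYN_ACK:
            return "open"       # a listener answered the handshake's 2nd step
        if reply == RST:
            return "closed"     # the stack answered: reachable, nothing bound
        if reply == ICMP_ADMIN_PROHIBITED:
            return "filtered"   # a filter said so explicitly (REJECT-style rule)
        if reply is not NO_REPLY:
            raise ValueError(f"unexpected reply {reply!r}")
        # silence: retransmit, in case the probe was lost to congestion
    return "filtered"           # silent after every retry: dropped, not closed


# nmap output from the question, embedded so the example runs offline.
NMAP_REPORT = """\
Starting Nmap 6.00 ( http://nmap.org ) at 2014-06-12 ...
Nmap scan report for ksXXXXXX.kimsufi.com (94.xx.yy.zz)
Host is up (0.0023s latency).
Not shown: 2043 closed ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
1863/tcp filtered msnp
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# Single-bucket form only; nmap can also print
# "Not shown: N closed ports, M filtered ports", which this does not handle.
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+) ports")


def parse_nmap_report(text: str):
    """Return ({port: state}, (not_shown_count, not_shown_state))."""
    ports = {}
    not_shown = (0, None)
    for line in text.splitlines():
        m = NOT_SHOWN.match(line)
        if m:
            not_shown = (int(m.group(1)), m.group(2))
            continue
        m = PORT_LINE.match(line)
        if m:
            ports[int(m.group(1))] = m.group(3)
    return ports, not_shown


def state_tally(text: str, first_port: int, last_port: int):
    """Count ports per state and check that the explicit lines plus the
    'Not shown' bucket account for every port in the scanned range."""
    ports, (count, state) = parse_nmap_report(text)
    tally = {state: count} if state else {}
    for s in ports.values():
        tally[s] = tally.get(s, 0) + 1
    accounted = sum(tally.values()) == last_port - first_port + 1
    return tally, accounted


if __name__ == "__main__":
    print(state_tally(NMAP_REPORT, 1, 2048))
    for replies in ([SYN_ACK], [RST], [NO_REPLY] * 3, [NO_REPLY, NO_REPLY, RST]):
        print(replies, "->", classify_syn_probe(replies))
```

For the 1-2048 range the tally comes out as 2043 closed, 3 filtered and 2 open, which is the arithmetic the question stumbles over: the three filtered ports are exactly the gap between 2043 and 2046, and the 2043 closed ports are the ones that answered with a RST rather than being silently dropped. The classifier also shows why a silent port costs a scan several round trips while open and closed ports are settled by a single reply.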