Hi, because you drop packets. nmap interprets this as filtered. The usual behavior would be "ICMP port unreachable", which causes nmap to show these ports as closed.
Try "iptables -P INPUT REJECT". It is not always good to drop packets. Anyone will know there is most likely a packet filter in play. So far my experience.

Axel

George Georgalis wrote:
> Hi All,
>
> Why does this nmap scan show these ports filtered, not closed?
>
> 50420/tcp filtered unknown
> 50421/tcp filtered unknown
> 50422/tcp open unknown
> 50423/tcp filtered unknown
> 50424/tcp filtered unknown
>
> Here are the relevant firewall rules:
>
> LANIF=eth0
> EXTIF=eth1
> TCP_OPEN="22,25,53,80,113,50422"
> UDP_OPEN="22,53"
>
> iptables -P INPUT DROP
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i $EXTIF -m state --state NEW -p tcp -m multiport --dport $TCP_OPEN -j ACCEPT
> iptables -A INPUT -i $EXTIF -m state --state NEW -p udp -m multiport --dport $UDP_OPEN -j ACCEPT
> iptables -A INPUT -i $LANIF -m state --state NEW -j ACCEPT
> iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
> iptables -A INPUT -j LOG --log-prefix "INPUT-DROP "
>
> iptables -P FORWARD DROP
> iptables -A FORWARD -i $LANIF -o $EXTIF -j ACCEPT
> iptables -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $EXTIF -o $LANIF -p tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i $LANIF -o $LANIF -p tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -j LOG --log-prefix "FORWARD-DROP "
>
> iptables -t nat -A PREROUTING -p tcp --dport 50422 -j DNAT --to-destination 192.168.0.1:22
> iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> iptables -P OUTPUT ACCEPT
>
>
> Also, I was wondering why a connect from the LAN port 50422 (to the firewall) does nat to 192.168.0.1:22? It works from the internet....
>
> Thanks,
> // George
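The distinction this reply turns on, as an added example that is not code from either poster: a small Python model of nmap's documented SYN-scan (-sS) verdicts and of the reply each iptables disposition produces, run over the quoted rule set. It assumes nmap's -sS rules (SYN/ACK is open, RST is closed, ICMP unreachable or no answer is filtered), and that because iptables' built-in chain policies are only ACCEPT and DROP, a REJECT fall-through means a final "-j REJECT" rule rather than a -P policy.

```python
SYNACK, RST, ICMP_UNREACH, NONE = "syn-ack", "rst", "icmp-unreachable", "none"

def syn_scan_state(response):
    """nmap -sS verdict once retransmissions are exhausted: SYN/ACK -> open,
    RST -> closed, ICMP unreachable or silence -> filtered (a DROP looks like loss)."""
    if response == SYNACK:
        return "open"
    if response == RST:
        return "closed"
    return "filtered"

def firewall_response(disposition, listener=True):
    """Reply to a SYN under an iptables disposition: ACCEPT (SYN/ACK if something
    listens, else RST), DROP (silence), REJECT (default: ICMP port unreachable),
    'REJECT tcp-reset' (-j REJECT --reject-with tcp-reset: RST)."""
    return {
        "ACCEPT": SYNACK if listener else RST,
        "DROP": NONE,
        "REJECT": ICMP_UNREACH,
        "REJECT tcp-reset": RST,
    }[disposition]

def expected_states(ports, open_ports, fallthrough):
    """Predict the scan profile of a ruleset shaped like the quoted one: ports in
    TCP_OPEN are ACCEPTed (assumed to have a listener, e.g. the DNAT to
    192.168.0.1:22); every other port gets the fall-through disposition."""
    return {
        p: syn_scan_state(firewall_response("ACCEPT" if p in open_ports else fallthrough))
        for p in ports
    }

def parse_nmap_lines(text):
    """Parse 'port/proto state service' lines as pasted in the question."""
    states = {}
    for line in text.strip().splitlines():
        portproto, state, _service = line.split(None, 2)
        states[int(portproto.split("/")[0])] = state
    return states

# Scan output quoted in the original message, and the firewall's TCP_OPEN set.
OBSERVED = parse_nmap_lines("""
50420/tcp filtered unknown
50421/tcp filtered unknown
50422/tcp open unknown
50423/tcp filtered unknown
50424/tcp filtered unknown
""")
TCP_OPEN = {22, 25, 53, 80, 113, 50422}
```

With a DROP fall-through the prediction reproduces the quoted scan exactly; with a plain REJECT (ICMP port unreachable) a SYN scan still reports those ports as filtered, and only "--reject-with tcp-reset" makes them show as closed.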
