Networking Forums

bridging and iptables -- strange behaviour

 
 
beau

 
      02-03-2006, 08:27 PM
I've noticed some very strange behaviour in my firewall lately. If I
do a port scan on my desktop machine (XP) from a site like
security.symantec.com then I get some open ports listed, such as
25,80,110... These ports aren't open on my machine, fport even says
so. Even if I explicitly block 110 on my firewall the scan reports it
as being open. I'm using Fedora Core 4 with 2.6.11-1 kernel and
iptables to filter traffic over a bridge. When I block 110 I insert a
rule like this:

iptables -I FORWARD 1 -p tcp --dport 110 -j DROP

the packet counters for this rule are incrementing when I port scan, so
packets are matching. Has anyone seen anything like this before??? Is
it possible that something upstream from my firewall is causing this???

Beau

 
Postmaster

 
      02-03-2006, 09:53 PM

"beau" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ps.com...
> I've noticed some very strange behaviour in my firewall lately. If I
> do a port scan on my desktop machine (XP) from a site like
> security.symantec.com then I get some open ports listed, such as
> 25,80,110... These ports aren't open on my machine, fport even says
> so. Even if I explicitly block 110 on my firewall the scan reports it
> as being open. I'm using Fedora Core 4 with 2.6.11-1 kernel and
> iptables to filter traffic over a bridge. When I block 110 I insert a
> rule like this:
>
> iptables -I FORWARD 1 -p tcp --dport 110 -j DROP
>
> the packet counters for this rule are incrementing when I port scan, so
> packets are matching. Has anyone seen anything like this before??? Is
> it possible that something upstream from my firewall is causing this???
>
> Beau
>


Beau,

I get more aggressive on blocking things at the firewall :-)

KPORT=XXX <- Port you want seriously blocked.

/sbin/iptables -A INPUT -i $EXTINT -p TCP --dport $KPORT -j DROP
/sbin/iptables -A INPUT -i $INTINT -p TCP --sport $KPORT -j DROP
/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p TCP --dport $KPORT -j DROP
/sbin/iptables -t nat -A PREROUTING -i $INTINT -p TCP --sport $KPORT -j DROP
/sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $KPORT -j DROP
/sbin/iptables -A OUTPUT -o $INTINT -p TCP --dport $KPORT -j DROP
/sbin/iptables -t nat -A POSTROUTING -o $EXTINT -p TCP --sport $KPORT -j DROP
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $KPORT -j DROP
/sbin/iptables -t nat -A POSTROUTING -o $INTINT -p TCP --dport $KPORT -j DROP
/sbin/iptables -A FORWARD -p TCP --dport $KPORT -j DROP

Enjoy,
Postmaster



 
Grant

 
      02-03-2006, 10:48 PM
On Fri, 03 Feb 2006 22:53:23 GMT, "Postmaster" <postmaster@127.0.0.1> wrote:

> I get more aggressive on blocking things at the firewall :-)
>
>KPORT=XXX <- Port you want seriously blocked.
>
>/sbin/iptables -A INPUT -i $EXTINT -p TCP --dport $KPORT -j DROP
>/sbin/iptables -A INPUT -i $INTINT -p TCP --sport $KPORT -j DROP
>/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p TCP --dport $KPORT -j DROP
>/sbin/iptables -t nat -A PREROUTING -i $INTINT -p TCP --sport $KPORT -j DROP
>/sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $KPORT -j DROP
>/sbin/iptables -A OUTPUT -o $INTINT -p TCP --dport $KPORT -j DROP
>/sbin/iptables -t nat -A POSTROUTING -o $EXTINT -p TCP --sport $KPORT -j DROP
>/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $KPORT -j DROP
>/sbin/iptables -t nat -A POSTROUTING -o $INTINT -p TCP --dport $KPORT -j DROP
>/sbin/iptables -A FORWARD -p TCP --dport $KPORT -j DROP


What's wrong with simply using policy DROP do all this? Surely
there's no need for explicit DROPping?

IOW: Take what you want, DROP the rest.

Grant.
--
.... The computer scientist, who had listened to all of this said,
"Yes, but where do you think the chaos came from?"
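Grant's "take what you want, DROP the rest" written out for a bridging firewall, as an added example that is not from any poster in this thread. It assumes a bridge whose ISP-facing port is eth0 and LAN-facing port is eth1 (hypothetical names) and the state and physdev matches; with IPT=echo the function prints the rules instead of applying them.

```shell
#!/bin/sh
# Default-deny filter for a bridging firewall: everything not explicitly
# allowed falls through to the chain policy and is dropped, so no per-port
# DROP rules are needed. Set IPT=echo to print the rules instead of applying.
IPT=${IPT:-/sbin/iptables}
EXTPORT=${EXTPORT:-eth0}   # bridge port facing the ISP (assumed name)
INTPORT=${INTPORT:-eth1}   # bridge port facing the LAN (assumed name)

apply_bridge_policy() {
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Bridged traffic, which is what an outside scanner's probes traverse:
    # replies to connections the LAN opened may come back, and new
    # connections are accepted only when they enter on the LAN-side port.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-in "$INTPORT" -m state --state NEW -j ACCEPT
    # Unsolicited SYNs from the ISP side (25, 80, 110, anything) match no
    # rule and hit the FORWARD policy. LOG records them without changing
    # the verdict; the limit keeps a port scan from flooding the syslog.
    $IPT -A FORWARD -m physdev --physdev-in "$EXTPORT" -m limit --limit 5/min \
        -j LOG --log-prefix "BRIDGE-DROP: "

    # Traffic to the firewall host itself: loopback, replies, SSH from the LAN.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m physdev --physdev-in "$INTPORT" -p tcp --dport 22 -j ACCEPT
}

# How many port-specific DROP rules a given port needs under this policy: none.
# Runs the generator in a subshell with IPT=echo so nothing is applied.
count_port_drop_rules() {
    ( IPT=echo; apply_bridge_policy ) | grep -c -e "--dport $1 -j DROP" || true
}
```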
 
Juha Laiho

 
      02-05-2006, 08:09 PM
"beau" <(E-Mail Removed)> said:
>I've noticed some very strange behaviour in my firewall lately. If I
>do a port scan on my desktop machine (XP) from a site like
>security.symantec.com then I get some open ports listed, such as
>25,80,110... These ports aren't open on my machine, fport even says
>so.


It could be interesting (and educational) to try to connect to these ports
from somewhere outside your ISPs network. It could be that your ISP is
intercepting the inbound traffic to these ports.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
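Juha's test approached from the firewall side, as an added example that is not from anyone in this thread: if the scanner reports 110 "open" but no SYN/ACK from port 110 ever crosses the external bridge port, the reply was generated upstream of the firewall. It assumes `tcpdump -n` text output in its current "Flags [S]" layout and an external port named eth0 (hypothetical); the two captures below are constructed.

```shell
#!/bin/sh
# Classifies a `tcpdump -n` capture taken on the external bridge port while
# an outside scan runs. Live use (eth0 is an assumed interface name):
#   tcpdump -lni eth0 'tcp port 110' | classify_scan_capture 110
classify_scan_capture() {
    awk -v port="$1" '
        # tcpdump -n line layout assumed: TIME IP SRC.SPORT > DST.DPORT: Flags [X], ...
        $2 == "IP" {
            ns = split($3, s, "."); nd = split($5, d, ".")
            sport = s[ns]; dport = d[nd]; sub(/:$/, "", dport)
            if ($7 == "[S],"  && dport == port) syn++     # probe addressed to the port
            if ($7 == "[S.]," && sport == port) synack++  # reply claiming the port is open
        }
        END {
            if (syn == 0)
                print "no-probes: nothing addressed to port " port " was captured"
            else if (synack > 0)
                print "answered-locally: " synack " SYN/ACK(s) from port " port " crossed this interface"
            else
                print "dropped-here: " syn " probe(s) seen, no SYN/ACK sent; an open report came from upstream"
        }'
}

# Constructed capture matching the original post: probes arrive, the FORWARD
# DROP rule eats them, nothing answers. 203.0.113.5 is the scanner, 198.51.100.7 our side.
sample_capture_blocked() {
    cat <<'EOF'
14:03:01.000001 IP 203.0.113.5.40001 > 198.51.100.7.110: Flags [S], seq 1, win 65535, length 0
14:03:02.000002 IP 203.0.113.5.40002 > 198.51.100.7.110: Flags [S], seq 2, win 65535, length 0
14:03:03.000003 IP 203.0.113.5.40003 > 198.51.100.7.110: Flags [S], seq 3, win 65535, length 0
EOF
}

# Constructed capture where a host behind the bridge really does answer.
sample_capture_answered() {
    cat <<'EOF'
14:05:01.000001 IP 203.0.113.5.40010 > 198.51.100.7.110: Flags [S], seq 9, win 65535, length 0
14:05:01.000400 IP 198.51.100.7.110 > 203.0.113.5.40010: Flags [S.], seq 77, ack 10, win 5840, length 0
EOF
}
```

Run it from a box outside the ISP's network as Juha suggests and compare with a capture on eth0: a scanner result that the capture cannot account for points at interception between the two.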
 