nmap shows services I'm unaware of

chovy asked:

When I run nmap <host> on my server it says the following ports are open, but my iptables have no rules explicitly allowing them.

135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds

It’s a Debian web server running a Postfix mail server as well.

I don’t see anything specifically in iptables that is allowing these ports.

*nat

# Allow openvpn connections (nat)
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

COMMIT

*filter

# This will allow all loopback (lo0) traffic and drop all traffic to 127/8
# that does not use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  This accepts all already established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# This allows all outbound traffic
-A OUTPUT -j ACCEPT

# This will allow HTTP and HTTPS connections from anywhere; these are the normal
# ports used for a web server
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow bittorrent/rtorrent ports, from ~/.rtorrent.rc
-A INPUT -p tcp --dport 8071:8079 -j ACCEPT
-A INPUT -p udp --dport 6881 -j ACCEPT

# Allow tor (the onion router) connections for relay node
-A INPUT -p tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp --dport 9030 -j ACCEPT

# Allow mx connections
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT

# Allow ICMP ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Allow openvpn connections
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -p tcp --dport 1194 -j ACCEPT

# Keep this last line
# Reject all other inbound traffic
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

How are these scannable if my iptables.rules file is not allowing them?
Am I running these services? How do I stop them?

My answer:


Your Internet Service Provider is filtering outbound traffic on those ports. This is very common with residential Internet connections. The block affects Windows NetBIOS and CIFS traffic, and is intended to prevent customers from browsing files on their (poorly secured) neighbors’ computers.


View the full question and answer on Server Fault.
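
As an added example (not part of the original question or answer), this Python sketch cross-checks an nmap port table against the INPUT rules quoted in the question. The `open` line for port 25 and the function names are constructed for illustration; nmap reports `filtered` when packet filtering keeps its probes from reaching a port, so that state alone does not show a listening service.

```python
import re

# Constructed sample: the three nmap lines quoted in the question, plus one
# constructed "open" line for contrast.
NMAP_OUTPUT = """\
25/tcp   open     smtp
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
"""

# Subset of the INPUT rules from the question's iptables.rules file.
RULES = """\
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8071:8079 -j ACCEPT
-A INPUT -p udp --dport 6881 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -j REJECT
"""

RULE_RE = re.compile(
    r"-A INPUT\b.*-p (\w+)\b.*--dport (\d+)(?::(\d+))?\b.*-j ACCEPT")

def accepted_ports(rules):
    """Return (proto, low, high) ranges that INPUT explicitly ACCEPTs."""
    ranges = []
    for line in rules.splitlines():
        m = RULE_RE.match(line)
        if m:
            low = int(m.group(2))
            ranges.append((m.group(1), low, int(m.group(3) or low)))
    return ranges

def classify(nmap_output, rules):
    """Map (port, proto) to (nmap state, explicitly accepted by INPUT?)."""
    allowed = accepted_ports(rules)
    result = {}
    for line in nmap_output.splitlines():
        m = re.match(r"(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", line)
        if m:
            port, proto, state = int(m.group(1)), m.group(2), m.group(3)
            ok = any(p == proto and lo <= port <= hi for p, lo, hi in allowed)
            result[(port, proto)] = (state, ok)
    return result

if __name__ == "__main__":
    for (port, proto), (state, ok) in sorted(classify(NMAP_OUTPUT, RULES).items()):
        print(f"{port}/{proto} state={state} accepted_by_INPUT={ok}")
```

To confirm on the server itself whether anything is bound to a reported port, list the listening sockets locally (for example with `ss -ltn`) rather than relying on a remote scan.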

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.