hide filtered ports

In typical iptables rulesets, traffic that doesn't match an explicit allow rule is silently discarded with -j DROP.

When a port is blocked this way, an nmap scan still lists it, as filtered:

3306/tcp filtered mysql

That's fine as far as it goes, because the port is inaccessible from the outside, but let's just say we don't want anyone snooping around and learning which services are listening at all. Fortunately, we can change -j DROP to -j REJECT --reject-with tcp-reset.

Adjust like so:

# this will show up as filtered
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
 
# change to this, and it won't show up at all unless it's allowed
-A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with tcp-reset

A SYN scanner like nmap reports a port as filtered when it gets no response at all, which is exactly what -j DROP produces: it can't tell whether a service is hiding behind the filter. A port that is simply closed (nothing listening, no firewall rule involved) answers the probe with a TCP RST, and nmap reports it as closed. -j REJECT --reject-with tcp-reset sends that same RST, so the firewalled port looks identical to an ordinary closed port, and because nmap's default output folds the bulk of closed ports into a single "Not shown: N closed ports" line, the port disappears from the listing unless it is actually allowed and open. A few caveats: the host still answers every probe, so this hides which ports are firewalled, not that the host is up. Mixing DROP and REJECT rules gives the firewall away, since nmap --reason prints "no-response" for the dropped ports and "reset" for the rest, so be consistent. tcp-reset only applies to TCP; for UDP rules use the default --reject-with icmp-port-unreachable, which nmap's UDP scan likewise reports as closed. Finally, REJECT costs a reply packet per probe, so under a flood DROP is the cheaper choice.
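To make the difference concrete, here is a small model of how a SYN scanner turns probe responses into port states and how nmap's default output collapses the dominant non-open state into "Not shown". This is an added example, not code from the original post or from nmap: the response labels mirror what nmap prints under --reason, the host's responses are constructed (SSH open, 3306 handled by the rule under test, everything else closed), and the threshold of 25 ports for folding a state into "Not shown" is an assumption about nmap's default, non-verbose output.

```python
"""Model of a TCP SYN scan: probe response -> port state -> nmap-style listing.

Constructed example (not nmap's code). It shows why a port firewalled with
-j DROP stays visible as 'filtered' while one rejected with tcp-reset is
folded into the 'Not shown: N closed ports' line together with every other
closed port.
"""
from collections import Counter

# One SYN probe yields one of these responses (labels modelled on nmap --reason).
SYN_ACK = "syn-ack"             # service completed the handshake
RST = "reset"                   # TCP RST: closed port, or REJECT --reject-with tcp-reset
NO_RESPONSE = "no-response"     # nothing came back: -j DROP (or packet loss)
ICMP_UNREACH = "port-unreach"   # ICMP port unreachable: plain -j REJECT on a TCP rule

# Constructed port list: ports 1..1000 plus the MySQL port from the post.
SCANNED_PORTS = list(range(1, 1001)) + [3306]
# Assumption: at normal verbosity nmap folds a non-open state into
# "Not shown" once more than this many ports are in that state.
NOT_SHOWN_THRESHOLD = 25


def classify(response):
    """Map one SYN-probe response to the state a SYN scan reports."""
    if response == SYN_ACK:
        return "open"
    if response == RST:
        return "closed"
    # No answer or an ICMP unreachable: the scanner cannot tell whether a
    # service sits behind the filter, so it reports 'filtered'.
    if response in (NO_RESPONSE, ICMP_UNREACH):
        return "filtered"
    raise ValueError(f"unknown response {response!r}")


def scan_report(responses):
    """responses: {port: response}.

    Returns (listed, not_shown): listed is [(port, state, reason)] in port
    order for every port that is printed individually; not_shown is
    (state, count) for the folded state, or None if nothing is folded.
    """
    states = {port: classify(resp) for port, resp in responses.items()}
    # Open ports are always listed; only closed/filtered can be folded.
    counts = Counter(state for state in states.values() if state != "open")
    not_shown = None
    if counts:
        state, n = counts.most_common(1)[0]
        if n > NOT_SHOWN_THRESHOLD:
            not_shown = (state, n)
    listed = [
        (port, states[port], responses[port])
        for port in sorted(states)
        if not_shown is None or states[port] != not_shown[0]
    ]
    return listed, not_shown


def host_responses(open_ports, mysql_response):
    """Constructed host: the given ports are open, 3306 answers according to
    the firewall rule under test, every other scanned port is plainly closed."""
    responses = {port: RST for port in SCANNED_PORTS}
    for port in open_ports:
        responses[port] = SYN_ACK
    responses[3306] = mysql_response
    return responses


def drop_host():
    """3306 firewalled with -j DROP: the probe is silently discarded."""
    return scan_report(host_responses({22}, NO_RESPONSE))


def reject_host():
    """3306 firewalled with -j REJECT --reject-with tcp-reset: a RST comes back."""
    return scan_report(host_responses({22}, RST))


def listed_ports(report):
    """Ports that appear as individual lines in the report."""
    return [port for port, _, _ in report[0]]


def render(report):
    """Format the report roughly the way nmap's default output does."""
    listed, not_shown = report
    lines = []
    if not_shown:
        lines.append(f"Not shown: {not_shown[1]} {not_shown[0]} ports")
    for port, state, reason in listed:
        lines.append(f"{port}/tcp {state} (reason: {reason})")
    return "\n".join(lines)


if __name__ == "__main__":
    print("-j DROP on 3306:")
    print(render(drop_host()))
    print()
    print("-j REJECT --reject-with tcp-reset on 3306:")
    print(render(reject_host()))
```

Running it prints 3306 as filtered with reason no-response for the DROP host, while for the REJECT host only 22/tcp open survives and 3306 is absorbed into the "Not shown" line; the reason column is also the tell a scanner has left when a ruleset mixes DROP and REJECT.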
