What's new

Port Scan shows open ports but they aren't forwarded in router - iptables questions

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

jorgsmash

Senior Member
So I decided to run an external vulnerability scan against my home network. My scanning source computer was connected to my mobile hotspot and I targeted my home ISP IP. The scan came back with several ports open. I tested these same ports with nmap and they also show as open. However, testing the ports from several online port checker tools, they show as closed.

Ports 21, 53, 80, 443, 554 and 1723 are reported as being open on my router. I have a fiber connection going into a Frontier ONT, and the router is connected directly to that. I have Skynet installed and enabled. I have some port forwarding set up, and some OpenNAT rules for gaming, but I double checked and none of those ports listed earlier are in the list.

These are my WAN port forwarding settings:

1639691934624.png



Browsing to my DDNS name via http on the scanning computer (connected to my phone hotspot), I received a 504 Gateway Timeout. "The server is unreachable at this moment." I don't have a web server running so there shouldn't be anything listening on 443, or 80. I don't have those ports forwarded in the router.

I decided to check the router iptables configuration. Here is the iptables -L output:


Code:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
INPUT_PING  icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
logdrop    all  --  anywhere             anywhere             state INVALID
PTCSRVWAN  all  --  anywhere             anywhere
PTCSRVLAN  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
OVPN       all  --  anywhere             anywhere             state NEW
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
INPUT_ICMP  icmp --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
REJECT     udp  --  anywhere             anywhere             udp dpt:ntp reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ntp reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
other2wan  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere             state INVALID
SECURITY   all  --  anywhere             anywhere
NSFW       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
OVPN       all  --  anywhere             anywhere             state NEW
DNSFILTER_DOT  tcp  --  anywhere             anywhere             tcp dpt:853
logdrop    all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ACCESS_RESTRICTION (0 references)
target     prot opt source               destination

Chain DNSFILTER_DOT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             MAC 38:F9:D3:62:FA:02
REJECT     all  --  anywhere            !RT-AX88U-F610.       reject-with icmp-port-unreachable

Chain FUPNP (0 references)
target     prot opt source               destination

Chain ICAccept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ICDrop (0 references)
target     prot opt source               destination
logdrop    all  --  anywhere             anywhere

Chain INPUT_ICMP (1 references)
target     prot opt source               destination
RETURN     icmp --  anywhere             anywhere             icmp echo-request
RETURN     icmp --  anywhere             anywhere             icmp timestamp-request
ACCEPT     icmp --  anywhere             anywhere

Chain INPUT_PING (1 references)
target     prot opt source               destination
logdrop    icmp --  anywhere             anywhere

Chain NSFW (1 references)
target     prot opt source               destination

Chain OVPN (2 references)
target     prot opt source               destination

Chain PControls (0 references)
target     prot opt source               destination
logdrop    all  --  anywhere             anywhere

Chain PTCSRVLAN (1 references)
target     prot opt source               destination

Chain PTCSRVWAN (1 references)
target     prot opt source               destination

Chain SECURITY (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
logdrop    icmp --  anywhere             anywhere             icmp echo-request
RETURN     all  --  anywhere             anywhere

Chain default_block (0 references)
target     prot opt source               destination

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (11 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain other2wan (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere


The rules that stick out to me are in the INPUT Chain.

ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW

Should these rules be here? Doesn't that accept all inbound new connections? And why are there duplicates? I'm really trying to get to the bottom of why those ports listed above are showing as open on my WAN IP (They come bask as open using the vuln scanner, and nmap. They come back as closed with several online 3rd party port checker tools.)
 
Add the "-v" flag to your iptables commands, you are not seeing the complete rules.

Personally I doubt you were really scanning from the outside if port 53 was open.
 
I can continue testing, but I don't see how I would have been scanning from inside my network when the scanning computer was connected to my mobile hotspot. Thanks for the reply.

Code:
# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   18  1512 INPUT_PING  icmp --  any    any     anywhere             anywhere             icmp echo-request
 505K  530M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
  252 22408 logdrop    all  --  any    any     anywhere             anywhere             state INVALID
21484 2190K PTCSRVWAN  all  --  !br0   any     anywhere             anywhere
 7141  771K PTCSRVLAN  all  --  br0    any     anywhere             anywhere
 7141  771K ACCEPT     all  --  br0    any     anywhere             anywhere             state NEW
 7381 1369K ACCEPT     all  --  lo     any     anywhere             anywhere             state NEW
14103  820K OVPN       all  --  any    any     anywhere             anywhere             state NEW
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
    0     0 INPUT_ICMP  icmp --  any    any     anywhere             anywhere
14103  820K logdrop    all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     udp  --  br0    any     anywhere             anywhere             udp dpt:ntp reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  br0    any     anywhere             anywhere             tcp dpt:ntp reject-with icmp-port-unreachable
47191   15M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 other2wan  all  --  !br0   eth0    anywhere             anywhere
    0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere
   48  1932 logdrop    all  --  any    any     anywhere             anywhere             state INVALID
   21  1080 SECURITY   all  --  eth0   any     anywhere             anywhere
 1745  748K NSFW       all  --  any    any     anywhere             anywhere
 1724  747K ACCEPT     all  --  br0    any     anywhere             anywhere
   21  1080 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT
    0     0 OVPN       all  --  any    any     anywhere             anywhere             state NEW
    0     0 DNSFILTER_DOT  tcp  --  br+    any     anywhere             anywhere             tcp dpt:853
    0     0 logdrop    all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 3743 packets, 926K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain ACCESS_RESTRICTION (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DNSFILTER_DOT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  any    any     anywhere             anywhere             MAC 38:F9:D3:62:FA:02
    0     0 REJECT     all  --  any    any     anywhere            !RT-AX88U-F610.       reject-with icmp-port-unreachable

Chain FUPNP (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ICAccept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain ICDrop (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 logdrop    all  --  any    any     anywhere             anywhere

Chain INPUT_ICMP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 RETURN     icmp --  any    any     anywhere             anywhere             icmp timestamp-request
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere

Chain INPUT_PING (1 references)
 pkts bytes target     prot opt in     out     source               destination
   18  1512 logdrop    icmp --  eth0   any     anywhere             anywhere

Chain NSFW (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OVPN (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PControls (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 logdrop    all  --  any    any     anywhere             anywhere

Chain PTCSRVLAN (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PTCSRVWAN (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain SECURITY (1 references)
 pkts bytes target     prot opt in     out     source               destination
   21  1080 RETURN     tcp  --  any    any     anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
    0     0 logdrop    tcp  --  any    any     anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN
    0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
    0     0 logdrop    tcp  --  any    any     anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST
    0     0 RETURN     icmp --  any    any     anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
    0     0 logdrop    icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain default_block (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain logdrop (11 references)
 pkts bytes target     prot opt in     out     source               destination
14421  846K DROP       all  --  any    any     anywhere             anywhere

Chain other2wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  tun+   any     anywhere             anywhere
    0     0 logdrop    all  --  any    any     anywhere             anywhere
 
Then something must be wrong with the testing. As you can see, none of these ports are open in the INPUT chain.

Make sure you are seeing them as "open" and not "filtered". Some ISPs will intercept some common ports for security purposes.

You can actually point your browser to see what's coming up from ports 80 or 443.
 
Your iptables rules are normal. The reason you're seeing what looks like duplicate rules is because you didn't specify the -v option.

The apparent open ports are probably false positives caused by your mobile internet provider's equipment.

EDIT: Just seen that @RMerlin had already replied while I was typing my reply.
 
This is what I got when I browsed to my DDNS name in a browser

1639694217875.png


This is the nmap output:

Code:
sudo nmap -Pn -v [removed].asuscomm.com         

[sudo] password for kali:

Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-16 16:43 EST

Initiating Parallel DNS resolution of 1 host. at 16:43

Completed Parallel DNS resolution of 1 host. at 16:43, 0.12s elapsed

Initiating SYN Stealth Scan at 16:43

Scanning [removed].asuscomm.com (47.[removed]) [1000 ports]

Discovered open port 21/tcp on [removed]

Discovered open port 1723/tcp on [removed]

Discovered open port 554/tcp on [removed]

Discovered open port 53/tcp on [removed]

Discovered open port 80/tcp on [removed]

Discovered open port 443/tcp on [removed]

Completed SYN Stealth Scan at 16:43, 4.54s elapsed (1000 total ports)

Nmap scan report for [removed].asuscomm.com ([removed])

Host is up (0.050s latency).

Not shown: 994 filtered tcp ports (no-response)

PORT     STATE SERVICE

21/tcp   open  ftp

53/tcp   open  domain

80/tcp   open  http

443/tcp  open  https

554/tcp  open  rtsp

1723/tcp open  pptp

 

Read data files from: /usr/bin/../share/nmap

Nmap done: 1 IP address (1 host up) scanned in 4.92 seconds

           Raw packets sent: 1997 (87.868KB) | Rcvd: 9 (396B)


Thanks for the replies guys.
 
Looks like ISP side equipment to me, they may be intercepting inbound traffic to these ports.
 
Need to test from somewhere else I guess.
 
Need to test from somewhere else I guess.
Won't change the results if your home ISP is the one messing with this, unless it's the mobile provider implementing some form of transparent proxy.
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top