
When I run nmap <host> on my server it says the following ports are open, but my iptables have no rules explicitly allowing them.

135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds

It's a Debian web server running a Postfix mail server as well.

I don't see anything specifically in iptables that is allowing these ports.

*nat

# Allow openvpn connections (nat)
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

COMMIT

*filter

# This will allow all loopback (lo0) traffic and drop all traffic to 127/8
# that does not use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  This accepts all already established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# This allows all outbound traffic
-A OUTPUT -j ACCEPT

# This will allow HTTP and HTTPS connections from anywhere; these are the normal
# ports used for a web server
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow bittorrent/rtorrent ports, from ~/.rtorrent.rc
-A INPUT -p tcp --dport 8071:8079 -j ACCEPT
-A INPUT -p udp --dport 6881 -j ACCEPT

# Allow tor (the onion router) connections for relay node
-A INPUT -p tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp --dport 9030 -j ACCEPT

# Allow mx connections
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT

# Allow ICMP ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Allow openvpn connections
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -p tcp --dport 1194 -j ACCEPT

# Keep this last line
# Reject all other inbound traffic
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

How are these scannable if my iptables.rules file is not allowing them? Am I running these services? How do I stop them?

chovy
  • When you say "on my server", do you mean that the program is running on your server or that it is running on some other machine and pointed at your server? – David Schwartz Dec 04 '13 at 22:40
  • [`filtered`](https://secwiki.org/w/FAQ_filtered) means that no response was received to any probe to this port. – bonsaiviking Dec 05 '13 at 00:38

1 Answer

7

Your Internet Service Provider is filtering outbound traffic on those ports. This is very common with residential Internet connections. The block affects Windows NetBIOS and CIFS traffic, and is intended to prevent customers from browsing files on their (poorly secured) neighbors' computers.

Michael Hampton
  • So this is something with DSL provider at home? Not the server itself? – chovy Dec 04 '13 at 22:33
  • Right. Your home provider blocks this traffic. Try running the scan from another _server_ out in a real datacenter and you will see the difference. – Michael Hampton Dec 04 '13 at 23:11
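The practical check behind the answer above, as an added example that is not part of the original question or answer: nmap's `filtered` state means no reply at all came back (neither a SYN/ACK nor a RST), which is what an upstream block looks like; a port the server itself rejects with the final `-A INPUT -j REJECT` rule would show as `closed`. The script below reads a constructed sample of `nmap --reason` output (not a real scan), pulls out the filtered ports, and then asks the server itself, with `ss` from iproute2, whether anything is listening there. It assumes bash with awk; the `ss` step is skipped where `ss` is not installed.

```shell
#!/usr/bin/env bash
# Added example: tell "filtered" (probe dropped in transit) from "open"
# (server answered) and confirm locally whether a service is listening.
set -eu

# Constructed sample of `nmap -sS --reason <host>` output, not real scan data.
# The REASON column is what distinguishes the cases:
#   syn-ack      -> the server answered, the port is really open
#   reset        -> the server (or its REJECT rule) answered, port closed
#   no-response  -> nothing came back; something between scanner and
#                   server dropped the probe (here: the home ISP)
SAMPLE_NMAP_OUTPUT='PORT     STATE    SERVICE      REASON
22/tcp   open     ssh          syn-ack ttl 64
80/tcp   open     http         syn-ack ttl 64
135/tcp  filtered msrpc        no-response
139/tcp  filtered netbios-ssn  no-response
445/tcp  filtered microsoft-ds no-response
8080/tcp closed   http-proxy   reset ttl 64'

# Print the state nmap reported for one TCP port ("open", "filtered", ...).
# $1 = port number; nmap output on stdin.
nmap_state() {
  awk -v p="$1/tcp" '$1 == p { print $2 }'
}

# Print, one per line, every TCP port nmap marked as filtered.
# nmap output on stdin.
filtered_ports() {
  awk '$2 == "filtered" { sub(/\/tcp$/, "", $1); print $1 }'
}

# Run ON THE SERVER: is any process listening on TCP port $1?
# Returns 0 if ss(8) shows a listener, 1 otherwise. The "sport = :PORT"
# filter is ss's own syntax; the header line is dropped with tail.
listening_locally() {
  ss -ltn "sport = :$1" 2>/dev/null | tail -n +2 | grep -q .
}

# Walk the filtered ports and explain what the state does and does not prove.
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | filtered_ports | while read -r port; do
  echo "port $port: filtered = no response at all; the probe was dropped before" \
       "reaching the INPUT chain, which is not evidence of a listening service"
  if command -v ss >/dev/null 2>&1; then
    if listening_locally "$port"; then
      echo "  but ss shows a local listener on $port, so a service IS running here"
    else
      echo "  and ss shows no local listener on $port"
    fi
  fi
done
```

Running the scan from a host in a datacenter, as the answer suggests, would turn those three lines into `closed` with reason `reset` if the server's own `-A INPUT -j REJECT` rule is what answers, or `open` only if `ss` also shows a listener.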