Hi,

I'm having problems properly closing all ports (I don't want a "stealthy" firewall). When doing a portscan with nmap the following ports show up as being filtered: 1:13, 135:139, 445, 1080, 444 (tcp)

I've tried explicitly closing those ports, but that doesn't help either.

Here's the output of iptables-save:

# Generated by iptables-save v1.2.8 on Thu Oct 30 04:09:24 2003
*nat
:PREROUTING ACCEPT [11298:684613]
:POSTROUTING ACCEPT [22074:1005976]
:OUTPUT ACCEPT [11166:569656]
COMMIT
# Completed on Thu Oct 30 04:09:24 2003
# Generated by iptables-save v1.2.8 on Thu Oct 30 04:09:24 2003
*mangle
:PREROUTING ACCEPT [172068:190774880]
:INPUT ACCEPT [172068:190774880]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [119261:7507204]
:POSTROUTING ACCEPT [119261:7507204]
COMMIT
# Completed on Thu Oct 30 04:09:24 2003
# Generated by iptables-save v1.2.8 on Thu Oct 30 04:09:24 2003
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [68119:4428955]
:DUMP - [0:0]
:STATEFUL - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth0 -j DUMP
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j DUMP
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j DUMP
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j DUMP
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -d XXX.XXX.XXX.XXX -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d XXX.XXX.XXX.XXX -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d XXX.XXX.XXX.XXX -p tcp -m tcp --dport 2401 -j ACCEPT
-A INPUT -d XXX.XXX.XXX.XXX -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -d XXX.XXX.XXX.XXX -p tcp -m tcp --dport 49000:49010 -j ACCEPT
-A INPUT -j STATEFUL
-A OUTPUT -o lo -j ACCEPT
-A DUMP -p tcp -j LOG
-A DUMP -p udp -j LOG
-A DUMP -p tcp -j REJECT --reject-with tcp-reset
-A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
-A DUMP -j DROP
-A STATEFUL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATEFUL -i ! eth0 -m state --state NEW -j ACCEPT
-A STATEFUL -j DUMP
COMMIT
# Completed on Thu Oct 30 04:09:24 2003

I'm using Slackware 9.1.0, kernel 2.4.22 with the following modules loaded:

ipt_state ipt_REJECT ipt_LOG iptable_nat ip_conntrack iptable_mangle iptable_filter ip_tables ble_mangle

I've googled around quite a bit and looked at the FAQ, but I just couldn't find an answer to my problem. Also I have a friend who has a similar problem, but he claims that random ports show up as filtered every time.

Does anyone have an idea what I might be doing wrong here? Let me know if you need to know anything else about my setup.

Oh and please cc me on all replies, I'm not subscribed to netfilter.

Thanks,
Tarmo
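
Added example, not part of the original message or of netfilter: this Python code walks a probe packet through the TCP/UDP-relevant filter rules quoted in the post and returns the verdict those rules produce. The packet fields (`iface`, `proto`, `dport`, `state`) and the function names are assumptions made for the illustration; a TCP reset is the reply nmap reports as "closed", whereas a probe that gets no reply is reported as "filtered".

```python
# Filter-table rules copied from the post (private-source and ICMP rules omitted:
# they never match a public TCP/UDP probe). The redacted -d is assumed to match.
RULES = """
-A INPUT -i lo -j ACCEPT
-A INPUT -d XXX.XXX.XXX.XXX -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d XXX.XXX.XXX.XXX -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d XXX.XXX.XXX.XXX -p tcp -m tcp --dport 2401 -j ACCEPT
-A INPUT -d XXX.XXX.XXX.XXX -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -d XXX.XXX.XXX.XXX -p tcp -m tcp --dport 49000:49010 -j ACCEPT
-A INPUT -j STATEFUL
-A DUMP -p tcp -j LOG
-A DUMP -p udp -j LOG
-A DUMP -p tcp -j REJECT --reject-with tcp-reset
-A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
-A DUMP -j DROP
-A STATEFUL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATEFUL -i ! eth0 -m state --state NEW -j ACCEPT
-A STATEFUL -j DUMP
""".strip().splitlines()

def parse(line):
    t, opts, i = line.split(), {}, 2
    while i < len(t):
        neg = t[i + 1] == "!"   # old-style negation, as in "-i ! eth0"
        opts[t[i].lstrip("-")] = (neg, t[i + 1 + neg])
        i += 2 + neg
    return t[1], opts           # (chain name, {option: (negated, value)})

def matches(opts, pkt):
    tests = {
        "i": lambda v: pkt["iface"] == v,
        "p": lambda v: pkt["proto"] == v,
        "dport": lambda v: int(v.split(":")[0]) <= pkt["dport"] <= int(v.split(":")[-1]),
        "state": lambda v: pkt["state"] in v.split(","),
    }
    return all(tests[k](v) != neg for k, (neg, v) in opts.items() if k in tests)

def verdict(pkt, chain="INPUT"):
    for ch, opts in map(parse, RULES):
        if ch != chain or not matches(opts, pkt):
            continue
        target = opts["j"][1]
        if target == "LOG":
            continue            # LOG does not end traversal
        if target == "REJECT":
            return "REJECT " + opts["reject-with"][1]
        result = target if target in ("ACCEPT", "DROP") else verdict(pkt, target)
        if result:
            return result
    return "DROP" if chain == "INPUT" else None  # policy, or return to caller
```

For example, `verdict({"iface": "eth0", "proto": "tcp", "dport": 445, "state": "NEW"})` returns `"REJECT tcp-reset"`, the verdict the posted rules give a new connection to port 445 arriving on eth0.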