[CentOS] nmap showing lots of ports open that shouldn't be

Sun Feb 12 20:30:07 UTC 2006
Jim Bassett <jim at datamantic.com>

On Feb 12, 2006, at 3:22 PM, Craig White wrote:

> On Sun, 2006-02-12 at 15:17 -0500, jim at datamantic.com wrote:
>> I have a CentOS 4.2 machine. lokkit shows that a firewall is
>> enabled, and it is customized to allow SSH, Web, and DNS traffic only.
>>
>> But if I run nmap against the server IP (from my home machine,
>> outside the local network) it shows over 1000 open ports. Am I not
>> understanding nmap, or is there something seriously wrong here?
>>
>> Here is a small snip of the nmap output (I can include it all if that
>> is helpful, but it is quite long):
>>
>> (The 202 ports scanned but not shown below are in state: closed)
>> PORT      STATE SERVICE
>> 1/tcp     open  tcpmux
>> 2/tcp     open  compressnet
>> 3/tcp     open  compressnet
>> 4/tcp     open  unknown
>> 5/tcp     open  rje
>> 6/tcp     open  unknown
>> 7/tcp     open  echo
>> 8/tcp     open  unknown
>> 9/tcp     open  discard
>> 11/tcp    open  systat
>> 12/tcp    open  unknown
>> 13/tcp    open  daytime
>> 14/tcp    open  unknown
>> 15/tcp    open  netstat
>> 16/tcp    open  unknown
>> 17/tcp    open  qotd
>> 20/tcp    open  ftp-data
>> 22/tcp    open  ssh
>> 24/tcp    open  priv-mail
>> 25/tcp    open  smtp
>> 26/tcp    open  unknown
> ----
> might as well get a root shell and type...
>
> iptables -L
>
> and see what's up with that.
>
> Craig
>

Thanks for the response. Any advice on understanding this is appreciated.

[root at ash ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
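
An added example, not part of the original message: a small Python check over `iptables -L` text that flags ACCEPT rules which, as printed, carry no match condition, because the plain listing omits the interface columns that `-v` shows. The sample input is constructed from the listing above; `parse` and `catch_all_accepts` are hypothetical helper names.

```python
import re

# Constructed sample: part of the listing above with mail-wrapped lines rejoined.
LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""

ANY = {"anywhere", "0.0.0.0/0"}  # name-resolved and -n (numeric) spellings

def parse(listing):
    """Return {chain: [(target, prot, source, destination, match_text), ...]}."""
    chains, rules = {}, None
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+) \(", line)
        if header:
            rules = chains.setdefault(header.group(1), [])
            continue
        # Long protocol names run into the opt column ("ipv6-crypt--"); split them.
        f = re.sub(r"(?<=\S)--(?=\s)", " --", line).split()
        if rules is None or len(f) < 5 or f[0] == "target":
            continue
        rules.append((f[0], f[1], f[3], f[4], " ".join(f[5:])))
    return chains

def catch_all_accepts(listing):
    """List (chain, position, later_rules) for ACCEPT rules that, as printed,
    match every packet. Without -v the in/out interface columns are not shown,
    so such a rule may be interface-bound (e.g. loopback); confirm with
    `iptables -L -n -v` before treating it as a hole."""
    found = []
    for chain, rules in parse(listing).items():
        for pos, (target, prot, src, dst, match) in enumerate(rules, 1):
            bare = prot == "all" and src in ANY and dst in ANY and not match
            if target == "ACCEPT" and bare:
                found.append((chain, pos, len(rules) - pos))
    return found

if __name__ == "__main__":
    for chain, pos, later in catch_all_accepts(LISTING):
        print(f"{chain} rule {pos}: unconditional ACCEPT ahead of {later} later rule(s)")
```

Each reported rule should be re-read in the verbose listing: if its `in` column is `*` or an external interface, every rule after it in the chain, including the final REJECT, is never reached for that traffic.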