Firewall: verifying open ports

aboaboit · July 18, 2019, 6:07pm

Hi.

Running nmap from a remote server gives this answer:

PORT     STATE    SERVICE
554/tcp  open     rtsp
6881/tcp filtered bittorrent-tracker
7070/tcp open     realserver

port 6881: forwarded to my NAS, yet QTransmission (Transmission for QNAP) keeps complaining the port isn't open. I see the rule in the output of "iptables -t nat -L"

SNAT       tcp  --  192.168.2.0/24       NAS-hostname    tcp dpts:6881:6891 /* !fw3: NAS-hostname - torrent (reflection) */ to:192.168.2.1
SNAT       udp  --  192.168.2.0/24       NAS-hostname    udp dpts:6881:6891 /* !fw3: NAS-hostname - torrent (reflection) */ to:192.168.2.1
DNAT       tcp  --  192.168.2.0/24       WAN-hostname  tcp dpts:6881:6891 /* !fw3: NAS-hostname - torrent (reflection) */ to:192.168.2.3:6881-6891
DNAT       udp  --  192.168.2.0/24       WAN-hostname  udp dpts:6881:6891 /* !fw3: NAS-hostname - torrent (reflection) */ to:192.168.2.3:6881-6891
DNAT       tcp  --  anywhere             anywhere             tcp dpts:6881:6891 /* !fw3: NAS-hostname - torrent */ to:192.168.2.3:6881-6891
DNAT       udp  --  anywhere             anywhere             udp dpts:6881:6891 /* !fw3: NAS-hostname - torrent */ to:192.168.2.3:6881-6891

I've tried narrowing the rule down to just 6881 but the result is the same: may I safely conclude that it is QTransmission that it is wrong? Apparently downloads are fine.

port 554 and 7070 are interesting because my router knows nothing about them: they are not listed in "netstat -a -l -n" nor in "iptables -t nat -L" nor in "iptables -L". Is it my ISP (TIM.it) playing funny tricks with these ports?

EDIT: ops, wrong category, good catch @tmomas

mindwolf · July 19, 2019, 3:01pm

Give nping a try, you can ping to a port using tcp or udp packets to check the status.

trendy · July 19, 2019, 3:14pm

From my experience this "port open report" thing doesn't work.
Better check by yourself with iptables -t nat -L -vn | grep 6881 and see the bytes and packet hit columns.

aboaboit · July 19, 2019, 6:49pm

@trendy good idea!

So, first I looked up what the "NAT reflection" does and disabled it, so the 3 pair of rules get down to just 1.
Next, I reset the counters and tried connecting to 6881/tcp from outside: the counters barely move but they do. Using nc in udp mode I got slightly more visible results.

Using another host in LAN as target, I exposed the local port 22 in turn to 554, 6881 and 7070 on wan and I could get the SSH handshake on all of them. Most definitely, port 6881 is indeed open.

I checked the NAS config and saw I had a rule to allow only connections from LAN: temporarily disabling it resulted in a positive test result in QTransmission.

Considering I don't have the option to allow by port in the NAS, how can I make forwarded connections on port 6881 appear to come from the router?

Any idea why 554 and 7070 show up as open in nmap even when I have no rules referencing them?

trendy · July 19, 2019, 7:48pm

SNAT

Do you run any UPnP/NAT-PMP?
uci show firewall; iptables-save; netstat -lnp | grep 554; netstat -lnp | grep 7070

aboaboit · July 19, 2019, 7:55pm

Together with the current rule or alone?

Unless it comes as default on 18.06.4 (I don't think so) and I have missed it so far, I'd say no.
More importantly, there is no single match for either port in any of those commands' output.

trendy · July 19, 2019, 8:29pm

Standalone

Last time I checked, no, moreover it is considered a bad security practice so it would be a surprise to be included.
Those ports that you saw as open were either open on the firewall or forwarded to some host in the LAN (or nmap was BSing you).

aboaboit · July 20, 2019, 8:40am

I've tried that, it didn't work: since the target is inside the LAN, the router still needs either a route (not gonna happen because of private address space) or a port forwarding. With both rules enabled the test in QTransmission is positive.

This is scanme.nmap.org scanned from my home:

Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-20 10:34 CEST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.20s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite

Nmap done: 1 IP address (1 host up) scanned in 9.63 seconds

and this scanned from the same remote server I used to scan my own router:

Starting Nmap 6.47 ( http://nmap.org ) at 2019-07-20 10:33 CEST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.16s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
554/tcp   open  rtsp
7070/tcp  open  realserver
9929/tcp  open  nping-echo
31337/tcp open  Elite

Nmap done: 1 IP address (1 host up) scanned in 8.31 seconds

Yup, sure looks like my (remote) ISP is playing tricks with those ports on outgoing connections.
(yup, I looked up "Vodafone 554 7070" and there are a few reports along those lines).

trendy · July 20, 2019, 8:56pm

Right, my wrong.

I can think of the ISP modem/router replying to these as part of some VoIP/TV implementation.