nmap扫描的问题

一枝梅花压海棠

远程扫描测试一个外网服务器 服务器iptables 入方向只允许ssh访问，其他端口和服务都没开，但是扫描出来结果如下

[root@oracle ~]# nmap -v 157.52.110.227
Starting Nmap 5.51 ( http:、、//nmap.org ) at 2016-01-09 13:31 CST
Initiating Ping Scan at 13:31
Scanning 157.52.110.227 [4 ports]
Completed Ping Scan at 13:31, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:31
Completed Parallel DNS resolution of 1 host. at 13:31, 0.00s elapsed
Initiating SYN Stealth Scan at 13:31
Scanning 157.52.110.227 [1000 ports]

Discovered open port 22/tcp on 157.52.110.227
Discovered open port 1720/tcp on 157.52.110.227
Discovered open port 8888/tcp on 157.52.110.227
Discovered open port 3389/tcp on 157.52.110.227
Discovered open port 3306/tcp on 157.52.110.227
Discovered open port 443/tcp on 157.52.110.227
Discovered open port 80/tcp on 157.52.110.227
Discovered open port 25/tcp on 157.52.110.227
Discovered open port 554/tcp on 157.52.110.227
Discovered open port 445/tcp on 157.52.110.227
Discovered open port 110/tcp on 157.52.110.227
Discovered open port 5087/tcp on 157.52.110.227
Discovered open port 10003/tcp on 157.52.110.227
Discovered open port 5802/tcp on 157.52.110.227
Discovered open port 62078/tcp on 157.52.110.227
Discovered open port 146/tcp on 157.52.110.227
Discovered open port 9503/tcp on 157.52.110.227
Discovered open port 512/tcp on 157.52.110.227
Discovered open port 1154/tcp on 157.52.110.227
Discovered open port 56737/tcp on 157.52.110.227
Discovered open port 1080/tcp on 157.52.110.227
Discovered open port 497/tcp on 157.52.110.227
Discovered open port 51493/tcp on 157.52.110.227
Discovered open port 1048/tcp on 157.52.110.227
Discovered open port 44176/tcp on 157.52.110.227
Discovered open port 2048/tcp on 157.52.110.227
Discovered open port 7800/tcp on 157.52.110.227
Discovered open port 34571/tcp on 157.52.110.227
Discovered open port 32770/tcp on 157.52.110.227
Discovered open port 3031/tcp on 157.52.110.227
Discovered open port 8093/tcp on 157.52.110.227
Discovered open port 903/tcp on 157.52.110.227
Discovered open port 1026/tcp on 157.52.110.227
Discovered open port 88/tcp on 157.52.110.227
Discovered open port 50003/tcp on 157.52.110.227
Discovered open port 1521/tcp on 157.52.110.227
Discovered open port 13456/tcp on 157.52.110.227
Discovered open port 1068/tcp on 157.52.110.227
Discovered open port 1533/tcp on 157.52.110.227
Discovered open port 427/tcp on 157.52.110.227
Discovered open port 9/tcp on 157.52.110.227
Discovered open port 6112/tcp on 157.52.110.227
Discovered open port 9877/tcp on 157.52.110.227
Discovered open port 1641/tcp on 157.52.110.227
Discovered open port 1119/tcp on 157.52.110.227
Discovered open port 2049/tcp on 157.52.110.227
Discovered open port 5825/tcp on 157.52.110.227
Discovered open port 8002/tcp on 157.52.110.227
Discovered open port 2605/tcp on 157.52.110.227
Discovered open port 4900/tcp on 157.52.110.227
Discovered open port 1000/tcp on 157.52.110.227
Discovered open port 1151/tcp on 157.52.110.227
Discovered open port 3269/tcp on 157.52.110.227
Discovered open port 1761/tcp on 157.52.110.227

（以上IP都是经过修改的）

远程服务器iptables配置如下
[huangwb@localhost ~]$ sudo service iptables status
表格：filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           （这个是针对环回接口的）
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         


几乎端口都显示是开放的 而且Telnet测试端口也通的，那么问题来了 这样iptables 为何没有起作用，而且Telnet测试后再扫描的话 显示端口有关闭了

[root@oracle ~]# nmap -v 157.52.110.227

Starting Nmap 5.51 ( http://、、、nmap.org ) at 2016-01-09 14:56 CST
Initiating Ping Scan at 14:56
Scanning 157.52.110.227  [4 ports]
Completed Ping Scan at 14:56, 3.01s elapsed (1 total hosts)
Nmap scan report for 157.52.110.227 [host down]
Read data files from: /usr/share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.07 seconds
           Raw packets sent: 8 (304B) | Rcvd: 0 (0B)


过段时候在扫描又显示全都open，反复出现好多次了 哪位大侠帮忙分析下原因啊

lyhabc

我一般只用INPUT链
很少用prerouting ，postrouting，forward，output

一枝梅花压海棠

INUPUT 链我写的应该没有问题啊 就是挡不住Telnet回复 2# lyhabc


   

haooooaaa

写得是没问题，不过应该改改，


Chain INPUT (policy ACCEPT)

应该默认 DROP

yyu0378

楼上正解，字数补丁

lyhabc

加个drop吧，在OUTPUT链，我一般用nc命令来扫端口
nc -z -w 2 192.168.2.6 80

Chain OUTPUT (policy ACCEPT)

一枝梅花压海棠

我在INPUT链的最后写了一条DROP策略，这样和你说的效果应该是一样的啊 回复 4# haooooaaa


   

haooooaaa

回复 7# 一枝梅花压海棠


    有顺序的，

一般是

1. iptables -P INPUT DROP
   
2. iptables -P OUTPUT ACCEPT
   
3. iptables -P FORWARD ACCEPT

复制代码

INPUT 默认 DROP

一枝梅花压海棠

iptables -P INPUT DROP 是默认策略 意思是input链中的所有具体规则都不匹配然后采用的默认策略，我的在INPUT链的具体规则最后一条已经写了DROP掉任意源到任意目的的所有协议的包，所有数据包到此已经处理完毕，因此不需要执行默认策略，不管他是accept还是drop都不起作用，不知道我的理解对不对回复 8# haooooaaa


   

一枝梅花压海棠

这个问题搞不定了