
How to block the FTP port from showing open on WAN?


Daxx123

Occasional Visitor
First, I'm totally new at this, so hopefully this is a simple solution for the pros here.

My FTP port shows open on port scans, everything else is closed. I have everything FTP turned off in Merlin.

I tried adding to the iptables in the /jffs/scripts/firewall-start:
Code:
iptables -A INPUT -p tcp --dport 20 -j DROP
iptables -A INPUT -p tcp --dport 21 -j DROP

iptables -L showed it did load on reboot and was in the INPUT chain, but that didn't work.

Code:
Success: I can see your service on XXX.XXX.12.7 on port (21)
Your ISP is not blocking port 21

How should I go about doing this?
 
False positive from your ISP's equipment?

Confirm that nothing is listening on that port with the following command:
Code:
netstat -nlp | grep :21

Check that port isn't being forwarded:
Code:
iptables-save -t nat | grep DNAT
 

netstat -nlp | grep :21 returns nothing.

iptables-save -t nat | grep DNAT
Code:
xxxxx@RT-AC86U-1830:/tmp/home/root# iptables-save -t nat | grep DNAT
-A DNSFILTER -j DNAT --to-destination 192.168.50.1
-A PCREDIRECT ! -d 192.168.50.0/24 -i br0 -p tcp -m tcp --dport 80 -m mac --mac-source B4:AE:2B:AA:3B:32 -j DNAT --to-destination 192.168.50.1:18099
-A PCREDIRECT ! -d 192.168.50.0/24 -i br0 -p tcp -m tcp --dport 80 -m mac --mac-source FC:77:74:C9:C1:C9 -j DNAT --to-destination 192.168.50.1:18099
-A PCREDIRECT ! -d 192.168.50.0/24 -i br0 -p tcp -m tcp --dport 80 -m mac --mac-source D0:50:99:A8:D3:E1 -j DNAT --to-destination 192.168.50.1:18099
-A VUPNP -p udp -m udp --dport 4955 -j DNAT --to-destination 192.168.50.87:4955
-A VUPNP -p udp -m udp --dport 4950 -j DNAT --to-destination 192.168.50.87:4950
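The DNAT check suggested above can be applied mechanically rather than by eye. The following Python is added here as an example; it is not code from this thread or from Asuswrt-Merlin, and the function names are mine. It parses the output of `iptables-save -t nat | grep DNAT` (the lines pasted above are reused as constructed sample input, prompt line included) and, for a given protocol and port, separates DNAT rules that name that port in `--dport` from rules that carry no port match at all. The latter are reported separately because whether such a chain ever sees port 21 depends on the rule that jumps into it, which the grep does not show.

```python
import shlex
from typing import Dict, List, Optional

# Sample input: the iptables-save output pasted in this thread, treated here
# as constructed test data (prompt line kept, as a user would paste it).
SAMPLE_NAT = """\
xxxxx@RT-AC86U-1830:/tmp/home/root# iptables-save -t nat | grep DNAT
-A DNSFILTER -j DNAT --to-destination 192.168.50.1
-A PCREDIRECT ! -d 192.168.50.0/24 -i br0 -p tcp -m tcp --dport 80 -m mac --mac-source B4:AE:2B:AA:3B:32 -j DNAT --to-destination 192.168.50.1:18099
-A VUPNP -p udp -m udp --dport 4955 -j DNAT --to-destination 192.168.50.87:4955
-A VUPNP -p udp -m udp --dport 4950 -j DNAT --to-destination 192.168.50.87:4950
"""


def parse_dnat_rules(text: str) -> List[Dict[str, Optional[str]]]:
    """Extract chain, protocol, --dport spec and --to-destination from every
    '-A ... -j DNAT' line; prompt lines and non-DNAT rules are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A ") or " -j DNAT" not in line:
            continue
        toks = shlex.split(line)
        rule: Dict[str, Optional[str]] = {"chain": toks[1], "proto": None,
                                          "dport": None, "to": None}
        for i, tok in enumerate(toks[:-1]):
            if tok == "-p":
                rule["proto"] = toks[i + 1]
            elif tok == "--dport":
                rule["dport"] = toks[i + 1]        # "21" or a range "20:21"
            elif tok == "--to-destination":
                rule["to"] = toks[i + 1]
        rules.append(rule)
    return rules


def _dport_matches(spec: Optional[str], port: int) -> bool:
    """--dport accepts a single port or an inclusive lo:hi range;
    no --dport at all matches every port."""
    if spec is None:
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def check_port(text: str, port: int, proto: str = "tcp") -> Dict[str, list]:
    """Split the DNAT rules that could apply to proto/port into those that
    name the port explicitly and those with no --dport (port-agnostic)."""
    result: Dict[str, list] = {"specific": [], "unrestricted": []}
    for r in parse_dnat_rules(text):
        if r["proto"] not in (None, proto) or not _dport_matches(r["dport"], port):
            continue
        result["specific" if r["dport"] else "unrestricted"].append(r)
    return result


if __name__ == "__main__":
    for port, proto in ((21, "tcp"), (4950, "udp")):
        hits = check_port(SAMPLE_NAT, port, proto)
        print(f"{proto}/{port}: {len(hits['specific'])} port-specific DNAT rule(s); "
              f"port-agnostic chains: {[r['chain'] for r in hits['unrestricted']]}")
```

On the pasted output this reports no port-specific forward for tcp/21, one for udp/4950 (to 192.168.50.87), and flags DNSFILTER as the only port-agnostic DNAT rule, which is the same conclusion the thread reaches by reading the lines.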
 
Move it to the top of the list.

Use -I instead of -A to insert at the top.
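Why the position matters: iptables walks a chain top-down and the first terminating match decides, so a DROP appended with `-A` behind an existing ACCEPT for the same traffic is never reached, while `-I` places it ahead of that ACCEPT. The Python below is a toy model of that first-match walk, added here as an illustration; it is not code from the thread or from the firmware. The chain it starts from is constructed, and its ACCEPT for tcp/21 is hypothetical, there only to show what an appended DROP runs into, not a claim about what the router's real INPUT chain contains.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    target: str                    # terminating target: "ACCEPT" or "DROP"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port
    state: Optional[str] = None    # None matches any conntrack state


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    state: str = "NEW"


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First-match semantics: return the target of the first rule whose
    every specified field matches; otherwise fall through to the policy."""
    for r in chain:
        if r.proto not in (None, pkt.proto):
            continue
        if r.dport not in (None, pkt.dport):
            continue
        if r.state not in (None, pkt.state):
            continue
        return r.target
    return policy


# Constructed stand-in for a pre-populated INPUT chain. The ACCEPT for tcp/21
# is hypothetical: it exists only to show what an appended DROP runs into.
EXISTING_INPUT = [
    Rule("ACCEPT", state="ESTABLISHED"),    # replies to connections we opened
    Rule("ACCEPT", proto="tcp", dport=21),  # an earlier rule allowing FTP
]


def append_drop(chain: List[Rule], port: int) -> List[Rule]:
    """Equivalent of `iptables -A INPUT -p tcp --dport PORT -j DROP`."""
    return chain + [Rule("DROP", proto="tcp", dport=port)]


def insert_drop(chain: List[Rule], port: int) -> List[Rule]:
    """Equivalent of `iptables -I INPUT -p tcp --dport PORT -j DROP`."""
    return [Rule("DROP", proto="tcp", dport=port)] + chain


if __name__ == "__main__":
    probe = Packet("tcp", 21)   # a new inbound connection to the FTP port
    print("appended DROP ->", evaluate(append_drop(EXISTING_INPUT, 21), probe))
    print("inserted DROP ->", evaluate(insert_drop(EXISTING_INPUT, 21), probe))
```

With the constructed chain the appended rule yields ACCEPT and the inserted one DROP; on a real router, `iptables -L INPUT -n --line-numbers` shows where a rule actually landed relative to the rules the firmware generated.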
Just tried that, it didn't work.

And I just stuck it on every chain:
Code:
iptables -A INPUT -p tcp --dport 20 -j DROP
iptables -A INPUT -p tcp --dport 21 -j DROP
iptables -A FORWARD -p tcp --dport 20 -j DROP
iptables -A FORWARD -p tcp --dport 21 -j DROP
iptables -A OUTPUT -p tcp --dport 20 -j DROP
iptables -A OUTPUT -p tcp --dport 21 -j DROP

Still shows open.
 
Do you have something on your network opening the FTP port through UPNP? Check on the port forward list, on the System Log page.

If nothing is open or forwarded on your router, then this might be a false alarm.
 
You don't have port 20 or 21 open.
 
Thanks, I think it must be false alarm. I can't find anything.

Port Forwarding log only shows UDP game ports for Warframe 4950 and 4955.
 
You still used -A which puts it at the end of the rules. Use -I to insert to the top.
 
I did try -I also. I had the rules at the top, at the bottom, and at one point both top and bottom. Still shows open.

I think it's a false positive coming from my ISP's rural wireless radio equipment, like Colin suggested.
 
If you can use an external (i.e. not from your LAN) connection, e.g. mobile device, you could try connecting to that port and seeing what the banner page shows. If it's your router it should say "Asus". If it's not it'll say something different, e.g.:
Code:
# telnet www.xxx.yyy.zzz 21
220 (vsFTPd 3.0.3)
^C
 
Telnet to the ISP radio IP address on port 21 finds a host, opens a black screen, then immediately disconnects me and closes the screen.
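A small Python helper, added here as an example and not taken from the thread, that does what the telnet check above does and also tells apart the outcome just described: a peer that accepts the TCP connection and closes it without sending a greeting. It connects, waits for the first line, and classifies the result. The two loopback listeners it starts are constructed so the block runs offline; the vsFTPd banner is the one quoted in the thread. As suggested above, run it against your own public address only from outside your LAN.

```python
import socket
import threading


def classify_reply(data: bytes) -> str:
    """Turn whatever arrived before EOF/newline into a verdict string."""
    line = data.decode("latin-1").strip()
    return f"banner: {line}" if line else "closed-without-banner"


def read_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to host:port and classify what answers:
       'banner: <line>'        the service sent a greeting (FTP: a 220 line)
       'closed-without-banner' TCP accepted, then closed with no data
       'timeout'               TCP accepted, nothing sent within `timeout`
       'refused' / 'error: …'  no listener, or another socket error"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            while not data.endswith(b"\n") and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:               # peer closed the connection (EOF)
                    break
                data += chunk
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error: {exc.__class__.__name__}"
    return classify_reply(data)


def serve_once(payload: bytes, hold_open: bool = False) -> int:
    """Constructed stand-in for a remote port, for offline demonstration only:
    accept one connection on 127.0.0.1, send `payload` (possibly empty), then
    close unless hold_open is set. Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        srv.close()
        if payload:
            conn.sendall(payload)
        if hold_open:
            threading.Event().wait(30)   # silent listener: never replies
        conn.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    # Case 1: an FTP daemon greets (banner text as quoted in the thread).
    print(read_banner("127.0.0.1", serve_once(b"220 (vsFTPd 3.0.3)\r\n")))
    # Case 2: the ISP-radio behaviour: connection accepted, then dropped.
    print(read_banner("127.0.0.1", serve_once(b"")))
    # Case 3: accepted but silent; give up after one second.
    print(read_banner("127.0.0.1", serve_once(b"", hold_open=True), timeout=1.0))
```

An accepted-then-closed connection is what makes a simple port scanner report "open" even though nothing is serving FTP; the banner (or its absence) is what distinguishes the router's own ftpd from an upstream device answering on the same address.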
 
Thanks everyone, I appreciate all the help in tracing down this FTP open port mystery.

Problem solved.
 
WTH is an ISP device doing with an open port?

These days even for management a port scan shouldn't be able to see that if they use proper management techniques.
 
