How to pass the GRC stealth test

Ivo_K
DD-WRT Novice


Joined: 12 Jan 2018
Posts: 37

Posted: Sat Apr 03, 2021 12:19    Subject: How to pass the GRC stealth test
I am running DD-WRT r45219 on a Linksys WRT1200AC. The ports probe test on GRC.COM reports ports 135,137,139,445 as "Closed" while all others are reported as "Stealth". I have placed the following in my firewall (on the Administration/Firewall page):

iptables -I FORWARD -p tcp -m multiport --dport 135,137,139,445 -j DROP
iptables -I FORWARD -p udp -m multiport --dport 135,137,139,445 -j DROP


This did not help. How can I "stealthify" these ports?
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1410

Posted: Sat Apr 03, 2021 17:05
It is very possible that your ISP is automatically closing those ports.

The other thing is that you would need to put those rules on the INPUT chain, because Shields up is probing your router's IP, which means that it goes to the router. Shields up has no knowledge of anything behind your router; that is why NAT acts as a filter/firewall.
Ivo_K
DD-WRT Novice


Joined: 12 Jan 2018
Posts: 37

Posted: Sat Apr 03, 2021 17:14
Thanks! I did try the INPUT chain as well, but GRC still reports those ports as "Closed", not "Stealth".

This is the output of iptables -L -v -n for those ports:

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,137,139,445
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,137,139,445


    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,137,139,445
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,137,139,445
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Sat Apr 03, 2021 17:37
As @Wildlion stated, it's highly likely your ISP is to blame here. GRC assumes there's nothing blocking those ports between them and the WAN of your router. But many ISPs do block certain well-known ports (particularly the ones you've specified), thus reporting a lack of stealthiness. There's nothing you can do about it. And it doesn't mean YOUR router isn't blocking these ports already. By default, the WAN DROPs all unsolicited inbound requests unless YOU specifically open those ports using port forwarding.

Same thing can happen when using an OpenVPN client. The VPN provider's server has its own firewall, and may very well report a lack of stealthiness w/ GRC too, perhaps for this and/or other ports.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
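
Added example (not part of any post in this thread, and not DD-WRT's own code): the iptables listing above shows 0 packets on every DROP rule, and the packet counter is what tells you whether an external probe reached the router at all. The function names `drop_hits` and `verdict` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: read the pkts counters of DROP rules to
# see whether an external probe (e.g. the GRC test) actually reached the router.

# Constructed sample in the shape of the listing posted above.
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,137,139,445
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,137,139,445'

# drop_hits PROTO PORT
# Reads an `iptables -L <chain> -v -n -x` listing on stdin and prints the total
# packets counted by DROP rules for PROTO whose destination ports cover PORT.
# Use -x so counters are exact numbers rather than abbreviated (K/M/G).
drop_hits() {
    awk -v proto="$1" -v want="$2" '
        function covers(list,    n, i, p, r) {
            n = split(list, p, ",")
            for (i = 1; i <= n; i++) {
                if (split(p[i], r, ":") == 2) {        # range lo:hi
                    if (want + 0 >= r[1] + 0 && want + 0 <= r[2] + 0) return 1
                } else if (p[i] + 0 == want + 0) return 1
            }
            return 0
        }
        $3 == "DROP" && $4 == proto {
            for (k = 1; k <= NF; k++) {
                f = $k
                if ($k == "dports" && k < NF) f = "dpt:" $(k + 1)
                if (sub(/^dpts?:/, "", f) && covers(f)) { total += $1; break }
            }
        }
        END { print total + 0 }'
}

# verdict PROTO PORT: interpret the counter after the external test has run.
verdict() {
    if [ "$(drop_hits "$1" "$2")" -gt 0 ]; then
        echo "reached-router"   # probes arrived and were dropped here
    else
        echo "not-seen"         # no packet hit the rule since counters were zeroed
    fi
}

printf '%s\n' "$SAMPLE" | verdict tcp 445
```

On the router, zero the counters with `iptables -Z INPUT`, run the external test, then pipe `iptables -L INPUT -v -n -x` into `verdict tcp 445`. A `not-seen` result with the DROP rule at the top of INPUT is consistent with the probe being answered or filtered before it reached the WAN interface, as the replies above suggest.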
Ivo_K
DD-WRT Novice


Joined: 12 Jan 2018
Posts: 37

Posted: Sat Apr 03, 2021 18:51
Many thanks to both of you, @wildlion and @eibgrad, for your kind help. Your explanation stands to reason and is further supported by the fact that a few months ago, with my same router and its setup but a different ISP, I got a straight Stealth verdict from GRC.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Sat Apr 03, 2021 19:13
One other thing to keep in mind. Like many of these firewall testing sites, GRC *only* tests TCP ports, NOT UDP. So even under the best of conditions, the stealthiness they report is NOT a guarantee of complete stealthiness.
Ivo_K
DD-WRT Novice


Joined: 12 Jan 2018
Posts: 37

Posted: Sat Apr 03, 2021 21:33
Thanks again. I was not aware of that.
volvy
DD-WRT Novice


Joined: 18 Mar 2017
Posts: 27
Location: USA

Posted: Wed Apr 07, 2021 0:10
Do you use Access Restrictions? I ran into a case where using more than 12 of the 15 URL entries available per Policy would unstealth ports, and even leave ports open. Supposed to have been fixed for versions after r46096. I've not tested since before that though.