When you see "filtered" in Nmap output like this:
```
PORT     STATE    SERVICE
7000/tcp filtered afs3-fileserver
7001/tcp filtered afs3-callback
```
This indicates that Nmap received no response from these ports - but crucially, it doesn't tell you what is causing the filtering. The blocking could be coming from:
- Host-based firewall (iptables, Windows Firewall)
- Network firewall/security appliance
- ISP restrictions
- Cloud provider security groups
Here are practical methods to pinpoint the filtering source:
1. Traceroute with TCP SYN
```bash
sudo traceroute -T -p 7000 10.1.1.1
```
The `-T` flag uses TCP SYN packets, which can help identify where in the network path the blocking occurs.
2. Using hping3 for Firewall Testing
```bash
sudo hping3 -S -p 7000 -c 3 10.1.1.1
```
This sends SYN packets specifically and shows detailed responses. Common results:
- No reply = likely filtered
- RST reply = port closed
- SYN-ACK = port open
3. Packet Capture with tcpdump
On the target machine (if accessible):
```bash
sudo tcpdump -i eth0 'host 10.1.1.1 and port 7000' -w port_filtering.pcap
```
Analyze the capture to see if packets are reaching the host but being dropped.
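One way to do that analysis, as an added example that is not part of the original page: it reads the text form of the capture (assumed to come from `tcpdump -nn -r port_filtering.pcap`) and reports, per port, whether the SYN reached the host and what the host sent back. The sample lines and the `classify` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn -r port_filtering.pcap` text output.
SAMPLE = """\
12:00:01.000001 IP 192.0.2.10.40001 > 10.1.1.1.7000: Flags [S], seq 100, win 1024, length 0
12:00:02.000001 IP 192.0.2.10.40001 > 10.1.1.1.7000: Flags [S], seq 100, win 1024, length 0
12:00:03.000001 IP 192.0.2.10.40002 > 10.1.1.1.7001: Flags [S], seq 200, win 1024, length 0
12:00:03.000050 IP 10.1.1.1.7001 > 192.0.2.10.40002: Flags [R.], seq 0, ack 201, win 0, length 0
12:00:04.000001 IP 192.0.2.10.40003 > 10.1.1.1.22: Flags [S], seq 300, win 1024, length 0
12:00:04.000050 IP 10.1.1.1.22 > 192.0.2.10.40003: Flags [S.], seq 900, ack 301, win 65535, length 0
"""

# src_ip.src_port > dst_ip.dst_port: Flags [..]
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")

def classify(capture_text, target, ports):
    """Map each port to where the probe was lost, judged from the target's own capture."""
    syn_in = defaultdict(int)   # port -> inbound SYNs seen on the wire
    reply = {}                  # port -> flags of the first reply the target sent
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst == target and flags == "S":
            syn_in[int(dport)] += 1
        elif src == target and ("S" in flags or "R" in flags):
            reply.setdefault(int(sport), flags)
    result = {}
    for port in ports:
        if syn_in[port] == 0:
            result[port] = "no SYN arrived: dropped upstream of this host"
        elif port not in reply:
            # tcpdump taps inbound packets before netfilter, so a local DROP rule looks like this
            result[port] = "SYN arrived, no reply: dropped on the host (local firewall)"
        elif "R" in reply[port]:
            result[port] = "SYN arrived, RST sent: port closed, reply may be lost on return path"
        else:
            result[port] = "SYN arrived, SYN-ACK sent: port open, reply may be lost on return path"
    return result

if __name__ == "__main__":
    for port, verdict in classify(SAMPLE, "10.1.1.1", [22, 7000, 7001, 7002]).items():
        print(port, verdict)
```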
For AWS/GCP/Azure environments:
- Check Security Group rules
- Verify Network ACLs
- Inspect VPC flow logs
Example AWS CLI command to check security groups:
```bash
aws ec2 describe-security-groups --group-ids sg-12345678 --query 'SecurityGroups[].IpPermissions[]'
```
Python script to test multiple port states:
```python
from scapy.all import IP, TCP, sr1

target = "10.1.1.1"
ports = range(7000, 7021)

def port_test(port):
    # Send a single SYN and wait up to 2 seconds for a reply
    pkt = IP(dst=target)/TCP(dport=port, flags="S")
    resp = sr1(pkt, timeout=2, verbose=0)
    if resp is None:
        return f"{port}: Filtered (no response)"
    elif resp.haslayer(TCP):
        flags = int(resp.getlayer(TCP).flags)
        # Require both SYN and ACK; a bare "& 0x12" also matches RST-ACK
        if (flags & 0x12) == 0x12:  # SYN-ACK
            return f"{port}: Open"
        elif flags & 0x04:  # RST or RST-ACK
            return f"{port}: Closed"
    return f"{port}: Unknown state"

for port in ports:
    print(port_test(port))
```
- Start with basic Nmap scan to identify filtered ports
- Use traceroute to map the network path
- Test with hping3 to verify firewall behavior
- If possible, check packet capture on target host
- Review cloud security rules if applicable
When Nmap reports ports as "filtered," it indicates the scanner received no response (not even a RST packet) from the target. This typically means either:
- A firewall is actively dropping packets
- Network filtering devices are intercepting traffic
- Routing issues prevent packets from reaching the target
To determine what's actually blocking your traffic, try these methods:
1. TCP Traceroute Analysis
```bash
sudo traceroute -T -p 7000 10.1.1.1
```
This helps identify where in the network path the filtering occurs.
2. Firewall Rule Testing with hping3
```bash
sudo hping3 -S -p 7000 -c 3 10.1.1.1
```
Analyze responses to determine if packets are being dropped silently or with ICMP messages.
3. Protocol-Specific Connection Attempts
```bash
nc -zv 10.1.1.1 7000-7020
telnet 10.1.1.1 7000
```
Tool | Best For | Sample Command |
---|---|---|
Nmap | Initial port scanning | nmap -sS -p- -T4 10.1.1.1 |
tcpdump | Packet capture analysis | sudo tcpdump -i eth0 host 10.1.1.1 |
Wireshark | Visual traffic inspection | - |
iptables | Local firewall rules | sudo iptables -L -n -v |
For our example where ports 7000-7020 show as filtered:
- First verify basic connectivity:
  ```bash
  ping 10.1.1.1
  ```
- Check if any ports respond differently:
  ```bash
  nmap -sA -p 7000-7020 10.1.1.1
  ```
- Attempt service-specific connections if you know expected protocols
Key patterns to recognize:
- No response at all → Likely firewall drop rule
- ICMP unreachable → Network device blocking
- TCP RST → Port closed but reachable
- Partial response → Possible deep packet inspection
Consider this Python script using Scapy for advanced analysis:
```python
from scapy.all import IP, TCP, sr1

# Send one SYN to port 7000 and wait up to 2 seconds for a reply
ans = sr1(IP(dst="10.1.1.1")/TCP(dport=7000, flags="S"), timeout=2)
if ans is not None:
    if ans.haslayer(TCP):
        if ans.getlayer(TCP).flags == 0x12:  # SYN-ACK
            print("Port open")
        elif ans.getlayer(TCP).flags == 0x14:  # RST-ACK
            print("Port closed")
    else:
        # For example an ICMP unreachable from a device on the path
        print("Received non-TCP response")
else:
    print("No response (filtered)")
```