This weekend, I was deploying a new server (thanks Mina). Once deployed, I confirmed that iptables only allowed 21/80/443 traffic, and confirmed:
Sweet! Everything worked. A remote nmap -Pn $serverIp confirmed we were all good.
A few hours and some tinkering later (it was a long weekend, after all), I re-ran nmap from my home network. Imagine my surprise to see ports 21, 554 & 7070 were open! iptables -L confirmed that my default policy was DROP, and I confirmed there were no services running on these ports.
I tethered and re-ran nmap. The ports now showed as closed. In fact, they only showed as open when running the test from my home network, which runs an Apple AirPort router.
After some googling and a trip to the Wayback Machine to read Apple support discussions that have since been removed, it turns out Apple routers try to help. They help by not checking whether the remote host will accept the connection at all: the router completes the TCP handshake with you itself, reports the connection as established, and only then passes along whatever you send next. From the client's side the port looks open no matter what is listening on the server. It is no coincidence which ports are affected: 21 is FTP and 554 and 7070 are RTSP, protocols that home routers commonly inspect and rewrite on the way through.
I managed to confirm the ports were actually closed, contrary to the ‘help’ offered. If you are wondering why ports 21, 554 & 7070 are sometimes open, hopefully this post sets you at ease.
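The router behaviour described above, and the check that the ports were really closed, can both be demonstrated with a probe that looks past the handshake: a genuine listener usually says something once connected (or at least answers a bare line), whereas a middlebox that answered the SYN on the server's behalf only learns the real port is closed afterwards and then drops the client without sending a byte. The following is an added example, not code from the original post. The function and verdict names (probe, scan, "accept-then-close" and so on) are my own, and the three loopback servers are constructed stand-ins for a real service, the router's behaviour and a closed port so the classifier can be run offline.

```python
import socket
import sys
import threading
import time

# The three ports from the post, with their IANA service names.
SUSPECT_PORTS = {21: "ftp", 554: "rtsp", 7070: "rtsp-alt"}


def probe(host, port, timeout=3.0):
    """Classify a TCP port from this vantage point, looking past the handshake.

    Verdicts (names are my own, not nmap's):
      "closed"            connect() refused: the SYN was answered with RST
      "filtered"          connect() timed out: nothing answered the SYN
      "responds"          handshake done and the peer sent bytes (banner or reply)
      "silent"            handshake done, peer sent nothing even after a nudge
      "accept-then-close" handshake done but the peer closed or reset without
                          sending a byte: what a middlebox that answers SYNs on
                          the server's behalf produces when the real port is
                          closed, because it only finds that out afterwards
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"

    with sock:
        sock.settimeout(timeout)
        nudged = False
        while True:
            try:
                data = sock.recv(1024)
            except socket.timeout:
                if nudged:
                    return "silent"
                # Many services (FTP among them) answer a bare line with an
                # error reply, so a real listener that has no banner usually
                # speaks up after this.
                try:
                    sock.sendall(b"\r\n")
                except OSError:
                    return "accept-then-close"
                nudged = True
                continue
            except OSError:
                return "accept-then-close"
            return "responds" if data else "accept-then-close"


def scan(host, ports=tuple(SUSPECT_PORTS), timeout=3.0):
    """Probe each port and return {port: verdict}."""
    return {port: probe(host, port, timeout) for port in ports}


# Constructed stand-ins so the classifier can be exercised offline. Each one
# starts a one-shot listener on an ephemeral loopback port and returns the port.
def _serve_once(handler):
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def banner_server():
    """A real service: greets the client the moment it connects."""
    return _serve_once(lambda conn: conn.sendall(b"220 demo ftp ready\r\n"))


def silent_server():
    """A real but quiet service: holds the connection and never says anything."""
    return _serve_once(lambda conn: time.sleep(5))


def accept_then_close_server():
    """Mimics the router: completes the handshake, then drops the client."""
    return _serve_once(lambda conn: None)


def closed_port():
    """An ephemeral loopback port that nothing is listening on."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, verdict in scan(target).items():
        print(f"{port}/tcp ({SUSPECT_PORTS.get(port, '?')}): {verdict}")
```

Run it against the server once from the AirPort network and once tethered: a port that comes back "accept-then-close" at home but "closed" elsewhere is the router answering the handshake on the server's behalf. A version scan (nmap -sV) reaches the same conclusion by a different route, since it finds no service to identify behind the supposedly open port.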