I'm having trouble getting a few ports properly blocked.

An example:

Drop rule in WebMin:
If protocol is TCP and input interface is not lo and destination port is 111

Same rule as it appears from iptables -L:
DROP tcp -- anywhere anywhere tcp dpt:sunrpc

This should block all outside connections, but allow connectivity on the localhost. It's not working properly though, it seems.

Testing results:

telnet localhost 111 (From localhost): Can connect and send data
telnet teknews.net 111 (From home desktop): Connection times out
Nessus scan (From Orbit): Port is open, server running.

I'm at a loss to explain it. At first glance, the rule seems to be working perfectly, works from localhost, blocked from remote hosts. But Nessus says it is open.

There are two "accept" rules on the iptables chain, but they both are limited to two specific ports, and so cannot be causing problems.

Any ideas?

Can you provide us with the output of "iptables -L INPUT -n -v"? Perhaps there is a rule above the DROP that permits access.

Just at a guess, you havent done a blanket allow to SM admins have you? that would allow them to see that port 111 is open etc.

Here's the output

I know this dosen't solve your problem but I see many people like yourself with jumbeled together IP tables rules so here is how you can get everything looking nice:

iptables -N TCP
iptables -N UDP
iptables -N ICMP

iptables -A INPUT -p tcp -j TCP
iptables -A INPUT -p udp -j UDP
iptables -A INPUT -p icmp -j ICMP

this will sort incoming traffic by protocol and now you add rules into each protocols chain

Here my rules (still not done with them)

[root@main root]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
TCP tcp -- anywhere anywhere
UDP udp -- anywhere anywhere
ICMP icmp -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain ICMP (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
DROP icmp -- anywhere anywhere

Chain TCP (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere
BAD tcp -- anywhere anywhere

Chain UDP (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere

Chain BAD (1 references)
target prot opt source destination
DROP tcp -- c-24-9-236-141.hsd1.co.comcast.net anywhere
DROP tcp -- 219.94.59.242 anywhere
DROP tcp -- 219.94.59.242 anywhere
DROP tcp -- 206.170.247.25 anywhere
DROP tcp -- 82-36-20-12.cable.ubr01.smal.blueyonder.co.uk anywhere
[root@main root]#

Ohh ya and the answer to your problem is nessus isn't connecting to the sunrpc port via TCP, it is connecting via UDP which is still allowed as you have made no rule against it.

[root@main root]# nmap -sU -p 100-120 teknews.net

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on 202.69-93-96.reverse.theplanet.com (69.93.96.202):
(The 20 ports scanned but not shown below are in state: closed)
Port State Service
111/udp open sunrpc

Nmap run completed -- 1 IP address (1 host up) scanned in 16 seconds
[root@main root]#

That will be $350 please. :-)

If you want to block this:

iptables -A INPUT -p udp --dport 111 -j DROP

Nope, Nessus reports port 111 TCP specifically:

"sunrpc (111/tcp)"

So that is not it. I'll add a UDP rule anyhow.