Aplicando essa regra, e executando o nmap temos o seguinte resultado.
┌──(root💀kali)-[/home/user/Desktop]
└─# sudo nmap -sS -Pn 172.16.1.5
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 10:44 EDT
Nmap scan report for 172.16.1.5
Host is up (0.21s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 13.87 seconds
Apenas a porta 22 e 80 aparece aberta. Agora, passando uma porta de origem, podemos burlar isso.
┌──(root💀kali)-[/home/user/Desktop]
└─# sudo nmap -sS -Pn -g 53 172.16.1.5
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 10:57 EDT
Nmap scan report for 172.16.1.5
Host is up (0.21s latency).
Not shown: 979 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp filtered http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
3306/tcp filtered mysql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 7.99 seconds
Com isso, conseguimos atingir serviços que antes não conseguimos, enviando a porta de origem junto.