Table of Contents
URL: https://www.progressiverobot.com/opening-a-port-on-linux/
Introduction
A _port_ is a communication endpoint. Within an operating system, a port is opened or closed to data packets for specific processes or network services.
Typically, ports identify a specific network service assigned to them. This can be changed by manually configuring the service to use a different port, but, in general, the defaults can be used.
The first 1024 ports (port numbers 0 to 1023) are referred to as _well-known port numbers_ and are reserved for the most commonly used services. These include SSH (port 22), HTTP (port 80), HTTPS (port 443).
Port numbers above 1023 are commonly used for user or application-defined services. Ephemeral ports are a subset of these ports and are dynamically assigned to client connections.
- Port numbers
1024to49151are called the _registered/user ports_. - Port numbers
49152to65535are called the _dynamic/private ports_.
In this tutorial, you will open a non-well-known (user/registered) port on Linux, since the most common services use the well-known ports.
[info] Deploy your applications from GitHub using an app platform. Let the cloud provider focus on scaling your app.
[info] Key Takeaways:
- Linux ports act as communication endpoints, with well-known ports reserved for common services and higher-numbered ports typically used by user-defined applications.
- Before opening a new port, you should always verify existing open and listening ports using tools such as
netstator the modernsscommand. - Opening a port on Linux requires configuring the system firewall, using
ufw,firewalld, oriptablesdepending on the distribution. - Firewall rule behavior can vary based on default policies, making rule order especially important when using
iptables. - Successfully opening a port does not guarantee connectivity unless a service is actively listening on that port, which can be tested using tools like
nc,telnet, ornmap. - Firewall changes may be temporary unless explicitly persisted, so additional steps are required to ensure ports remain open after a system reboot.
List All Open Ports
Before opening a port on Linux, you must check the list of all open ports, and choose a user or application-defined port to open that is not on that list.
Use the netstat command to list all open ports, including _TCP_ and _UDP_, which are the most common protocols for packet transmission at the transport layer.
netstat -lntu
This will print:
- all _listening_ sockets (
-l) - the port _number_ (
-n) - _TCP ports_ (
-t) - _UDP ports_ (
-u)
[secondary_label Output]
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 ::1:5432 :::* LISTEN
tcp6 0 0 ::1:6379 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
<!–
–>
Note: If your distribution doesn't have netstat, you can use the ss command to display open ports by checking for listening sockets.
Verify that you are receiving consistent outputs using the ss command to list listening sockets with an open port:
ss -lntu
This will print:
[secondary_label Output]
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:27017 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::1]:5432 0.0.0.0:*
tcp LISTEN 0 128 [::1]:6379 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 0.0.0.0:*
<!–
–>
This displays the same open ports as netstat.
Opening a Port on Linux to Allow TCP Connections
Now, open a closed port and make it listen for TCP connections.
For the purposes of this tutorial, you will be opening port 4000. However, if that port is not open in your system, feel free to choose another closed port. Just make sure that it's greater than 1023.
Ensure that port 4000 is not used using the netstat command:
netstat -na | grep <^>:4000<^>
Or the ss command:
ss -na | grep <^>:4000<^>
The output must remain blank, thus verifying that it is not currently used, so that you can add the port rules manually to the _system iptables firewall_.
For Ubuntu Users and ufw-based Systems
Use ufw – the command line client for the Uncomplicated Firewall.
Your commands will resemble:
sudo ufw allow <^>4000<^>
Refer to How to Setup a ufw Firewall on Ubuntu for more details.
For CentOS and firewalld-based Systems
Use firewall-cmd – the command line client for the firewalld daemon.
Your commands will resemble:
sudo firewall-cmd --add-port=<^>4000<^>/tcp
Refer to How to Set Up firewalld on CentOS for more details.
For Other Linux Distributions
Use iptables to change the system IPv4 packet filter rules.
iptables -A INPUT -p tcp --dport <^>4000<^> -j ACCEPT
If your system uses a default DROP policy for the INPUT chain, rule order matters. In such cases, you may need to insert the rule near the top of the chain using -I instead of appending it with -A.
Refer to How To Set Up A Firewall Using iptables for more details.
Test the Newly Opened Port for TCP Connections
Now that you have successfully opened a new TCP port, it is time to test it.
For testing purposes, start netcat (nc) and listen (-l) on port (-p) 4000, while sending the output of ls to any connected client:
ls | nc -l -p <^>4000<^>
Now, after a client has opened a TCP connection on port 4000, they will receive the output of ls. Leave this session alone for now.
Open another terminal session on the same machine.
Since you opened a TCP port, use telnet to check for TCP connectivity. If the command doesn't exist, install it using your package manager.
Input your server IP and the port number (4000 in this example) and run this command:
telnet <^>localhost<^> <^>4000<^>
This command tries to open a TCP connection on localhost on port 4000.
You'll get an output similar to this, indicating that a connection has been established with the listening program (nc):
[secondary_label Output]
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
while.sh
<!–
–>
The output of ls (while.sh, in this example) has also been sent to the client, indicating a successful TCP connection.
Use nmap to check if the port (-p) is open:
nmap <^>localhost<^> -p <^>4000<^>
This command will check the open port:
[secondary_label Output]
Starting Nmap 7.60 ( https://nmap.org ) at 2020-01-18 21:51 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE
4000/tcp open remoteanything
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
<!–
–>
The port has been opened. You have successfully opened a new port on your Linux system.
Note: nmap only lists opened ports that currently have a listening application. If you don't use any listening application, such as netcat, this will display the port 4000 as closed since there isn't any application listening on that port currently. Similarly, telnet won't work either since it also needs a listening application to bind to. This is the reason why nc is such a useful tool. This simulates a listening service using a simple command.
But this is only temporary, as the changes will be reset every time you reboot the system.
Persisting Rules
The approach presented in this article will only temporarily update the firewall rules until the system shuts down or reboots. So similar steps must be repeated to open the same port again after a restart.
For ufw Firewall
ufw rules do not reset on reboot. This is because it is integrated into the boot process, and the kernel saves the firewall rules using ufw by applying appropriate config files.
For firewalld
If you want to add the port to the firewall's persistent configuration and apply the changes immediately, you can use the --permanent and --reload flags:
sudo firewall-cmd --permanent --add-port=4000/tcp
sudo firewall-cmd --reload
Refer to How to Set Up firewalld for more details.
For iptables
You will need to install additional tooling, such as iptables-persistent, to save and restore firewall rules across reboots.
Refer to How To Set Up a Firewall Using iptables for more details.
Opening Ports Using Different Tools
Using iptables to open specific ports
To open a specific port using iptables, you can use the following command:
sudo iptables -A INPUT -p tcp --dport <port_number> -j ACCEPT
Replace <port_number> with the actual port number you want to open. For example, to open port 4000, you would use:
sudo iptables -A INPUT -p tcp --dport 4000 -j ACCEPT
This command adds a new rule to the INPUT chain to allow incoming TCP traffic on the specified port.
Managing ports with ufw (Uncomplicated Firewall) on Debian/Ubuntu systems
To open a port using ufw, you can use the following command:
sudo ufw allow <port_number>
Replace <port_number> with the actual port number you want to open. For example, to open port 4000, you would use:
sudo ufw allow 4000
This command adds a new rule to allow incoming traffic on the specified port.
Utilizing firewalld for port management on RHEL/CentOS systems
To open a port using firewalld, you can use the following command:
sudo firewall-cmd --add-port=<port_number>/tcp --permanent
sudo firewall-cmd --reload
Replace <port_number> with the actual port number you want to open. For example, to open port 4000, you would use:
sudo firewall-cmd --add-port=4000/tcp --permanent
sudo firewall-cmd --reload
The first command adds a new rule to allow incoming TCP traffic on the specified port, and the second command reloads the firewall configuration to apply the changes.
Checking Open Ports
Commands to list currently open ports
To list currently open ports, you can use the following commands:
netstat:
netstat -lntu
ss:
ss -lntu
This command will display all listening sockets, including the protocol, local address, foreign address, state, and the PID/Program name of the process that is listening on the socket.
nc(Netcat):
nc -z -v -n localhost 1-1024
This command will scan a range of ports on the localhost to check if they are open or not.
Verifying firewall rules and active services
To verify firewall rules and active services, you can use the following commands:
iptables:
sudo iptables -L
ufw:
sudo ufw status
firewalld:
sudo firewall-cmd --list-all
These commands will display the current firewall configuration, including the rules and services that are allowed or blocked.
Common Errors and Debugging
Addressing issues when ports remain closed after configuration
If a port remains closed after configuration, it may be due to a variety of reasons, including:
- The firewall service is not running or is not configured correctly.
- The port is already in use by another service or process.
- The configuration changes have not been applied or have been overridden by another configuration.
To troubleshoot this issue, you can try the following steps:
- Check the firewall service status and ensure it is running.
- Use tools like
netstatorssto verify if the port is already in use. - Review the firewall configuration files to ensure the changes have been applied correctly.
If the port is still not open, you can try the following troubleshooting steps:
- Check the system logs for any firewall-related errors.
- Temporarily disable the firewall to determine whether the port opens. If it does, there may be a rule blocking the port.
- Check for any other firewall management tools that may be conflicting with the current configuration.
Ensuring firewall services are active and correctly configured
To ensure firewall services are active and correctly configured, you can follow these steps:
- Check the firewall service status using commands like
systemctl status ufworsystemctl status firewalld. - Verify that the firewall service is enabled to start automatically on boot using commands like
systemctl enable ufworsystemctl enable firewalld. - Review the firewall configuration files to ensure they are correctly configured and up-to-date.
If the firewall service is not running or not configured correctly, you can try the following troubleshooting steps:
- Restart the firewall service.
- Check for any errors in the firewall configuration files.
- Verify that the correct ports are open in the firewall rules.
Checking for conflicts with other firewall management tools
To check for conflicts with other firewall management tools, you can follow these steps:
- Identify all firewall management tools installed on the system, including
iptables,ufw, andfirewalld. - Verify that only one firewall management tool is active and configured to manage the firewall rules.
- Disable or remove any conflicting firewall management tools to ensure a single tool is managing the firewall rules.
If you are still experiencing issues, you can try the following troubleshooting steps:
- Check for any other services or processes that may be using the port.
- Review the system logs for any errors related to the port.
- If the port is being used by a different service, consider reconfiguring that service to use a different port.
Comparison of Different Firewall Tools: Pros and Cons of iptables, ufw, and firewalld for Opening Ports
| Tool | Description | Pros | Cons | Example Command |
|---|---|---|---|---|
| iptables | A command-line utility for configuring network packet filtering rules. | Highly customizable, powerful, and flexible. | Steeper learning curve, complex syntax. | sudo iptables -A INPUT -p tcp --dport 4000 -j ACCEPT |
| ufw | A simple, easy-to-use command-line utility for managing a netfilter firewall. | Easy to use, simple syntax, and user-friendly. | Limited customization options, not as powerful as iptables. | sudo ufw allow 4000 |
| firewalld | A dynamic daemon to manage firewall rules. | Easy to use, dynamic configuration, and supports zones. | Can be complex to manage for advanced users. | sudo firewall-cmd --add-port=4000/tcp --permanent |
The example commands used above are for opening port 4000 for TCP connections.
FAQs
1. How do I open a port in Linux?
To open a port in Linux, you need to configure your firewall to allow incoming traffic on that port. The steps to do this vary depending on the firewall software you're using. Here are examples for ufw, firewalld, and iptables:
- For
ufw(Uncomplicated Firewall):sudo ufw allow <port_number> - For
firewalld:sudo firewall-cmd --add-port=<port_number>/tcp --permanent && sudo firewall-cmd --reload - For
iptables:sudo iptables -A INPUT -p tcp --dport <port_number> -j ACCEPT
Replace <port_number> with the actual port number you want to open.
2. How to check if port 443 is open in Linux?
To check if port 443 is open in Linux, you can use the netstat or ss command to list all open ports, including TCP and UDP. Here's how:
- Using
netstat:netstat -lntu | grep 443 - Using
ss:ss -lntu | grep 443
If port 443 is open, you should see it listed in the output.
3. How to check if port 22 is open in Linux?
To check if port 22 is open in Linux, you can use the netstat, ss, or nc command to list all open ports, including TCP and UDP. Here's how:
If port 22 is open, you should see it listed in the output.
- Using
netstat:netstat -lntu | grep 22 - Using
ss:ss -lntu | grep 22 - Using
nc:nc -z -v -n localhost 22
4. How to check if a port is open?
To check if a port is open in Linux, you can use the netstat or ss command to list all open ports, including TCP and UDP. Here's how:
- Using
netstat:netstat -lntu | grep <port_number> - Using
ss:ss -lntu | grep <port_number>
Replace <port_number> with the actual port number you want to check. If the port is open, you should see it listed in the output.
5. How to open 22 port in Linux?
Port 22 is commonly used for SSH connections and is often open on systems where the SSH service is enabled. If it's not open, you can follow the steps to open a port in Linux (FAQ 1) and replace <port_number> with 22. Here are the specific commands to open port 22:
- For
ufw:sudo ufw allow 22 - For
firewalld:sudo firewall-cmd --add-port=22/tcp --permanent && sudo firewall-cmd --reload - For
iptables:sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
6. Can I open a range of ports instead of a single port?
Yes, you can open a range of ports instead of a single port. The steps to do this vary depending on the firewall software you're using. Here are examples for ufw, firewalld, and iptables:
- For
ufw(Uncomplicated Firewall):sudo ufw allow <start_port>:<end_port> - For
firewalld:sudo firewall-cmd --add-port=<start_port>-<end_port>/tcp --permanent && sudo firewall-cmd --reload - For
iptables:sudo iptables -A INPUT -p tcp --dport <start_port>:<end_port> -j ACCEPT
Replace <start_port> and <end_port> with the actual port range you want to open.
7. Is it safe to open ports on my Linux system?
Opening ports on your Linux system can be safe if done correctly and with caution. However, it also increases the attack surface of your system, making it more vulnerable to security threats. Here are some best practices to follow:
- Only open the ports that are necessary for your applications or services.
- Use strong passwords and authentication mechanisms for services listening on open ports.
- Regularly update your system and firewall software to ensure you have the latest security patches.
- Monitor your system logs for suspicious activity on open ports.
- Consider using a firewall with a default-deny policy to block all incoming traffic except for the ports you explicitly open.
Conclusion
In this tutorial, you learned how to open a new port on Linux and set it up for incoming connections. You also used netstat, ss, telnet, nc, and nmap to check if a port is open, open a range of ports, and test the newly opened port for TCP connections. Additionally, you explored how to persistently open ports using different firewall tools such as ufw, firewalld, and iptables.
To further expand your knowledge on network connections and security, follow these tutorials:
These tutorials will help you master network connections, port scanning, and firewall setup on Linux systems.
