Introduction
A port is a communication endpoint. In an operating system, a port is opened or closed to data packets for specific processes or network services.
Typically, ports identify a specific network service that is assigned to them. This can be changed by manually configuring the service to use a different port, but in general, the defaults can be used.
The first 1024 ports (port numbers 0 to 1023) are called well-known port numbers and are reserved for the most common services. These include SSH (port 22), HTTP (port 80) and HTTPS (port 443).
Ports from 1024 upwards are called ephemeral ports:
- Ports 1024 to 49151 are called registered/user ports.
- Ports 49152 to 65535 are called dynamic/private ports.
In this tutorial, you will open an ephemeral port in Linux, as most common services use well-known ports.
Prerequisites
- Familiarity with using the terminal
List of all open ports
Before opening a port in Linux, you should check the list of all open ports and select an ephemeral port to open that is not on that list.
Use the netstat command to list all open ports, including TCP and UDP, which are the most common protocols for packet transfer:
netstat -lntu
This will print:
- All listening sockets (-l)
- Port number (-n)
- TCP ports (-t)
- UDP ports (-u)
Output
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 ::1:5432 :::* LISTEN
tcp6 0 0 ::1:6379 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
Verify that you get consistent output using the ss command to list listening sockets with open ports:
ss -lntu
This will print:
Output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:27017 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::1]:5432 0.0.0.0:*
tcp LISTEN 0 128 [::1]:6379 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 0.0.0.0:*
This gives more or less the same open ports as netstat.
Open a port in Linux to allow TCP connections
Now, open a closed port and make it listen for TCP connections.
For the purposes of this tutorial, you will open port 4000. However, if that port is already in use on your system, feel free to choose another closed port. Just make sure it is greater than 1023.
Make sure port 4000 is not in use using the netstat command:
netstat -na | grep :4000
Or the ss command:
ss -na | grep :4000
The output should be empty, which confirms that the port is not currently in use, so you can now add a rule for it to the system firewall.
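The two checks above can be scripted. The following is an added example, not part of the tutorial: a set of POSIX sh functions that parse ss -lntu output, report whether a port is already listening, and reject candidates below 1024 as the tutorial requires. A constructed sample of ss output is embedded so it runs offline; without the second argument the functions query the live system.

```shell
# Added example (not from the tutorial). Parses `ss -lntu` output to decide
# whether a candidate port is free. Plain POSIX sh, awk, sort and grep.

# Constructed sample of `ss -lntu` output, not captured from a real host.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*'

# Read ss -lntu output on stdin and print each distinct listening port once.
# The port is the last ":"-separated piece of column 5, which copes with
# 0.0.0.0:22, 127.0.0.53%lo:53 and [::]:22 alike. The header line is skipped.
listening_ports() {
  awk 'NR > 1 { n = split($5, a, ":"); if (a[n] ~ /^[0-9]+$/) print a[n] }' \
    | sort -n -u
}

# port_in_use PORT [SS_OUTPUT]: exit 0 if PORT is listening, 1 otherwise.
# With no second argument the live system is queried via ss -lntu.
port_in_use() {
  if [ $# -ge 2 ]; then
    ports=$(printf '%s\n' "$2" | listening_ports)
  else
    ports=$(ss -lntu | listening_ports)
  fi
  printf '%s\n' "$ports" | grep -qx "$1"
}

# check_port PORT [SS_OUTPUT]: exit 0 only if PORT is numeric, above the
# well-known range (1024-65535) and not already listening; explains otherwise.
check_port() {
  port=$1
  case $port in
    ''|*[!0-9]*) echo "'$port' is not a port number"; return 1 ;;
  esac
  if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
    echo "port $port is outside the 1024-65535 range"; return 1
  fi
  if port_in_use "$@"; then
    echo "port $port is already in use"; return 1
  fi
  echo "port $port is free"
}

# Usage against the constructed sample (drop the second argument for a live check):
check_port 4000 "$SAMPLE_SS_OUTPUT"
check_port 5432 "$SAMPLE_SS_OUTPUT"
```

The netstat listing in the tutorial has the same information in column 4 rather than column 5; adjust the awk field if you feed it netstat output instead.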
For Ubuntu users and ufw-based systems
Use ufw – a command line client for a hassle-free firewall.
Your commands are similar to:
sudo ufw allow 4000
For CentOS and firewalld-based systems
Use firewall-cmd – command line client for the firewalld daemon.
Your commands are similar to:
firewall-cmd --add-port=4000/tcp
For other Linux distributions
Use iptables to modify the system's IPv4 packet filtering rules.
iptables -A INPUT -p tcp --dport 4000 -j ACCEPT
Test the newly opened port for TCP connections
Now that you have successfully opened a new TCP port, it's time to test it.
First, start netcat (nc) and listen (-l) on port (-p) 4000, while sending the output of ls to each connected client:
ls | nc -l -p 4000
Now, when a client opens a TCP connection to port 4000, it will receive the output of ls. Leave this session running for now.
Open another terminal session on the same device.
Since you opened a TCP port, use telnet to check the TCP connection. If the command is not there, install it using your package manager.
Enter your server IP and port number (4000 in this example) and run this command:
telnet localhost 4000
This command attempts to open a TCP connection to localhost on port 4000.
You will receive output similar to this, indicating that a connection has been established with the listening program (nc):
Output
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
while.sh
The output of ls (in this example, while.sh) is also sent to the client, indicating a successful TCP connection.
Use nmap to check if the port is open (-p):
nmap localhost -p 4000
This command checks whether the port is open:
Output
Starting Nmap 7.60 ( https://nmap.org ) at 2020-01-18 21:51 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE
4000/tcp open remoteanything
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
The port is reported as open. You have successfully opened a new port on your Linux system.
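The opening and testing steps above, from choosing the firewall front end to probing the result, as one added shell example that is not the tutorial's own script. It assumes POSIX sh, bash for its /dev/tcp pseudo-device, and coreutils timeout; ufw, firewall-cmd and iptables are the tools the tutorial uses, and the "persist" option adds the reboot-safe steps from the Sustainable rules section. Two caveats are built in: the iptables rule is inserted with -I rather than appended with -A, so it is evaluated before any REJECT or DROP rule already present in INPUT, and the probe distinguishes a closed port (the host answers with RST) from a filtered one (no answer), which is what you see when nc is listening but the firewall rule was never applied.

```shell
# Added example (not from the tutorial). Prints the commands that open a TCP
# port with whichever firewall front end the host has, then probes the port
# the way nmap classifies it. Assumes POSIX sh, bash and coreutils timeout.

# Pick the first installed front end, in the tutorial's order.
detect_firewall_tool() {
  for t in ufw firewall-cmd iptables; do
    if command -v "$t" >/dev/null 2>&1; then echo "$t"; return 0; fi
  done
  echo "no supported firewall tool found" >&2
  return 1
}

# open_tcp_port_cmd PORT [TOOL] [persist]: print the command(s) that allow
# inbound TCP on PORT. TOOL overrides detection (ufw, firewall-cmd, iptables);
# a third argument "persist" adds the steps that survive a reboot.
# Commands are printed, not executed; pipe the output to `sh` to apply them.
open_tcp_port_cmd() {
  port=$1
  case $port in ''|*[!0-9]*) echo "'$port' is not a port number" >&2; return 1 ;; esac
  if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
    echo "port $port is outside the 1024-65535 range" >&2; return 1
  fi
  if [ -n "$2" ]; then tool=$2; else tool=$(detect_firewall_tool) || return 1; fi
  case $tool in
    ufw)
      # ufw rules are already persistent; /tcp limits the rule to TCP.
      echo "sudo ufw allow $port/tcp" ;;
    firewall-cmd)
      echo "sudo firewall-cmd --add-port=$port/tcp"
      if [ "$3" = persist ]; then
        echo "sudo firewall-cmd --permanent --add-port=$port/tcp"
        echo "sudo firewall-cmd --reload"
      fi ;;
    iptables)
      # -I puts the rule at the top of INPUT so it is evaluated before any
      # existing REJECT/DROP rule; -A (as in the tutorial) appends after them.
      echo "sudo iptables -I INPUT -p tcp --dport $port -j ACCEPT"
      if [ "$3" = persist ]; then
        # File restored at boot by the iptables-persistent package (Debian/Ubuntu).
        echo "sudo sh -c 'iptables-save > /etc/iptables/rules.v4'"
      fi ;;
    *)
      echo "unsupported firewall tool: $tool" >&2; return 1 ;;
  esac
}

# tcp_port_state HOST PORT [TIMEOUT]: print open, closed or filtered and
# return 0 only when open.
#   open     - the TCP handshake completed: something listens and is reachable
#   closed   - the host answered with RST: reachable, but nothing listens
#   filtered - no answer within TIMEOUT seconds: typically dropped by a firewall
tcp_port_state() {
  command -v bash >/dev/null 2>&1 || { echo unknown; return 2; }
  timeout "${3:-2}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null && rc=0 || rc=$?
  case $rc in
    0)   echo open; return 0 ;;
    124) echo filtered; return 1 ;;
    *)   echo closed; return 1 ;;
  esac
}

# Walk-through for the tutorial's port 4000: print the commands, then probe.
open_tcp_port_cmd 4000 "" persist
tcp_port_state localhost 4000
```

Run the printed commands as root, start the nc listener from the tutorial, and tcp_port_state should switch from closed to open; if it reports filtered instead, the listener is up but the firewall rule is not matching, which is the case -A can produce on a chain that already ends in a REJECT rule.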
But this is only temporary, as the changes are reset every time you restart the system.
Sustainable rules
The approach presented in this article only temporarily updates the firewall rules until the system is shut down or restarted. So the same steps must be repeated to reopen the same port after the restart.
For ufw firewall
ufw rules persist across reboots, because ufw is integrated into the boot process and reapplies the rules from its configuration files when the system starts.
For firewalld
If you want to add the port to the permanent firewall configuration and apply the changes immediately, you can use the --permanent and --reload flags:
sudo firewall-cmd --permanent --add-port=4000/tcp
sudo firewall-cmd --reload
For iptables
You need to save the rules so that they are restored at boot, for example with the iptables-persistent package.
Conclusion
In this tutorial, you learned how to open a new port in Linux and configure it for incoming connections. You also used netstat, ss, telnet, nc, and nmap.