Open linux firewall ports are open

How to List Open Ports in Firewalld

Firewalld is the default firewall program on CentOS 7, Red Hat Enterprise Linux 7 (RHEL 7), Fedora 18+ and some other popular Linux distributions. It is very powerful for managing IPv4 and IPv6 networks. It has easy to use command line interface (CLI) and a great alternative to iptables.

In this article, I am going to show you how to list open ports in Firewalld. I am going to use CentOS 7.4 for the demonstration, but the same commands should work on any Linux distribution with Firewalld installed. Let’s get started.

What is an Open Port?

First let’s discuss what an open port is. It is clearly a networking term.

You can install many server software packagess on a single computer such as HTTP server, DNS server, Database Server and so on. But it may have a limited number of network interfaces on it. Let’s say it has one physical network interface available and its configured to have an IP address 10.0.1.11 and you have HTTP and MySQL database server installed on it. So when you connect to 10.0.1.11 from another computer, how does your server computer know what service you want to use? The HTTP service or the MySQL database service.

Well to differentiate between the HTTP service and MySQL database service, the IP address also has another property called port. Port is a 16-bit integer, which means it can be a number from 0 to 65536. So your server computer runs different services or server softwares on different ports. For example, the HTTP server runs on port 80, the MySQL database server runs on port 3306 and so on.

To talk to specific service on your server computer, let’s say the HTTP server, the client computer has to pass the port 80 along with the IP address 10.0.1.11. So port 80 is an open port because a client computer can talk to it.

When you have firewall program configured, by default, it blocks all the port. So even when the service is running on a specific port on your server computer, a client computer won’t be able to connect to it.

So how do I know what ports are open and I can connect to on my server computer? Well, that’s the topic of this article.

Finding Open Ports with Firewalld:

First check whether firewalld service is running with the following command:

As you can see from the marked section of the screenshot below, the firewalld service is running. So we are good to go.

If your firewalld service is not running, you can start firewalld service with the following command:

Now you can use the firewall-cmd command configure and get information about Firewalld.

You can print the whole Firewalld configuration with the following command:

The open ports and services are listed in the services: and ports: line as marked in the screenshot below.

In the services: line, ssh and dhcpv6-client services are enabled. It means the ports corresponding to these services are also open.

You can find out what ports these services open with the following command:

NOTE: Here, SERVICE_NAME is the service you want to see the ports of.

For example, to see the ports the ssh service opened, run the following command:

As you can see from the marked section of the screenshot below, the ssh service opens the TCP port 22 and UDP port 22.

The command sudo firewall-cmd –list-all, shows you the whole Firewalld configuration.

If you just want to see what services are allowed to have open ports, run the following command:

The services allowed to have open ports are listed as you can see from the screenshot below.

If you want to see only the ports that are open, run the following command:

The open ports are listed as you can see from the screenshot below.

If you want to open other ports or services using Firewalld, then check out my other article How To Open Port 80 on CentOS7(https://linuxhint.com/open-port-80-centos7/)

That’s how you list open ports in Firewalld. Thanks for reading this article.

About the author

Shahriar Shovon

Freelancer & Linux System Administrator. Also loves Web API development with Node.js and JavaScript. I was born in Bangladesh. I am currently studying Electronics and Communication Engineering at Khulna University of Engineering & Technology (KUET), one of the demanding public engineering universities of Bangladesh.

Источник

How to Open a Port in Linux

The port number is a virtual concept in computer networking that provides a network identifier for a service or application. The number is a 16-bit integer from 0 to 65535 that combines with the IP address to create a network communication socket.

This article shows how to open a port in Linux and use Linux networking tools to list and test open ports.

Listing Open Ports

Before opening a port on a system, check if the port you need is already open. The simplest way to do this is to pipe the output of the netstat command to the grep command.

netstat -na | grep :[port-number]

The syntax above tells grep to look for a specific port number in the port list provided by netstat . For example, to check if port 8080 is available on the system, type:

If the port is closed, the command returns no output.

Alternatively, use the following netstat command to display a list of listening ports:

The -l option looks for the listening ports, -n provides numerical port values, while -t and -u stand for TCP and UDP, respectively.

Note: For more details on netstat syntax, read Netstat Command in Linux — 28 Commands with Examples.

Opening a Port in Linux

The correct procedure for opening a port depends on the Linux distribution and the firewall you are using. The following sections provide steps for the three most common scenarios:

• The UFW firewall on Ubuntu-based distributions.
• firewalld on CentOS and other RHEL-based distributions.
• The iptables utility for the systems without UFW and Firewalld.

Note: Learn how to use GUFW, a GUI for UFW.

Ubuntu and UFW Based Systems

UFW (Uncomplicated Firewall) for Ubuntu allows you to open a port with a single command:

sudo ufw allow [port-number]

The output confirms when you add IPv4 and IPv6 rules.

Alternatively, open the port used by a specific service without stating the port number:

sudo ufw allow [service-name]

Note: After you finish creating the rules, ensure UFW is active on your system by typing:

CentOS and Other Systems with firewalld

The firewalld tool on CentOS, Fedora, and other related distributions, enables users to control port access on their system. The following command opens a specific port:

sudo firewall-cmd --zone=public --add-port=[port-number]/[protocol] --permanent

The —permanent option ensures that the rules persist after the system reboot.

Note: The —zone=public argument is necessary only in multi-zone system configurations. By default, firewalld assigns all interfaces to the public zone.

Linux Distributions without UFW or firewalld

While installing a full-fledged firewall is the recommended way of maintaining system security, some Linux distributions still use the legacy iptables solution. The iptables utility allows configuring rules to filter IP packets using the Linux kernel firewall.

Use the following command to create an iptables rule for opening a port:

sudo iptables -A INPUT -p [protocol] --dport [port] -j ACCEPT

The command creates an IPv4 rule. To create an IPv6 rule, use the ip6tables command:

sudo ip6tables -A INPUT -p [protocol] --dport [port] -j ACCEPT

The port number is specified with the —dport option. The -p flag allows you to define the protocol ( tcp or udp ). For example, to create an IPv4 rule for the TCP port 8080 , type:

sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

Make iptables Rules Persist on Debian-Based Systems

The rules created using iptables do not persist after reboots.

Follow the steps to restore iptables rules after a reboot on Debian-based systems:

1. Save the IPv4 rules you created:

iptables-save > /etc/iptables/rules.v4

2. Store any IPv6 rules in a separate file:

ip6tables-save > /etc/iptables/rules.v6

3. Install the iptables-persistent package:

sudo apt install iptables-persistent

This package automatically reloads the contents of the rules.v4 and rules.v6 files when the system restarts.

Make iptables Rules Persist on RHEL-Based Systems

RHEL-based systems store the iptables configuration in a different location.

1. Type the commands below to save the IPv4 and IPv6 rules, respectively:

iptables-save > /etc/sysconfig/iptables

ip6tables-save > /etc/sysconfig/ip6tables

2. Ensure the iptables-services package is installed:

sudo dnf install iptables-services

sudo systemctl start iptables

sudo systemctl enable iptables

sudo service iptables save

6. Restart the service to enforce the rule:

sudo systemctl restart iptables

Testing Open Ports

After using any of the methods above to open a port in Linux, ensure that the process is successful. The following methods are simple ways to check the open ports on a system.

View the listening ports with the netstat command:

The output above shows the port 8080 we opened previously.

List the open sockets with the ss command:

The port appears as part of the socket.

Note: To understand the function of sockets in Linux, refer to How Linux Uses Sockets.

Test the port by specifying its number to the nmap command.

Test the Port with the Netcat Utility

The Netcat tool features the nc command that you can use to test an open port. To do so:

1. Use a command such as echo to pipe output to Netcat and specify the port to listen to. The example below pipes a message to test port 8080 :

echo "Testing port 8080" | nc -l -p 8080

2. Leave the command running and open another terminal window.

3. In that terminal window, use a command such as telnet to query the local socket.

If the port is open, the output of the telnet command contains the message piped to nc in step 1.

Note: Learn how to check for open ports in Linux.

This article provided instructions on opening and testing a port in Linux. Opening a port can be helpful for various reasons, such as allowing incoming traffic to access a specific service or application on your system.

Источник