Table of Contents
Lately I was going through some articles from different search engine to check open ports in Linux. I was quiet surprised with the results as most of these articles in the search results talks about using ss, netstat etc to check if a port is open in Linux.
You have to understand the difference and your requirement.
Do you want to check if a port is open on the destination server or between source and destination server?
Do you want to check if a port is in LISTENING state on the destination server.
As it doesn’t necessarily mean that if a port is not listening then it is not open. A port will be in LISTEN state only when it is in use by some process or else a port can be open and free but since it is not in USE it will not be listed with netstat, lsof, ss commands etc.
So I hope you are clear with your requirement.
In this article I will share the different ways to check open ports or if a port is open on the destination server in Linux.
Method-1: Check open ports using nmap
nmap is an open source tool for network exploration and security auditing. Let’s verify if nmap can successfully give us list of open ports on a Linux server:
Currently I have not added any firewall rules on my destination server:
[root@server-2 ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
Now let us check open ports between
35520-35522 on this server using some different client machine with nmap:
We have used
-PN to perform TCP SYN/ACK check on the provided list of ports but the output claims that all of these ports are closed. But this is not correct as there is no firewall on
server-2 and this setup in in my local LAN so no other firewalls in between these servers.
Now here are the list of listening ports on
So if we try to scan these listening ports using nmap:
All of these ports are marked as OPEN. So unless your ports are in use by some process, they will not be marked as OPEN.
Let’s perform some more tests. I will DROP all the incoming requests and only allow certain ports on
server-2 using iptables:
[root@server-2 ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT [root@server-2 ~]# iptables -P INPUT DROP [root@server-2 ~]# iptables -A INPUT -p tcp --dport 35520 -j ACCEPT
List the applied rules
[root@server-2 ~]# iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp dpt:35520 ...
So I have explicitly allowed port
35520, now let’s perform nmap scan for this port and some others:
35520 is marked as CLOSED as it is explicitly allowed in iptables but currently is not in use while others are marked as FILTERED as they are blocked in firewall.
Understanding different states in nmap
Though the current version of NMAP is capable of performing many tasks, it initially started out as a port scanner. NMAP has certain ways to detect whether the port on the target system is open or closed. NMAP detects the status of the target port using predefined states as follows:
- Open: The Open state indicates that an application on the target system is actively listening for connections/packets on that port.
- Closed: The Closed state indicates there isn’t any application listening on that port. However, the port state could change to Open in the future.
- Filtered: The Filtered state indicates that either a firewall, a filter, or some kind of network hurdle is blocking the port and hence NMAP isn’t able to determine whether it is open or closed.
- Unfiltered: The Unfiltered state indicates that ports are responding to NMAP probes; however, it isn’t possible to determine whether they are open or closed.
- Open/Filtered: The Open/Filtered state indicates that the port is either filtered or open; however, NMAP isn’t precisely able to determine the state.
- Closed/Filtered: The Closed/Filtered state indicates that the port is either filtered or closed; however, NMAP isn’t precisely able to determine the state.
Method-2: Check list of open ports in Linux using hping3
We will retain the iptables rule which we applied in the previous example where we had blocked all the ports except
35520 and perform network scan using hping3:
So based on the above hint, hping3 got a RESET request with ACK on port
35520 which means the port may be in OPEN state while the other ports in the provided range are not responding so they are closed.
If any of the port is in LISTENING state then hping3 will return SYN and ACK flag as shown below:
[root@server-1 ~]# hping3 --scan 22 -S server-2 -V using eth1, addr: 192.168.0.153, MTU: 1500 Scanning server-2 (192.168.0.114), port 22 1 ports to scan, use -V to see all the replies +----+-----------+---------+---+-----+-----+-----+ |port| serv name | flags |ttl| id | win | len | +----+-----------+---------+---+-----+-----+-----+ 22 ssh : .S..A... 64 0 29200 46 All replies received. Done. Not responding ports:
Method-3: Test firewall rules
Now you may using the tools which I explained above to check open ports but if you wish to test firewall rules then I would recommend using
nc can be used to open any port and mark it as listening and then on the client server you can again use nc to send some dummy data to test firewall rule.
Let us retain the above applied iptables rule, so on our server port 35520 is allowed in the firewall. To test this firewall rule, we will enable port 35520 using nc:
[root@server-2 ~]# nc -l 35520 -v Listening on 0.0.0.0 3552
So our server is now listening on port 35520, now let’s try to connect to this port using any other client node:
[root@server-1 ~]# nc server-2 35520 -v Ncat: Version 7.70 ( https://nmap.org/ncat ) Ncat: Connected to 192.168.0.114:35520.
As you can see, nc was able to connect to
server-2 using port 35520. Now if you try to send any string from client to server:
[root@server-1 ~]# nc server-2 35520 -v Ncat: Version 7.70 ( https://nmap.org/ncat ) Ncat: Connected to 192.168.0.114:35520. test123
Monitor the console on server-1 and you will receive this string:
[root@server-2 ~]# nc -l 35520 -v Listening on 0.0.0.0 35520 Connection received on 192.168.0.153 46248 test123
Similarly let’s try to test firewall rule for any other port which is blocked (we have blocked all the ports except 35520 and 22):
[root@server-2 ~]# nc -l 35521 -v Listening on 0.0.0.0 35521
Since port 35521 port is blocked in the firewall, the same will not be accessible from
[root@server-1 ~]# nc server-2 35521 -v Ncat: Version 7.70 ( https://nmap.org/ncat ) Ncat: Connection timed out.
In this article I shared different methods to perform network scanning to check open ports and test firewall rules in Linux. There are many other tools available which can be used for this purpose. But again I don’t rely on telnet, ss or netstat commands for this purpose as they may not give you accurate data based on your requirement. nmap, hping3 are very vast tools with alot of different options and features which are not covered in this article. I would suggest to go through their man page and explore different options.