A TCP/IP connection attempt to a port on a system can be open (accepted), blocked or filtered (rejected with an error response), or dropped (silently discarded). These outcomes are controlled by the iptables firewall the system uses and are independent of any process or program that may be listening on the network port. Behind the firewall, a program or process (a server or daemon) may or may not be listening on the port. This can be checked using the netstat, ss or lsof programs. Checking whether a port is open, blocked, dropped or filtered at the firewall is less simple. There are two ways to do this:
- test the port externally
- list the firewall configuration and examine the output
1. Using netstat to see the listening processes
To see if a program or process is listening on a port, ready to accept a packet, use the netstat command.
# netstat -tulnp
The arguments to the netstat command are listed below:
t – Show TCP
u – Show UDP
l – Show only listening sockets (netstat can show both listening sockets and established connections, i.e. the system's client connections too)
n – Do not resolve IP addresses or port numbers to names
p – Show the PID and name of the process that owns the socket
For example :
# netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1254/rpcbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1484/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1355/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1562/master
tcp        0      0 0.0.0.0:44349           0.0.0.0:*               LISTEN      1274/rpc.statd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1254/rpcbind
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1355/cupsd
udp        0      0 0.0.0.0:44165           0.0.0.0:*                           1274/rpc.statd
udp        0      0 0.0.0.0:602             0.0.0.0:*                           1274/rpc.statd
udp        0      0 0.0.0.0:1001            0.0.0.0:*                           1254/rpcbind
2. Using ss to see the listening processes
To see if a program or process is listening on a port, ready to accept a packet, use the ss program.
# ss -nutlp
The arguments to the ss program are listed below:
t – Display TCP sockets
u – Display UDP sockets
l – Display listening sockets only
n – Do not try to resolve addresses or port numbers to names
p – Show the process using the socket
For Example :
# ss -nutlp
Netid  State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
udp    UNCONN  0      0      *:111                *:*       users:(("rpcbind",1254,6))
udp    UNCONN  0      0      *:631                *:*       users:(("cupsd",1355,9))
udp    UNCONN  0      0      *:44165              *:*       users:(("rpc.statd",1274,8))
udp    UNCONN  0      0      *:602                *:*       users:(("rpc.statd",1274,5))
udp    UNCONN  0      0      *:1001               *:*       users:(("rpcbind",1254,7))
tcp    LISTEN  0      128    *:111                *:*       users:(("rpcbind",1254,8))
tcp    LISTEN  0      128    *:22                 *:*       users:(("sshd",1484,3))
tcp    LISTEN  0      128    127.0.0.1:631        *:*       users:(("cupsd",1355,7))
tcp    LISTEN  0      100    127.0.0.1:25         *:*       users:(("master",1562,12))
tcp    LISTEN  0      128    *:44349              *:*       users:(("rpc.statd",1274,9))
3. using lsof to find open ports
To list all the open network sockets on a system, together with the name and PID of the process that opened each one, use the following command. Unlike netstat -l and ss -l, this also lists established connections (the sshd session on the last line of the example), and it resolves hosts and ports to names unless -n and -P are added.
# lsof -i
Here is an example output:
# lsof -i
COMMAND    PID    USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
rpcbind   1254     rpc  6u  IPv4  12592      0t0  UDP *:sunrpc
rpcbind   1254     rpc  7u  IPv4  12596      0t0  UDP *:1001
rpcbind   1254     rpc  8u  IPv4  12597      0t0  TCP *:sunrpc (LISTEN)
rpc.statd 1274 rpcuser  5r  IPv4  12784      0t0  UDP *:xmlrpc-beep
rpc.statd 1274 rpcuser  8u  IPv4  12788      0t0  UDP *:44165
rpc.statd 1274 rpcuser  9u  IPv4  12792      0t0  TCP *:44349 (LISTEN)
cupsd     1355    root  7u  IPv4  13147      0t0  TCP localhost:ipp (LISTEN)
cupsd     1355    root  9u  IPv4  13150      0t0  UDP *:ipp
sshd      1484    root  3u  IPv4  13707      0t0  TCP *:ssh (LISTEN)
master    1562    root 12u  IPv4  13923      0t0  TCP localhost:smtp (LISTEN)
sshd      1657    root  3r  IPv4  14745      0t0  TCP 192.168.1.50:ssh->192.168.1.101:49549 (ESTABLISHED)
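The listings in sections 1 to 3 are easy to read on a small host, but on a busy server the security question is usually narrower: which sockets are bound to a wildcard address (0.0.0.0, *, [::]) and are therefore reachable from the network if the firewall allows it, versus bound to 127.0.0.1 only. The following shell script is an added example, not part of the original article, that answers that question from ss -nutlp output. The ss output embedded in it is constructed to mirror the sockets shown above (current iproute2 releases print the process column as users:(("name",pid=N,fd=M))), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): triage `ss -nutlp` output
# and separate sockets bound to a wildcard address, which other hosts can
# reach if the firewall permits, from sockets bound to loopback only.
# On a live system:  ss -nutlp | classify_listeners
# The sample below is constructed to match the socket set from the article.

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=1254,fd=6))
udp   UNCONN 0      0      0.0.0.0:631         0.0.0.0:*         users:(("cupsd",pid=1355,fd=9))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=1484,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=1355,fd=7))
tcp   LISTEN 0      100    127.0.0.1:25        0.0.0.0:*         users:(("master",pid=1562,fd=12))
tcp   LISTEN 0      128    *:44349             *:*               users:(("rpc.statd",pid=1274,fd=9))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=1484,fd=4))'

# classify_listeners [ss-output]
# Reads ss -nutlp output from $1 (or from stdin) and prints one line per socket:
#   EXPOSED|LOCAL <proto> <port> <local-address> <process>
classify_listeners() {
    if [ $# -ge 1 ]; then printf '%s\n' "$1"; else cat; fi | awk '
        $1 == "Netid" { next }                    # header row
        NF < 5 { next }                           # wrapped or empty line
        {
            local = $5
            n = split(local, p, ":")
            port = p[n]                           # text after the last colon
            addr = substr(local, 1, length(local) - length(port) - 1)
            proc = "-"
            # program name sits inside users:(("name",pid=N,fd=M))
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            kind = "LOCAL"
            if (addr == "*" || addr == "0.0.0.0" || addr == "[::]" || addr == "::")
                kind = "EXPOSED"
            printf "%s %s %s %s %s\n", kind, $1, port, addr, proc
        }'
}

# exposed_listeners [ss-output]: only the sockets other hosts could reach
exposed_listeners() {
    classify_listeners "$@" | awk '$1 == "EXPOSED" { print $2, $3, $4, $5 }'
}

# Stand-alone demo on the constructed sample
classify_listeners "$SAMPLE_SS"
```

Anything reported as EXPOSED still has to pass the firewall, so the next step is the external test or the rule listing described below; anything reported as LOCAL is unreachable from other hosts regardless of the firewall, which is why the cupsd and Postfix sockets above are bound to 127.0.0.1.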
Testing a port externally
The telnet application can be used to test simple network socket connectivity, but only for TCP connections, not UDP. For example, to see whether TCP port 80 on a system is ready to accept a connection, give telnet the IP address and the port:
# telnet 192.168.1.55 80
Trying 192.168.1.55...
Connected to example.redhat.com (192.168.1.55).
Escape character is '^]'.
If the server is not listening the response is different:
# telnet 10.0.0.25 80
Trying 10.0.0.25...
telnet: connect to address 10.0.0.25: Connection refused
telnet: Unable to connect to remote host: Connection refused
- This indicates that the connection was actively refused. The TCP subsystem received the packet, examined it, and found it was a request to open a socket at port 80, saw that there was no process ready to accept the connection and responded with a refusal.
- If the firewall was configured to block or filter (REJECT) the connection, what telnet displays depends on the reject type. With --reject-with tcp-reset, or with the iptables default of icmp-port-unreachable, the output is the same "Connection refused" as above, even if a process is ready to accept the connection. The stock Red Hat Enterprise Linux rules use --reject-with icmp-host-prohibited, which telnet reports as "No route to host".
- If the firewall was configured to drop the connections, we would see no response at all and telnet would time out instead:
# telnet 10.0.0.25 80
Trying 10.0.0.25...
telnet: connect to address 10.0.0.25: Connection timed out
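Reading telnet's interactive output by eye does not scale to a list of ports, and an interactive telnet session is awkward to script. The following shell script is an added example, not part of the original article, that performs the same TCP connect test and turns the outcome into one of the verdicts discussed above: open, refused, ICMP-unreachable, or dropped (timed out). It assumes bash (for its /dev/tcp pseudo-device) and coreutils timeout(1) are installed; the function names are my own. Like telnet, it tests TCP only.

```shell
#!/bin/sh
# Added example (not from the original article): probe TCP ports and report
# which outcome occurred, so a closed port or REJECT (refused), an ICMP
# host-prohibited REJECT (icmp-unreachable) and a DROP (dropped, no reply
# before the deadline) can be told apart without a telnet session.
# Assumes bash with /dev/tcp support and coreutils timeout(1).

PROBE_TIMEOUT=${PROBE_TIMEOUT:-5}   # seconds without a reply before we call it dropped

# classify_connect_error STATUS MESSAGE
#   STATUS   exit code of the connect attempt (124 means timeout(1) fired)
#   MESSAGE  text bash printed on stderr for a failed connect
# Prints one of: open refused icmp-unreachable dropped unreachable error
classify_connect_error() {
    status=$1
    message=$2
    if [ "$status" -eq 0 ]; then
        echo open
    elif [ "$status" -eq 124 ]; then
        echo dropped                  # no SYN/ACK, no RST, no ICMP: DROP or a dead host
    else
        case $message in
            # RST or ICMP port-unreachable: closed port, REJECT --reject-with
            # tcp-reset, or the iptables default REJECT; indistinguishable here
            *"Connection refused"*)   echo refused ;;
            # ICMP host-unreachable/host-prohibited (stock RHEL REJECT rule),
            # but also what a failed ARP lookup on the local subnet produces
            *"No route to host"*)     echo icmp-unreachable ;;
            *"Connection timed out"*) echo dropped ;;
            *"unreachable"*)          echo unreachable ;;   # no route from this host at all
            *)                        echo error ;;
        esac
    fi
}

# tcp_probe HOST PORT: prints "HOST:PORT <verdict>"
tcp_probe() {
    host=$1
    port=$2
    # The connect runs in a child bash so that timeout(1) can kill it cleanly;
    # $0 and $1 inside the -c string are the host and port passed after it.
    message=$(timeout "$PROBE_TIMEOUT" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>&1)
    status=$?
    printf '%s:%s %s\n' "$host" "$port" "$(classify_connect_error "$status" "$message")"
}

# Stand-alone use: tcp_probe.sh HOST PORT [PORT...]
if [ $# -ge 2 ]; then
    host=$1; shift
    for port in "$@"; do tcp_probe "$host" "$port"; done
else
    echo "usage: $0 HOST PORT [PORT...]" >&2
fi
```

A refused verdict from the outside combined with a LISTEN entry on the server is the signature of a REJECT rule in the way; a dropped verdict with a LISTEN entry points at a DROP rule (or a packet loss/routing problem between the two hosts), and the deadline should be raised before concluding it is the firewall.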
Listing the firewall rules
In Red Hat Enterprise Linux, firewall rules may be listed by using the service command:
# service iptables status
Or by using the iptables command directly, where -L lists the rules of every chain (add a chain name to restrict it), -n prints addresses and ports numerically, -v adds interfaces and packet and byte counters, and -x shows the exact counters instead of abbreviated K/M/G values:
# iptables -xvn -L
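Working out by eye which rule a given connection would hit is where mistakes happen: rules are evaluated in order, the first terminating target wins, and a RELATED,ESTABLISHED rule near the top never applies to a new connection. The following shell script is an added example, not part of the original article. It walks one chain of iptables -S output (the rule-specification form of the listing, available in iptables 1.4 and later) in order and reports the first ACCEPT, DROP or REJECT whose protocol, port, input interface and connection-state tests match a new inbound connection, or the chain policy if none matches. The ruleset embedded in it is constructed, laid out like a stock RHEL 6 /etc/sysconfig/iptables with two rules added; the function name is my own. Source and destination address matches and other match extensions are not evaluated, which is why the matching rule is printed in full for manual checking.

```shell
#!/bin/sh
# Added example (not from the original article): first-match walk of one
# chain from `iptables -S`, for a NEW inbound connection to PROTO/PORT on
# interface IFACE. Evaluates -p, --dport/--dports (lists and ranges), -i and
# --state/--ctstate; -s, -d and other modules are NOT evaluated, so the
# matching rule is printed whole for the reader to check those by hand.
# LOG and user-defined chain targets are not followed; the walk continues.

SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# firewall_verdict CHAIN PROTO PORT [RULES] [IFACE]
#   RULES  output of `iptables -S` (default: run iptables -S, which needs root)
#   IFACE  interface the packet arrives on (default eth0; use lo for local)
# Prints "<TARGET> <rule>" or "<POLICY> (chain policy, no rule matched)".
firewall_verdict() {
    chain=$1 proto=$2 port=$3 iface=${5:-eth0}
    if [ -n "${4:-}" ]; then printf '%s\n' "$4"; else iptables -S; fi |
    awk -v chain="$chain" -v proto="$proto" -v port="$port" -v iface="$iface" '
        function port_matches(spec,    n, i, list, r) {
            if (spec == "") return 1                  # rule does not test the port
            n = split(spec, list, ",")                # multiport: 80,443
            for (i = 1; i <= n; i++) {
                if (index(list[i], ":")) {            # range: 1000:2000
                    split(list[i], r, ":")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) return 1
                } else if (list[i] + 0 == port + 0) return 1
            }
            return 0
        }
        $1 == "-P" && $2 == chain { policy = $3; next }
        $1 != "-A" || $2 != chain { next }
        {
            rp = ""; rport = ""; rif = ""; rstate = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") rp = $(i + 1)
                else if ($i == "--dport" || $i == "--dports") rport = $(i + 1)
                else if ($i == "-i") rif = $(i + 1)
                else if ($i == "--state" || $i == "--ctstate") rstate = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if (rp != "" && rp != proto) next
            if (rif != "" && rif != iface) next
            if (rstate != "" && index(rstate, "NEW") == 0) next   # ESTABLISHED-only rule
            if (!port_matches(rport)) next
            if (target == "ACCEPT" || target == "DROP" || target == "REJECT") {
                printf "%s %s\n", target, $0
                found = 1
                exit
            }
        }
        END { if (!found) printf "%s (chain policy, no rule matched)\n", policy }'
}

# Stand-alone demo on the constructed ruleset
for p in 22 80 23 3306; do
    printf 'tcp/%s: ' "$p"
    firewall_verdict INPUT tcp "$p" "$SAMPLE_RULES"
done
```

On the sample ruleset, tcp/22 and tcp/80 reach an ACCEPT, tcp/23 hits the DROP (an external probe would time out) and tcp/3306 falls through to the final REJECT with icmp-host-prohibited, which is what the "No route to host" response from telnet corresponds to. The same query with lo as the interface is accepted by the -i lo rule, matching the observation that a service bound to 127.0.0.1 is reachable locally whatever the rest of the chain says.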