One of a system administrator's responsibilities is to keep the system secure. A key part of that is detecting unwanted open ports and closing them. Closing a port is comparatively easy, but finding the open ports on a Linux machine can feel like looking for a needle in a haystack. In this article we will see, step by step, how to check which ports are open. Here "open ports" means all ports which are open at the firewall, not just the ports on which a service is listening.
Check Open ports by checking Firewall rules
On a Linux machine, ports can be opened and closed at the firewall level. On Linux 7.x we use iptables for controlling the firewall, and on Linux 8.x we use firewalld for the same purpose. If you are using iptables, proceed to the iptables section; otherwise read the firewalld section. This is only a visual examination of the rules, as a first level of identification.
Iptables rules check
- In iptables there are three chains by default: INPUT, OUTPUT and FORWARD. In this article we focus on INPUT, since we are mainly interested in controlling inbound connections to the system.
- In the snippet below, listing the rules with iptables -L -nv shows policy ACCEPT on the INPUT chain. Policy ACCEPT means the firewall imposes no restriction: all ports are enabled.
~]# iptables -L -nv
Chain INPUT (policy ACCEPT 38 packets, 7268 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 34 packets, 7272 bytes)
 pkts bytes target     prot opt in     out     source               destination
~]#
- In the snippet below, the policy is DROP, but the rules list some ports with target ACCEPT.
- All ports other than those with ACCEPT in the rules will be closed.
~]# iptables -L -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2022
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:28809
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9001
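The two listings above are read by eye; the following added example (not part of the original article) does the same reading programmatically, so the INPUT chain of an iptables -L -nv listing can be summarised as "everything open" (policy ACCEPT) or "only these interface/port pairs" (policy DROP plus ACCEPT rules). The listing embedded in the block is a constructed copy of the second snippet.

```python
import re

# Constructed copy of the `iptables -L -nv` listing shown above (not live output).
IPTABLES_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2022
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:28809
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9001
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# "Chain NAME (policy X ...)" for built-in chains; user chains show "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+))?")
# -nv column order: pkts bytes target prot opt in out source destination [match text]
# (a rule with an empty target column would shift the columns and is not handled here)
RULE_RE = re.compile(r"^\s*\S+\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+\S+\s+\S+\s+\S+(.*)$")

def input_chain_exposure(listing):
    """Summarise what the INPUT chain lets in.

    Returns {"policy": ..., "all_ports_open": bool, "accepted": [...]} where
    accepted holds (interface, proto, port) for every ACCEPT rule; port is None
    when the rule has no dpt, since such a rule opens every port it matches.
    """
    policy, accepted, in_input = None, set(), False
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:  # chain header: remember the policy and whether we are now in INPUT
            in_input = m.group(1) == "INPUT"
            policy = m.group(2) if in_input else policy
            continue
        r = RULE_RE.match(line) if in_input else None
        if not r or r.group(1) != "ACCEPT":
            continue
        _, proto, iface, rest = r.groups()
        dpt = re.search(r"\bdpt:(\d+)", rest)
        accepted.add((iface, proto, int(dpt.group(1)) if dpt else None))
    return {
        "policy": policy,
        "all_ports_open": policy == "ACCEPT",  # the default policy handles what no rule matched
        "accepted": sorted(accepted, key=lambda t: (t[0], t[1], t[2] or 0)),
    }
```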
Firewalld Rules check
On Linux 8.x we use firewalld for controlling the firewall. firewalld works with zones, and the rules in each zone determine whether a packet is accepted or rejected.
The snippet below shows the active firewalld zones and lists the rules in each zone.
[root@linuxdatahub ~]# firewall-cmd --get-active-zones
public
  interfaces: enp0s3
[root@linuxdatahub ~]# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 5678
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
- The target is shown as default. In firewalld, when it comes to ports, default means the packet is dropped.
- If the target were ACCEPT, all ports would be open at the firewall.
- Port 5678 is listed in the ports section, which means port 5678 is open and packets can flow through it.
- Port 22 is not listed in the ports section, but I'm still able to connect to port 22 for SSH. This is because ssh is listed as a service in the services section.
- In conclusion, the ports listed in the ports section and the ports associated with the services in the services section are open.
The ports associated with a service can be seen using the command: firewall-cmd --info-service <servicename>
Check Open ports using Security tools (Nmap and hping)
We will use Nmap and hping3 to identify the open ports on a machine. The machine (linux-data) which I'm going to scan has the active zone below.
[root@linux-data ~]# firewall-cmd --list-all --zone=public
public (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2
  sources:
  services: dhcpv6-client ssh
  ports: 25/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
- From the snippet it can be seen that port 25 is open and the ssh service is also enabled.
- The target is DROP, which disables all ports other than those specified in the table.
Check Open ports using Nmap
Nmap is an open source tool used for security auditing and network analysis. We will use it to scan for open ports on a remote machine. The firewall of the machine (linux-data) is the one shown in the previous snippet.
- The Nmap scan report of the test machine below (restricted to a port range) reflects the firewall rules set on our machine.
[root@test-re ~]# nmap linux-data -p 20-30

Starting Nmap 6.40 ( http://nmap.org ) at 2022-07-23 17:28 IST
Nmap scan report for linux-data (10.55.7.41)
Host is up (0.00099s latency).
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp open     ssh
23/tcp filtered telnet
24/tcp filtered priv-mail
25/tcp closed   smtp
26/tcp filtered rsftp
27/tcp filtered nsw-fe
28/tcp filtered unknown
29/tcp filtered msg-icp
30/tcp filtered unknown
MAC Address: FA:16:3E:97:87:2D (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.65 seconds
- The state of port 22 is open, which means the port is accessible and a service is listening on it.
- The state of port 25 is closed, which means the port is accessible but no service is listening on it.
- The state of all the other ports is filtered, which means a firewall stands in front of those ports, so they are not accessible.
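To make the link between the firewalld zone listed earlier and the Nmap states above explicit, here is an added example (not from the original article) that computes the set of ports the zone allows (ports section plus service ports) and then checks each line of the scan report against it: open and closed ports must be allowed by the firewall, filtered ports must not. The service-to-port map is an assumption standing in for firewall-cmd --info-service output, and both listings are constructed copies of the snippets above.

```python
import re

# Constructed copies of the firewalld zone and the nmap report shown above (not live captures).
ZONE_LISTING = """\
public (active)
  target: DROP
  interfaces: eth0 eth1 eth2
  services: dhcpv6-client ssh
  ports: 25/tcp
"""
NMAP_REPORT = """\
PORT   STATE    SERVICE
20/tcp filtered ftp-data
22/tcp open     ssh
23/tcp filtered telnet
25/tcp closed   smtp
"""
# Ports behind each service name, as `firewall-cmd --info-service` reports them;
# hard-coded (assumed values) so the example runs offline.
SERVICE_PORTS = {"ssh": {("tcp", 22)}, "dhcpv6-client": {("udp", 546)}, "cockpit": {("tcp", 9090)}}
REASONS = {"open": "firewall allows it and a service is listening",
           "closed": "firewall allows it but nothing is listening",
           "filtered": "blocked by the firewall before reaching the host"}

def zone_allowed_ports(listing):
    """Ports the zone lets in: the ports: line plus every listed service's ports.
    Returns a set of (proto, port), or None when target ACCEPT opens everything."""
    fields = dict(re.findall(r"^\s*([\w-]+):\s*(.*)$", listing, re.M))
    if fields.get("target", "").upper() == "ACCEPT":
        return None
    allowed = set()
    for entry in fields.get("ports", "").split():
        port, _, proto = entry.partition("/")   # "5678" with no proto defaults to tcp
        allowed.add((proto or "tcp", int(port)))
    for svc in fields.get("services", "").split():
        allowed |= SERVICE_PORTS.get(svc, set())
    return allowed

def explain_scan(nmap_report, allowed):
    """Map each scanned port to (state, reason, consistent_with_firewall)."""
    result = {}
    for port, proto, state in re.findall(r"^(\d+)/(\w+)\s+(\S+)", nmap_report, re.M):
        key = (proto, int(port))
        passes_fw = allowed is None or key in allowed
        # open/closed both mean the probe reached the host, so the firewall must allow
        # the port; filtered means it must not.  Other states are indeterminate (None).
        consistent = (state == "filtered") != passes_fw if state in REASONS else None
        result[key] = (state, REASONS.get(state, "indeterminate"), consistent)
    return result
```

A False in the third field flags a port where the scan and the firewall configuration disagree, for example a port reachable on a path that bypasses the zone you inspected.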
Understanding Nmap status
- open: The port is enabled and open; a service is listening on it.
- closed: The port is enabled, but no service is listening on it. A closed port is still accessible.
- filtered: A firewall prevents the probes from reaching the port. This shows the port is not accessible and is not enabled.
- unfiltered: The port is accessible, but Nmap is not able to determine whether it is open or closed.
- open|filtered: Nmap was unable to determine whether the port is open or filtered. This happens when the port does not respond to Nmap's probe packets.
- closed|filtered: Nmap was unable to determine whether the port is closed or filtered.
Check Open ports using hping3
hping is an open-source packet generator and analyzer for the TCP/IP protocol, created by Salvatore Sanfilippo. It is one of the common tools used for security auditing and for testing firewalls and networks.
- The output below shows the hping scan report, which clearly shows the open ports on the machine.
[root@test-re ~]# hping3 -8 20-30 -S 10.55.7.41 -V
using eth0, addr: 10.55.7.53, MTU: 1500
Scanning 10.55.7.41 (10.55.7.41), port 20-30
11 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
   25 smtp       : ..R.A... 64 31802     0    40
   22 ssh        : .S..A... 64     0 29200    44
All replies received. Done.
Not responding ports: (20 ftp-data) (21 ftp) (23 telnet) (24 lmtp) (26 ) (27 nsw-fe) (28 ) (29 msg-icp) (30 )
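The flags column is what carries the verdict in that table: a SYN/ACK reply means a listener answered, an RST/ACK reply means the host is reachable but nothing listens, and a port that never replies is the one the firewall is filtering. The added example below (not part of the original article) decodes that column and gives each port the same open/closed/filtered label Nmap uses, so the two scans can be compared directly. It assumes hping prints the eight flag positions in the order F S R P A U X Y, which is consistent with the two rows shown; the output embedded in the block is a constructed copy.

```python
import re

# Constructed copy of the hping3 -8 output shown above (not a live capture).
HPING_OUTPUT = """\
   25 smtp       : ..R.A... 64 31802     0    40
   22 ssh        : .S..A... 64     0 29200    44
All replies received. Done.
Not responding ports: (20 ftp-data) (21 ftp) (23 telnet) (24 lmtp) (26 ) (27 nsw-fe)
"""

# Assumed column order of hping's 8-character flags field (matches the two rows above).
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "X", "Y")
# port, optional service name, colon, flags field
ROW_RE = re.compile(r"^\s*(\d+)\s+\S*\s*:\s+([.A-Z]{8})")

def decode_flags(field):
    """'.S..A...' -> {'SYN', 'ACK'}"""
    return {name for name, ch in zip(FLAG_NAMES, field) if ch != "."}

def classify_hping(output):
    """Give each probed port the vocabulary nmap uses:
    SYN/ACK back = open, RST back = closed, no reply at all = filtered."""
    states = {}
    for line in output.splitlines():
        row = ROW_RE.match(line)
        if row:
            flags = decode_flags(row.group(2))
            if "SYN" in flags and "ACK" in flags:
                state = "open"
            elif "RST" in flags:
                state = "closed"
            else:
                state = "unexpected"   # e.g. a bare ACK; worth a closer look
            states[int(row.group(1))] = (state, flags)
        elif line.startswith("Not responding ports:"):
            # entries look like "(20 ftp-data)" or "(26 )" when no service name is known
            for port in re.findall(r"\((\d+)", line):
                states[int(port)] = ("filtered", set())
    return states
```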