How to Check, Open, and Close a Port on Ubuntu

examples of checking, opening, closing ports on Ubuntu

In this tutorial we’ll learn how to check for listening ports, using numerous tools, along with managing ports by allowing or disallowing incoming and outgoing connections.

Ports in Ubuntu

What is a port? In simple words: a door to a program running in your operating system. Or: application-specific or process-specific software construct used as a numeric identifier of a particular connection between two applications.

Port numbers is a 16-bit unsigned integer that range from 0 to 65535. Applications listen for ports to achieve a successful communication from the outside.

When dealing with a well-known distribution as Ubuntu, there are multiple tricks and features that check for, close or open ports.

So as an alert Linux user, it’s imperative to be aware of probe for open ports in your system, which ones are open by default, closing open ports and allowing exceptions. If not, securities holes and system’s vulnerabilities would be the least of your problems, not to mention bandwidth and resource consuming connections.

Check common ports:

Port Name Port Number/Protocol Alias
ftp 21/tcp //
-ssh 22/tcp //
-smtp 25/tcp mail
domain 53/tcp nameserver
domain 53/udp nameserver
http 80/tcp www www-http
-https 443/tcp //
pop3 110/tcp pop-3

How to Inspect Listening Ports

Obviously, before even starting to open or close ports, it’s necessary to be familiar with which ports are open in your system. To do that, we can use various built-in command line utilities or installed.

Fire up your machine, open the terminal, then type the next command to list running services and which ports are used.

less /etc/services
Output
ftp 21/tcp
fsp 21/udp fspd
ssh 22/tcp # SSH Remote Login Protocol
telnet 23/tcp
smtp 25/tcp mail
time 37/tcp timserver
time 37/udp timserver
whois 43/tcp nicname

When you want to quit less, hit the q key.

Suppose we want to check for specific ports (80, 443 and 22). Easily use the grep tool like so:

grep -we 80 -we 22 -we 443 /etc/services
Output
ssh 22/tcp # SSH Remote Login Protocol
http 80/tcp www # WorldWideWeb HTTP
https 443/tcp # http protocol over TLS/SSL
https 443/udp # HTTP/3

The next command is using netstat, which is a well known utility that can be used to inspect listening ports and socket information. There are multiple variations of using this tool, but we will be ok by the next (tcp/udp):

netstat -intu

We can also be using the ss tool, which is very similar to netstat.

ss -intu

lsof is a command line utility for listing open files, but can be used to check what process and tool is listening on a specific port; or by using the protocol.

lsof -i :80
lsof -i udp

Now to one of the major tools in the port scanning field: Nmap. We can also use this tool in a variety of ways, but we will see only the following example:

Output
nmap localhost

Note that the utilities above will only display the port if a service or a process is actually listening for incoming connections, (if port is in use). But keep in mind, this does not mean that the listening service is open to the internet, since our firewall could be blocking incoming connections for certain ports.

How to Open Ports

Generally to open or close ports on Ubuntu we use ufw command (Uncomplicated Firewall); which is a frontend for iptables. Before starting to manage our ports, we have to check the ufw statues by running the next command:

sudo ufw status verbose
Output
Status: inactive

Enable your firewall as so:

sudo ufw enable
Output
Firewall is active and enabled on system startup

Run the first command:

sudo ufw status verbose
Output
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

As you can see, our firewall is denying incoming connections. So if we want to add an exception (22 tcp), we should run the below mentioned command.

sudo ufw allow 22/tcp
Output
Rule added
Rule added (v6)

Check if our firewall is indeed making an exception for port 22:

sudo ufw status verbose
Output
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)

In the even we want to allow a specific IP address to connect to port 22:

sudo ufw allow from 40.200.14.5 to any port 22
Output
Rule added

We could use the same previous command for a subnet of IP addresses:

sudo ufw allow from 40.200.14.0/24 to any port 22
Output
Rule added

We checked managing incoming connections; for allowing outgoing connections we use the out option:

sudo ufw allow out 22/tcp
Output
Rule added
Rule added (v6)

Let’s check the iptables examples for opening ports. First let’s make an exception for incoming connections to port 80:

sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT

This second command for making an exception for outgoing connections to port 80:

sudo iptables -I OUTPUT -p tcp --sport 80 -j ACCEPT

How to Close Ports

Like opening ports, there are numerous commands for closing ports. Upon discovery of an open port that should be closed. The easiest way as before is using ufw.

Let’s start by blocking port 22:

sudo ufw deny 22
Output
Rule added
Rule added (v6)

We could use the reject keyword instead:

sudo ufw reject 22

Note that reject and deny options achieve similar results, the key difference though, is that reject informs back the sender that their connection was rejected via error packet.

As before, in case we want to block outgoing call, we use the following command:

sudo ufw deny out 22
Output
Rule added
Rule added (v6)

Let’s try iptables to block incoming connections:

sudo iptables -A INPUT -p tcp --dport 80 -j DROP

Just like ufw, DROP keyword is used to block connections without sending back an error packet.

sudo iptables -A INPUT -p tcp --dport 80 -j REJECT

The REJECT option, for informing the sender that their request has been rejected.

When trying to block users from using a specific port (outgoing), we use the following:

sudo iptables -A OUTPUT -p tcp --sport 80 -j DROP

Bonus: In case that you missed around with your firewall (adding and dropping a whole lot of exceptions). Do not worry; just run the command mentioned below to start over.

sudo ufw reset
Output
Resetting all rules to installed defaults. Proceed with operation (y|n)? y
Backing up 'user.rules' to '/etc/ufw/user.rules.20220503_211753'
Backing up 'before.rules' to '/etc/ufw/before.rules.20220503_211753'
Backing up 'after.rules' to '/etc/ufw/after.rules.20220503_211753'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20220503_211753'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20220503_211753'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20220503_211753'

Conclusion

In this how to article we learned about checking which ports are used by our services and programs, we did that by testing different utilities and command lines. We also learned about managing ports with ufw and iptables; we’ve managed that by being acquainted with executing allow exceptions, deny/reject exceptions and how to run them for different scenarios.

0 Shares:
Subscribe
Notify of
guest
Receive notifications when your comment receives a reply. (Optional)
Your username will link to your website. (Optional)
0 Comments
Inline Feedbacks
View all comments
You May Also Like
Usermod Command in Linux
Read More

Usermod Command in Linux

The usermod command allows us to modify an existing user account. With the usermod command, we can make…
gnome logo with theme icon
Read More

How to Install GNOME Themes

Knowing how to install GNOME themes empowers you to customize the appearance of your Linux graphical user interface.…