Opening a port on Linux
Before we learn how to open a port on Linux, let's understand what network ports are. A port is a communication endpoint. Within an operating system, a port number lets the kernel deliver incoming data packets to the specific process or network service that is bound to it.
Typically, each network service has a default port assigned to it. A service can be configured to listen on a different port, but clients expect the defaults, so in general the defaults are used.
The first 1024 ports (ports 0-1023) are the well-known ports, reserved for the most commonly used services: SSH (port 22), HTTP (port 80), HTTPS (port 443) and so on. On Linux, binding a listener to one of these requires root privileges (or the CAP_NET_BIND_SERVICE capability), which is why the example later in this article uses a higher port.
Ports 1024-49151 are the registered (user) ports, which IANA assigns to specific applications on request. The remaining ports, 49152-65535, are the dynamic/private ports, also called ephemeral ports; this is the range operating systems pick client-side source ports from. (Linux actually defaults to 32768-60999 for that purpose; see /proc/sys/net/ipv4/ip_local_port_range.)
We can use the netstat command (netstat -lntu) to list all open ports for TCP and UDP, the two transport-layer protocols that almost all network services use. netstat belongs to the deprecated net-tools package and may not be installed on newer systems; ss from iproute2 is its replacement.
Just to ensure that we are getting consistent output, let's verify this with the ss command, which lists listening sockets (-l), numerically (-n), for TCP (-t) and UDP (-u):
ss -lntu
List Listening Sockets
This gives more or less the same open ports as netstat, so we are good to go. (Add -p to either tool, as root, to see which process owns each socket.)
Opening a port on Linux to Allow TCP Connections
For the sake of this example, let's open a closed port and make it listen for TCP connections.
Since port 4000 is not used on my system, I choose to open port 4000. If that port is in use on your system, feel free to choose another free port. Just make sure that it's greater than 1023, so that an unprivileged listener such as nc can bind to it.
Again, just to make sure, let's confirm that port 4000 is not in use, with netstat or ss:
netstat -na | grep :4000
ss -na | grep :4000
The output must remain blank, which confirms that nothing is bound to the port yet; we can then add a rule for it to the system firewall.
For Ubuntu Users and ufw firewall based Systems
Ubuntu ships a firewall front end called ufw (Uncomplicated Firewall). It generates and manages the underlying iptables/nftables rules for you, so if ufw is enabled you should open the port through ufw rather than editing those rules by hand; otherwise the two will fight over the ruleset.
You can skip the next few steps and directly test your newly opened port!
For CentOS and firewalld based Systems
On these systems, if firewalld is your primary firewall, use firewall-cmd to update your rules instead of calling iptables directly; firewalld does not track rules added behind its back and can drop them when it reloads.
NOTE: By default firewall-cmd changes only the runtime configuration, which is lost on reboot. Add the --permanent flag to store the change instead, but be aware that a --permanent change alone does not touch the running firewall: run firewall-cmd --reload afterwards (or run the command once without and once with --permanent) so that the port is open both now and after the next reboot.
You can skip the next few steps and directly test your newly opened port!
For Other Linux Distributions
So let's add this new port to our system's iptables rules, using the iptables command. If the command is not installed yet, get it from your package manager (the package is usually called iptables). It must be run as root, so prefix it with sudo if you are not.
iptables -A INPUT -p tcp --dport 4000 -j ACCEPT
This appends (-A) a rule to the INPUT chain that accepts packets of protocol (-p) TCP whose destination port (--dport) is 4000, with the target jump (-j) ACCEPT. One caveat about -A: it adds the rule at the end of the chain. If INPUT already ends with a catch-all REJECT or DROP rule, as most hardened rulesets do, the new rule lands behind it and is never reached; use -I INPUT (insert at the top) or -I INPUT <n> in that case, and check the order with iptables -L INPUT -n --line-numbers. Also, if the service is only meant for certain clients, restrict the rule to them with -s <address/prefix> rather than accepting connections from anywhere.
The rule takes effect the moment the command returns; there is no service to restart for that. Be careful with the commands below, which older guides recommend at this point:
sudo service iptables restart
or, using systemctl if you have it:
sudo systemctl restart iptables
On systems with the iptables-services package, restarting the service flushes the running rules and reloads the saved ruleset, so a rule you have not saved yet disappears. Only restart after saving the rules (see the section on reboots below).
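The three procedures above (ufw, firewalld, plain iptables) differ in the command, in where the rule needs to sit and in how it is persisted. The helper below is an added example, not the tutorial's own commands, that puts them side by side. It assumes you name the backend explicitly, that DRY_RUN=1 prints the commands instead of running them (so it can be tried unprivileged), and that /etc/iptables/rules.v4 is where your boot service loads saved iptables rules from (a Debian/Ubuntu iptables-persistent path; CentOS/RHEL with iptables-services uses /etc/sysconfig/iptables, so override IPTABLES_SAVE_PATH there). The iptables branch uses -I instead of -A so the rule is not stranded behind a catch-all REJECT, and the optional third argument restricts the rule to a source range, which you should do whenever the service is not meant to be public.

```shell
#!/bin/sh
# Added example (not from the tutorial): open a TCP port on whichever firewall
# front end the host uses, including the persistence step each one needs.
# Run as root for real; with DRY_RUN=1 the commands are only printed.
# Assumption: IPTABLES_SAVE_PATH defaults to /etc/iptables/rules.v4, which is
# hypothetical for your host; set it to the file your boot service reads.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Succeed when nothing is listening on the TCP port (same check as the
# tutorial's `ss -na | grep :4000`, but only listening sockets, column 4).
# If ss is missing the check is skipped and the port is assumed free.
port_is_free() {
  port=$1
  if command -v ss >/dev/null 2>&1; then
    if ss -lnt | awk -v p="$port" 'NR>1 && $4 ~ (":" p "$") { found=1 } END { exit !found }'; then
      return 1
    fi
  fi
  return 0
}

# $1 = backend (ufw | firewalld | iptables), $2 = port, $3 = optional source CIDR
open_tcp_port() {
  backend=$1; port=$2; src=${3:-}
  port_is_free "$port" || { echo "port $port already has a listener" >&2; return 1; }
  case $backend in
    ufw)
      # ufw stores the rule under /etc/ufw and reapplies it at boot by itself.
      if [ -n "$src" ]; then
        run ufw allow from "$src" to any port "$port" proto tcp
      else
        run ufw allow "$port/tcp"
      fi ;;
    firewalld)
      # --permanent edits only the stored config; --reload makes it live now.
      if [ -n "$src" ]; then
        run firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"$src\" port port=\"$port\" protocol=\"tcp\" accept"
      else
        run firewall-cmd --permanent --add-port="$port/tcp"
      fi
      run firewall-cmd --reload ;;
    iptables)
      # -I puts the rule at the top of INPUT so it is matched before any
      # terminal REJECT/DROP rule that -A would have appended it behind.
      if [ -n "$src" ]; then
        run iptables -I INPUT -p tcp -s "$src" --dport "$port" -j ACCEPT
      else
        run iptables -I INPUT -p tcp --dport "$port" -j ACCEPT
      fi
      # Running rules vanish on reboot (and on an iptables service restart),
      # so write them where the boot service loads them from.
      run sh -c "iptables-save > ${IPTABLES_SAVE_PATH:-/etc/iptables/rules.v4}" ;;
    *)
      echo "unknown backend: $backend" >&2
      return 2 ;;
  esac
}

# Demo: show what would be run for a port reachable only from 10.0.0.0/8.
DRY_RUN=1 open_tcp_port iptables 4000 10.0.0.0/8
```

Drop DRY_RUN and run it as root to apply the rule for real; the dry run is also a cheap way to review a change before it touches a production firewall.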
Test the newly opened port for TCP Connections
Now that we have successfully opened a new TCP port (port 4000 in my case), let's test it out.
First, we will start netcat (nc) listening on port 4000, feeding it the output of ls so that any client that connects receives the listing. So after a client has opened a TCP connection to port 4000, it will receive the output of ls.
This makes netcat listen on port 4000. Leave this session alone for now.
Open another terminal session on the same machine.
Since I've opened a TCP port, I'll use telnet to check for TCP connectivity. If the command doesn't exist, again, install it using your package manager.
Input your server IP and the port number, which is 4000 in my case, and run this command:
telnet localhost 4000
This tries to open a TCP connection to localhost on port 4000. Note that a loopback test proves the listener works, but it is a weak test of the firewall rule: many rulesets accept all traffic on the lo interface before the port rules are evaluated. To confirm the rule itself, repeat the test from another host against the machine's real address.
You'll get output similar to this, indicating that a connection has been established with the listening program (nc).
Check Port Using Telnet
As you can see, the output of ls (while.sh in my case) has also been sent to the client, indicating a successful TCP connection!
To show that the port is indeed open, we can check it with nmap.
nmap localhost -p 4000
Check Open Port
Indeed, our port is open! We have successfully opened a new port on our Linux system!
NOTE: nmap reports a port as open only when something completes the TCP handshake. With the firewall rule in place but no listening application, the kernel answers the probe with a TCP RST and nmap prints the port as closed; if the firewall drops the probe instead, nmap prints filtered. So a closed result actually confirms that the firewall lets the port through, while filtered means the rule is missing or never reached. Similarly, telnet won't connect without a listener to talk to. This is why nc is such a useful tool: it stands in for a real service with a single command.
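The open / closed / filtered distinction above is the whole point of the test, so here is an added example (not from the tutorial) that classifies a port the same way without needing nmap or telnet installed. It assumes bash (for its /dev/tcp redirection) and the coreutils timeout command are present; the script itself can run under plain sh. A completed connection is open, a connection refused (the kernel's RST) is closed, and no answer before the timeout is filtered.

```shell
#!/bin/sh
# Added example (not from the tutorial): classify a TCP port the way nmap
# reports it, using only bash's /dev/tcp redirection and coreutils timeout.
#   open     - handshake completed: a process is listening and the firewall
#              lets the SYN through
#   closed   - connection refused: the packet reached the host but nothing
#              is listening, so the kernel answered with RST
#   filtered - no answer before the timeout: a firewall DROP rule (or an
#              unreachable host) swallowed the SYN
# Assumption: bash is installed even if this script runs under /bin/sh, and
# it was built with network redirections enabled (the default).
tcp_probe() {
  host=$1; port=$2; secs=${3:-3}
  rc=0
  timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || rc=$?
  case $rc in
    0)   echo open ;;
    124) echo filtered ;;
    *)   echo closed ;;
  esac
}

# Probe several ports on one host and print one "port state" line each.
probe_ports() {
  host=$1; shift
  for p in "$@"; do
    echo "$p $(tcp_probe "$host" "$p")"
  done
}

# With the tutorial's nc listener running this prints "4000 open"; with only
# the firewall rule it prints "4000 closed"; if the firewall DROPs the port
# (test from another host, not loopback) it prints "4000 filtered".
probe_ports 127.0.0.1 4000
```

Because closed and filtered look the same to a naive "does it connect" check, a deployment script should treat closed as "firewall fine, service not up yet" and filtered as "firewall rule missing", and alert differently on each.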
But this is only temporary, as the changes will be reset every time we reboot the system.
Need to update rules after every reboot
The iptables rule added above lives only in the kernel's running ruleset, so it is gone after a reboot (and after an iptables service restart, which reloads the saved set). Either repeat the same steps after every restart, or save the ruleset right after adding the rule with iptables-save, writing it to the file your distribution loads at boot: /etc/sysconfig/iptables with the iptables-services package on CentOS/RHEL, or /etc/iptables/rules.v4 with iptables-persistent on Debian/Ubuntu.
The ufw rules are not reset on reboot, so if you're an Ubuntu user, you need not worry about this part!
This is because ufw writes every rule to its own configuration files under /etc/ufw (such as /etc/ufw/user.rules) and its service reloads them into the kernel during boot. The kernel itself never saves firewall rules; something in userspace has to restore them at startup, and ufw does that for you.
For firewalld
As mentioned earlier, firewalld has the same problem: a rule added with firewall-cmd alone is runtime only. Avoid it by running the command with the --permanent flag as well, followed by firewall-cmd --reload, whenever you open a port or set any other rule.