Network ports

From Linuxintro

In TCP and UDP networks, ports are used for communication to/from services. For example, postfix's implementation of smtp runs as a process called "master" and by default listens on TCP port 25. The HTTP protocol typically listens on TCP port 80.

You can find a listing of ports as they are translated to services in /etc/services.

A port on a specific computer is called a socket. It can be open, closed, listening or have a connection established.

Exploring the concept

using lsof

As discussed, a web server listens on port 80 (http) by default. To test this, you can install and start the web server apache, in this example for SUSE Linux:

yast -i apache2
/etc/init.d/apache2 start

You will find that apache is indeed listening on port 80:

lsof -i
COMMAND    PID   USER   FD   TYPE DEVICE SIZE NODE NAME
...
httpd2-pr 8456 wwwrun    3u  IPv4  49805       TCP *:http (LISTEN)

This tells us that the process httpd2-pr(efork) is listening on the http port, running as user wwwrun for TCP connections. httpd2-prefork is part of the apache2 package:

rpm -qf $(which httpd2-prefork)
apache2-prefork-2.2.3-20

using nmap

You can watch if the port is open to a given computer, e.g. there is no firewall between it:

nmap localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-11-23 12:38 CET
Interesting ports on localhost (127.0.0.1):
Not shown: 1677 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind

Nmap finished: 1 IP address (1 host up) scanned in 0.272 seconds

This tells us that we can query port 80 on our local computer. You can also run nmap for remote computers.

using netstat

Show the connections that involve the http port

netstat -putan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2873/portmap
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      8455/httpd2-prefork
...

This shows that the process is listening on port 80. I also shows ESTABLISHED for established connections.

using telnet

To talk directly with your http server, you can use telnet or netcat: You submit:

telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /index.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Thorsten
Host: localhost
Connection: Keep-Alive

The server responds:

HTTP/1.1 200 OK
Date: Sun, 23 Nov 2008 12:02:24 GMT
Server: Apache/2.2.3 (Linux/SUSE)
Last-Modified: Sun, 23 Nov 2008 11:59:52 GMT
ETag: "311cfd-26-412de00"
Accept-Ranges: bytes
Content-Length: 38
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

<html><body>hello world</body></html>

Of course, the content of the html file you receive can be different from hello world. It is just the content of your webpage.

firewall

You understand that the apache service open a socket on port 80 and listens on it for incoming connections. Now a firewall is just a rule for the Linux kernel that closes one or more ports, so no incoming traffic is allowed on them.

See also