Blocking Open Ports with Firewalls
Learn how to block open ports on a Linux server using firewalls. We will learn how to create firewall rules with iptables.
What is an Open Port?
Open ports are ports that accept external traffic, allowing communication with the technologies running there. For example, a web server running on port 80 accepts user connections and sends back the web application content.
INFO: A port isn't open if there isn't a service listening for a connection on it.
However, ports should only be open if they are needed. For example, database ports do not need to be open to the public. A single bug in the database or a weak password can allow someone to access and query the database. We can list the open ports on a machine by using the lsof command.
lsof -i -P -n | grep LISTEN
exim4 628 Debian-exim 3u IPv4 492657 0t0 TCP 127.0.0.1:25 (LISTEN)
exim4 628 Debian-exim 4u IPv6 492658 0t0 TCP [::1]:25 (LISTEN)
docker-pr 5845 root 4u IPv4 2202056446 0t0 TCP *:8003 (LISTEN)
docker-pr 5850 root 4u IPv6 2202056451 0t0 TCP *:8003 (LISTEN)
docker-pr 5997 root 4u IPv4 2202087466 0t0 TCP *:8001 (LISTEN)
docker-pr 6002 root 4u IPv6 2202087471 0t0 TCP *:8001 (LISTEN)
sshd 24218 root 3u IPv4 2390739936 0t0 TCP *:22 (LISTEN)
sshd 24218 root 4u IPv6 2390739938 0t0 TCP *:22 (LISTEN)
docker-pr 31099 root 4u IPv4 2096211840 0t0 TCP *:443 (LISTEN)
docker-pr 31104 root 4u IPv6 2096211847 0t0 TCP *:443 (LISTEN)
docker-pr 31119 root 4u IPv4 2096205113 0t0 TCP *:80 (LISTEN)
docker-pr 31124 root 4u IPv6 2096205118 0t0 TCP *:80 (LISTEN)
Blocking Ports with Firewalls
We can use a firewall to block the port at the network level without stopping the application. A firewall is a network security device that monitors and controls network traffic according to a set of rules. Linux provides iptables, a command-line utility for managing the kernel's firewall. Let's use iptables to create a rule that drops packets destined for ports 8001 and 8003.
iptables -t filter -A INPUT -p tcp --match multiport --dports 8001,8003 -j DROP
This tells our server to drop any incoming packets to ports 8001 and 8003.
INFO: iptables is organised into tables; a table is a set of chains, a chain is an ordered list of rules, and a rule is a condition tested against each packet together with the action to take when it matches.
- -t - Specifies the table. filter is the default table and is used for packet filtering.
- -A - Appends the rule to the end of the chain.
- INPUT - Specifies that this rule is for incoming packets, i.e. packets addressed to our server.
- -p - Specifies the protocol. Can be one of tcp, udp, icmp, or all.
- --match multiport - Specifies that we want to match multiple ports.
- --dports - Specifies the destination ports.
- -j - The target: the action taken if the packet matches the rule. DROP discards the packet without sending any reply, so the port appears unresponsive to the client.
After running this command, any attempt to connect to port 8001 or 8003 will hang until the client times out. We can list the firewall rules using the following command:
iptables -t filter -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP tcp -- anywhere anywhere multiport dports 8001,8003
- -t - Specifies the table. filter is the default table and is used for packet filtering.
- -L - Lists the rules in the provided chain. Here we specify the INPUT chain.
- --line-numbers - Prints the position of each rule in the chain.
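As an added example, not part of the original article, the following Python script ties the two steps above together: it parses the lsof listing, picks out TCP ports bound to every interface (*) that are not on an allowlist, and builds the corresponding iptables DROP rules. The sample input is a trimmed copy of the article's lsof output, and the allowlist (keep SSH and HTTP reachable) and function names are my own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample input, trimmed from the article's lsof output (one line per port).
SAMPLE_LSOF = """\
exim4 628 Debian-exim 3u IPv4 492657 0t0 TCP 127.0.0.1:25 (LISTEN)
exim4 628 Debian-exim 4u IPv6 492658 0t0 TCP [::1]:25 (LISTEN)
docker-pr 5845 root 4u IPv4 2202056446 0t0 TCP *:8003 (LISTEN)
docker-pr 5997 root 4u IPv4 2202087466 0t0 TCP *:8001 (LISTEN)
sshd 24218 root 3u IPv4 2390739936 0t0 TCP *:22 (LISTEN)
docker-pr 31119 root 4u IPv4 2096205113 0t0 TCP *:80 (LISTEN)
"""

# One lsof line: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, where NAME is addr:port (LISTEN)
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)"
)

@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    proto: str  # "tcp" or "udp", as iptables -p expects
    addr: str   # bind address; "*" means every interface
    port: int

def parse_lsof(text: str) -> list[Listener]:
    """Parse `lsof -i -P -n | grep LISTEN` output; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Listener(m["cmd"], int(m["pid"]), m["proto"].lower(), m["addr"], int(m["port"])))
    return out

def exposed_ports(listeners: list[Listener], allowed: set[int], proto: str = "tcp") -> list[int]:
    """Ports bound to all interfaces ("*") and not allowlisted; loopback-only listeners are ignored."""
    return sorted({l.port for l in listeners
                   if l.proto == proto and l.addr == "*" and l.port not in allowed})

def drop_rules(ports: list[int], proto: str = "tcp") -> list[str]:
    """Build INPUT DROP rules; multiport takes at most 15 ports, so long lists are split."""
    rules = []
    for i in range(0, len(ports), 15):
        chunk = ",".join(str(p) for p in ports[i:i + 15])
        rules.append(f"iptables -t filter -A INPUT -p {proto} --match multiport --dports {chunk} -j DROP")
    return rules
```

Running `drop_rules(exposed_ports(parse_lsof(SAMPLE_LSOF), {22, 80}))` yields exactly the rule from the article; review the generated commands before executing them as root.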