We open ports on the router ourselves. How to check if a port is open Program for connecting to a specified port

A port in computer networks is a natural number that is written in the OSI protocol header. It is designed to identify the recipient process of a packet on a single host.

Typically, in user space on a host with an installed OS, several processes occur simultaneously, and in each of them a specific program runs. If these programs affect the computer network, the “shell” from time to time receives an IP packet through it that is intended for one of the programs.

How it works?

If the program uses network communication, this process can occur as follows:

• The OS is asked for a specific port number. In this case, the system can either provide it to the program or prohibit transmission (this happens in cases where this port number is already used by another application).
• The OS is asked for an unspecified port number, any free one. The system itself selects it and provides it to the program.

• IP addresses of the recipient and sender hosts (required for a route to be built between them);
• Protocol number;
• Both port numbers (receiver and sender).

If the connection occurs over the TCP protocol, then the sender port is used both by the recipient OS to send confirmation of received data, and by the recipient process to send a response.

Open and closed ports

From the sender's side, the host and port number act as an analogue of the return address, which is indicated on the envelopes. This number is called the reverse number.

In cases where any process on the host constantly uses the same port number, such a port is considered open. For example, a program associated with a server might use 80 or 8080 for communication all the time. When a process cannot, it is considered closed.

Port numbers

All ports have their own numbers registered in the prescribed manner. Each of them is designed for its specific purpose. So, when working on the Internet, you can often see port 8080. Why is this functionality needed?

According to official data, this port operates over the TCP protocol and is intended for use with HTTP. Unofficially, it is also used by the Tomcat servlet container written in Java.

TCP port 8080 may use a specific protocol for communication, depending on the application. A protocol is a set of formalized rules that explains how data is transmitted over a network. It can be thought of as a language that is used between computers to help them communicate more efficiently.

The HTTP protocol, which runs over 8080, defines the communication format between Internet browsers and websites. Another example is the IMAP protocol, which defines the communication between IMAP mail servers and clients or, finally, which specifies the format used for encrypted messages.

Data transfer

Therefore, TCP port 8080 uses the Transmission Control Protocol. It is one of the main protocols in TCP/IP networks. While the IP protocol only deals with packets, TCP allows two hosts to establish a connection and exchange data streams. It guarantees their delivery, and also that the packets will be delivered to port 8080 in the same order in which they were sent. Guaranteed communication over 8080 is the key difference between TCP and UDP. UDP 8080 would not guarantee a connection the same way.

How to open port 8080 in Windows 7?

To do this, go to the Start menu and find Control Panel. In it you need to click on the “Network” submenu and find “Firewall” in it. In the “Exceptions” tab, find the “Add port” item. A dialog box will open in which you will need to enter the port number. Make sure the settings are set to TCP, then select OK.

How to close port 8080? To do this, just configure the connection to another specific port.

Advanced HTTP and TCP proxy configuration

The HTTP protocol runs on top of the TCP protocol, but provides additional information about the destination of the message. For this reason, the two proxies are configured differently.

HTTP traffic includes a destination host and a port for the message. It is sent over a TCP connection to a TCP endpoint, that is, between a specific host and port. Typically, the HTTP message points to the same endpoint as the TCP connection. If you change the client configuration to use an HTTP proxy, the connection is made to a different host and port than the one specified in the HTTP URLs. This means that the TCP endpoint in the message is different from the endpoint to which it is connected.

For example, if an HTTP request is sent to the page http://192.0.2.1:8080/operation, the request includes "192.0.2.1:8080" in the "Host" header of the HTTP message, which is sent to port 8080 on host 192.0. 2.1.

However, if you configure the HTTP client to use a proxy, the underlying TCP connection goes to the TCP endpoint for it while the messages still contain the original endpoint.

For example, if you configure the client to send its messages to the proxy server at 198281.100.1 port 3128, and the client sends a request for http://192.0.2.1:8080/operation, the message still contains "192.0.2.1:8080" in the "Host" header and now also in the "Request-Line" field. However, this message is now sent over a TCP connection to 198.51.100.1:3128. So an HTTP proxy can receive messages on one port (proxy port 8080) and can forward them to several different services based on the recipient information.

How to configure accepting connections through port 8080?

So, the "Host" header was added in HTTP/1.1. HTTP/1.0 connections do not include it. For this reason, such connections that do not go through a proxy do not include a host and port for the message. However, HTTP/1.0 information sent through the proxy still contains the target host and port in the "query string". Therefore, the absence of a "Host" header does not cause a problem for the proxy.

To enable the TCP proxy, you must change the client configuration from a real-time TCP endpoint to a replacement endpoint. Unlike HTTP, this protocol does not provide built-in proxy functionality. That is, if you connect to a proxy server via TCP, there is no mechanism for transmitting information to the final destination.

How to set up multiple connection using 8080?

The only way for a TCP proxy to allow connections to multiple systems (that is, destination endpoints), regardless of what traffic is sent on those connections, is to listen on a different port for each of the systems. This allows you to connect and maintain information about which of its port numbers corresponds to each endpoint. The client is then configured with a proxy port corresponding to each system it needs to connect to. for listening and their corresponding endpoints are configured in statements in the proxy configuration file, RTCP_install_dir/httptcp/registration.xml. First of all, you need to check port 8080 - if it is open by default, further settings will be made in a few minutes.

In this example, 198.51.100.1 is the proxy server IP address. Any traffic sent to port 3333 to the proxy server is sent to port 8080 at: www. Example. com:

Therefore, you must change the client configuration file whenever you add a new destination for traffic. This limitation does not apply to HTTP proxies.

Interaction between HTTP and TCP

To understand how ports are handled in HTTP and TCP proxies, assume you have two services running on 192.0.2.1:8080 and 192.0.2.1:8081, and a proxy running on 198.51.100.1. If they differ in IP address rather than port number, this example is the same except for the corresponding address for each service. If they are listening for HTTP traffic on one HTTP proxy port, requests to both TCP endpoints can be sent to it. When HTTP sees that a message is addressed to 192.0.2.1:8080, the proxy redirects the message to that address or applies whatever rules it has for that service. The same procedure applies to 192.0.2.1:8081 using the same port.

If these two services instead listen for TCP traffic, the two TCP proxy ports defined by the two elements must be open in the configuration file:

The client configuration for the first service changes from "192.0.2.1:8080" to "198.51.100.1:3333", and for the second - from "192.0.2.1:8081" to "198.51.100.1:3334". The client sends a message (TCP packet) to the first service at the first address.

The proxy server receives it on this port (3333), but does not know what data is being sent on this connection. All it knows is that it is connecting to port 3333. So the proxy server consults its configuration and sees that traffic on that port should be forwarded to 192.0.2.1:8080 (or that a rule for that service should be applied to it). If you cannot redirect all your HTTP traffic because the client configuration does not support the HTTP proxy configuration, you must use an HTTP reverse proxy.

In it, instead of the target URL, you specify the one you need. This process is similar to the process of configuring a TCP proxy in which you specify it as the TCP endpoint for a message on the client system and create a forwarding rule.

The difference is that you add a type attribute to the rule defining HTTP, as in the following example: .

How is the traffic flowing?

The proxy is now configured to only accept HTTP traffic on the designated port, and can apply richer filtering. For example, the server might filter traffic to a stub that does not have a specific path in its URL, or that does not use a specific HTTP method, such as POST. However, since the stub doesn't always work, the server still needs the destination from the element to be able to send traffic to the system. For example, suppose a client needs to connect to a service on 192.0.2.1:8080 and use an HTTP reverse proxy on 198.51.100.1:3333.

Before a client can use a proxy server, the client configuration for that service must be changed from a URL such as http:// 192.0.2.1:8080/ operation to http:// 198.51.100.1:3333/ operation. The request that is sent to this new URL ends up in the proxy server.

The request message contains the TCP endpoint for the proxy (198.51.100.1:3333) in the Host header rather than the system address because the client does not know that it is sending a redirected message. This simplified client role defines the nature of such a connection. So the proxy uses the elements to know that a request arriving on port 3333 requires one of the following: it must be forwarded to the live system at 192.0.2.1:8080 and the "Host" header in the message must be updated. The message must apply all the rules of that service, such as routing to a stub.

By default in all Windows operating systems to connect using the protocol RDP ( Remote Desktop Protocol / Remote Desktop ) uses the port TCP 3389 .

If your computer is connected directly to the Internet (for example, a VDS server), or you have configured port 3389/RDP on your border router to the local network on a computer or server running Windows, you can change the standard RDP port 3389 to any other. By changing the RDP port number for connection, you can hide your RDP server from port scanners, reduce the likelihood of exploitation of RDP vulnerabilities (the latest critical vulnerability in RDP BlueKeep is described in), reduce the number of attempts to remotely guess passwords via RDP (does not forget periodically), SYN and others types of attacks (especially with ).

Replacing the standard RDP port can be used when behind a router with one white IP address there are several Windows computers to which you need to provide external RDP access. On each computer, you can configure a unique RDP port and configure port forwarding on the router to local computers (depending on the RDP port number, the session is redirected to one of the internal PCs).

When choosing a non-standard port number for RDP, note that it is advisable not to use port numbers in the range 1 to 1023 (known ports) and dynamic ports in the RPC range (49152 to 65535).

Let's try changing the port on which the Remote Desktop service listens for connections to 1350 . For this:

1. Open the registry editor and go to the branch HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp;
2. Find DWORD registry value named PortNumber. This parameter specifies the port on which the Remote Desktop service listens for connections;
3. Change the value of this port. I changed the RDP port to 1350 in decimal value (Deciamal);
4. If Windows Firewall is enabled on your computer, you must create a new rule to allow incoming connections to the new RDP port (if you reconfigure a remote server via RDP without creating a rule in the firewall, you will lose access to the server). You can create an allow incoming rule for a new TCP/UDP RDP port manually from the 'Windows Defender Firewall' console ( firewall.cpl) or using: New-NetFirewallRule -DisplayName "New RDP Port 1350" -Direction Inbound -LocalPort 1350 -Protocol TCP -Action allow AND: New-NetFirewallRule -DisplayName "New RDP Port 1350" -Direction Inbound -LocalPort 1350 -Protocol UDP -Action allow
   
5. Restart your computer or restart the Remote Desktop Service with the command: net stop termservice & net start termservice
   
6. Now, to connect to this Windows computer via RDP, in the mstsc.exe client you need to specify the RDP connection port via a colon as follows: Your_Computer_Name:1350 or by IP address 192.168.1.100:1350 or from the command line: mstsc.exe /v 192.168.1.100 :1350
   

   If you use RDP connection manager to manage multiple RDP connections, the RDP port number you specify for the connection can be specified on the “Connection Settings” tab.
   

7. As a result, you will successfully connect to the desktop of the remote computer using the new RDP port number (using the nenstat –na | Find “LIST” command, make sure that the RDP service is now listening on a different port).
   

The complete PowerShell script for changing the RDP port, creating a rule in the firewall and restarting the RDP service on the new port might look like this:

New-NetFirewallRule -DisplayName "New RDP Port $RDPPort" -Direction Inbound –LocalPort $RDPPort -Protocol UDP -Action Allow

Write-host "RDP port number changed to $RDPPort " -ForegroundColor Magenta

You can change the RDP number remotely on multiple computers in an AD domain (specific OU) using Invoke-Command and :

Write-host "Specify the new RDP port number: " -ForegroundColor Yellow -NoNewline;$RDPPort = Read-Host
$PCs = Get-ADComputer -Filter * -SearchBase "CN=DMZ,CN=Computers,DC=winitpro,DC=ru"
Foreach ($PC in $PCs) (
Invoke-Command -ComputerName $PC.Name -ScriptBlock (
param ($RDPPort)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP\" -Name PortNumber -Value $RDPPort
New-NetFirewallRule -DisplayName "New RDP Port $RDPPort" -Direction Inbound –LocalPort $RDPPort -Protocol TCP -Action Allow
New-NetFirewallRule -DisplayName "New RDP Port $RDPPort" -Direction Inbound –LocalPort $RDPPort -Protocol TCP -Action Allow
Restart-Service termservice -force
}

These instructions for changing the standard RDP port are suitable for any version of Windows, from Windows XP (Windows Server 2003) to Windows 10 (Windows Server 2019).

Sometimes a user has a situation when it is necessary to open one or another computer port for video games, complex programs or special Internet clients. But how can you check if this port is currently open? There are several options for solving such problems.

I. CHECKING OPEN PORTS ON A LOCAL COMPUTER

Method 1. In order to check open ports on your local (your) computer, you can use the “Command Line” of the Windows operating system (

To call this line, you need to press the Win+R key combination and enter the “cmd” command, then click “OK”.

In the window that opens, enter the special command “netstat -a” and read the list of open ports on your computer.

Method 2. If you are connected to the Internet, you can check if the port is open on the website

whatsmyip.org/port-scanner/

This resource will determine your IP address itself, and you can scan ports through a special field “ Custom Port Test».

Enter the port you are interested in and click the " Check Port", after which you will receive an answer whether this port is open or closed.

II. CHECKING OPEN PORTS ON A REMOTE COMPUTER

Now let's look at how to check if a port is open on a remote computer or server. Use the same “Command Line” in Windows, but now write the telnet command in the format:

telnet IP address port

Press the Enter key. If there is no “Could not open...” entry, then the requested port is open, otherwise it is closed.

We briefly looked at how to check if a port is open on a computer. If you have any questions, please ask them in the comments field.

What does the port check result mean?

Status Port closed

It is not possible to connect to this port at this time. Malicious programs or attackers cannot use this port to attack or obtain confidential information (the material 4 best free antiviruses for Windows 10 will help you). If all unknown ports have the “closed” status, this means that the computer is well protected from network threats.

If the port should be open, then this is a bad indicator. The reason for the unavailability of the port may be incorrect configuration of the network hardware or software. Check the program's network access rights in the firewall. Make sure the ports are forwarded through the router.

The "port closed" result can also be obtained if the port is open, but your computer's network response time (ping) is too high. It is practically impossible to connect to the port in such conditions.

Status Port is open

You can connect to this port; it is accessible from the Internet. If that's what you need, great.

If the reason why the port may be open is unknown, then it is worth checking the running programs and services. Perhaps some of them quite legally use this port to work with the network. There is a possibility that the port is open due to the operation of unauthorized/malware software (the material How to enable protection against potentially unwanted programs in Windows Defender will help you). In this case, it is recommended to scan your computer with an antivirus.

F.A.Q.

What kind of ports? What are they needed for?

The ports that PortScan.ru checks are not physical, but logical ports on a computer or network device.
If a program or service plans to work with a network, it opens a port with a unique number through which it can work with remote clients/servers. In fact, the network program reserves a certain number for itself, which allows you to understand that the incoming data is intended specifically for this program.

In human language it would sound something like this: “I, the server program, open port number 1234. If data with port number 1234 arrives via the network cable, this is for me.”

What port numbers can the program open?

Ports are identified by numbers from 0 to 65535 inclusive. Any other port cannot be opened, and therefore cannot be checked either. These are limitations of the TCP/IP protocol.

It is worth noting that the client program must always know the port number to which it needs to connect on the server or other remote network device. For this reason, ports in the range from 0 to 1023 are reserved for the most popular protocols.

So, for example, when surfing the Internet, your browser connects to port 80 on the remote server on which the site is located. In response, the browser receives a set of code and data, which it downloads and displays as a web page.

For what situations is it possible to check open ports?

Checking open ports is possible if your computer is assigned an external IP address. You can find out more about this from your Internet service provider.

It is worth considering that if your computer is connected to the Internet not directly, but through a router (router), then the test results apply specifically to the router. It is possible to check the port status of a computer inside such a subnet only if port forwarding is available.

What is port forwarding?

Port Forwarding (sometimes Virtual Servers) is a special setting on the router that allows you to redirect external requests (from the Internet) to computers on the local network. Essentially, this is a way to specify which local computer to forward data and connection requests that come on a specific port.

Let's say you have a gaming or web server at home, connected via a router to the Internet. All computers connected to the same router are on the same network, so they will be able to connect to this server. However, from the outside, from the Internet, it will no longer be possible to connect to your server without port forwarding.

If your computer is connected to the Internet directly (without a router), then port forwarding is not required. All your open ports must be accessible from the Internet (with a dedicated IP, of course).

How can I find out which ports are open on my computer?

For Windows: Start → "cmd" → Run as administrator → "netstat -bn"
For Linux: In the terminal, run the command: "ss -tln"

How to close a port?

First of all, you need to eliminate the cause - the running program or service that opened this port; it needs to be closed/stopped. If the reason for an open port is not clear, check your computer with an antivirus, remove unnecessary port forwarding rules on the router and install an advanced firewall.

A common task: setting up remote access to a computer that is connected to the Internet via a router.

Solution: do port forwarding on the router. Port forwarding is also called publication of the port or port forwarding. In English terminology the terms are used Port Forwarding And Port Publishing.

What is port forwarding

Port redirection is the mapping of a specific external port of a gateway (router, modem) to the desired port of a target device on the local network (server, workstation, network storage, camera, recorder, etc.)

But which port to forward depends on how you want to access the computer.

How to set up remote access via RDP (remote desktop, terminal)

RDP connections are made to port 3389 of the target computer. What should be done:

Step 1 Allow incoming RDP connections on the computer

Attention! It is possible to make INCOMING connections via Remote Desktop to the following editions of Windows OS:
Windows XP Professional;
Windows 7/8.1 Professional;
Windows 7/8.1 Ultimate;
Windows 7/8.1 Corporate.

In Windows XP Starter, Home Edition, in Windows Vista/7/8/8.1 Starter, Home Basic, Home Premium there is no possibility of incoming connections.

To do this we open Properties of the system(WIN+Break), click on the link Additional system parameters:

Go to the tab Remote access, put the switch in position Allow connections to this computer, uncheck Allow connections only from computers running Remote Desktop with network level authentication (recommended) and click OK to apply the setting:

Step 2 Create an account on the computer under which the remote desktop user will connect.

Requirement No. 1. This the account must have a password. According to the default settings of the local security policy, accounts without a password are prohibited from connecting via RDP. It is not recommended to allow remote access to non-password-protected accounts in security policies. This will create a threat of unauthorized access from intruders.

Requirement No. 2. If the user is NOT an administrator on the local computer, he must be added to the group. This can be done in two ways.

How to allow a user without administrative privileges to connect to a remote desktop

Method one.

Right click on the system shortcut This computer and select Control:

In the window Computer management select Local users and groups => Users:

Find the desired user in the list and double-click to open its properties:

Go to the tab Group Membership and press the button Add:

Click the button Additionally:

Then, button Search:

Select a group from the list Remote Desktop Users and press OK:

In the windows Group selection And Properties:<пользователь> click OK:

Method two.

Open system properties (Win+Break), click Extra options:

Go to the tab Remote access and press the button Select users:

Click the button Add:

Click Additionally:

And Search:

In the list, select the user account to which you want to grant remote access rights and click OK:

Now click OK in the following two windows:

Step 3 Create a forwarding rule on the router, according to which, when a request is made on a given port, the connection will be redirected to port 3389 of the desired computer.

In D-Link routers, the required section may be called Virtual Server, as in D-Link DIR-615:

Also, it may be called Port Forwarding, as, for example, in DIR-300:

The essence is the same:

1. We give an arbitrary name to the rule;
2. Open a non-standard port on the router that is not occupied (field Public Port);
3. We indicate the IP address of the target computer on the network where the remote user should go (field IP Address);
4. We indicate the port number through which the application or service runs on the computer. In our case, for the Remote Desktop Server service this is port 3389 (field Private Port).

If your ISP gives your router a dynamic address, you can conveniently use the Dynamic DNS service. D-Link has its own service where you can register an Internet address (i.e. domain) for free and set up access to your router and local network through it.

To configure Dynamic DNS, go to the section MAINTENANCE, select subsection DDNS Settings and click on the link Sign up... to go to the site and register a domain. Then set up synchronization of the domain with the router's IP address in the area DYNAMIC DNS SETTINGS and save the settings with the button Save Settings:

After this, you can connect not by IP address, but by an address like your-adres.dlinkddns.com:port

Checking the connection to the computer via remote desktop

Start the Remote Desktop Server client:

In field Computer Enter the address and port separated by a colon. In field User enter your username and click the button To plug:

Check the box and click the button To plug:

Now enter the user password, check the box Remember credentials, if you don't want to enter your password every time, and press OK:

After this, a message may appear:

Here you can check the box Don't ask for connections to this computer again and press Yes:

Port assignment is a method of forwarding packets from any port on a local network interface to a specified host (computer) and port on the Internet, or forwarding packets from any unoccupied port from an external (Internet address) to a specified host (computer) and port on the local network.

The operation of this service is very simple and is usually used if it is impossible or advisable to use NAT or an HTTP proxy, or if it is better not to change the default gateway on client machines. Also, very often this scheme looks more understandable to many users than configuration via NAT.

Let's look at several common examples of configuration through port assignments.

Attention! Port assignments and public mail servers, such as mail.ru, yandex.ru, gmail.com, which require connection via secure communication channels, will not work with The Bat program. The problem lies in The bat program itself, because... There you cannot accept certificates and add them to exceptions so that they work normally and always. Through the assignment of ports, for example, "Mozilla Thunderbird" will work normally.

• Mail settings.

As you know, there are two services for exchanging email messages - POP3 (RUS) And SMTP (RUS). They use TCP ports 110 and 25 respectively. To send client requests using these protocols to the Internet through port assignments, you need to create two assignments.

For example, for a POP3 server we will most likely use an unoccupied local port - 9110, and for SMTP - 9025. We will configure it for the popular free mail - mail.ru.

Open the “Services - Port Assignment” page in the administrator console and click the “Add” button:

We select the IP of the local network card as the listening interface, port 9110. As the destination, enter the address pop.mail.ru and specify port 110:

Click the "Add" button again and specify the parameters for the SMTP server. We select the IP local network card as the listening interface and specify port 9025, and as the destination we register the address smtp.mail.ru and specify port 25.

Now you need to open the properties of the mail client on the client machine and enter the settings for assigning ports there.

For example, for The Bat program the setting will be like this:

• Setting up remote access from the Internet to a local network computer,
  for example, for the program R-admin (RUS) or RDP (RUS).

Typically, the ports that are used for these two programs (4899 TCP for R-admin and 3389 TCP for RDP) are already occupied by the server itself on which UserGate is installed, so we recommend that you use any others.

Let's select port 9999 for the RDP service, and port 9998 for the R-admin program.

In our example, the local subnet is the 192.168.2.X subnet and the computer being accessed from the Internet has an IP address of 192.168.2.45.

We create a rule in accordance with our current network configuration. We specify our external interface as the listening address. If you have a connection to a PPPoE, VPN or Dial-Up provider, then specify to listen to any interface, port 9998 for R-admin:

A remote connection from the Internet to a machine on the local network in this case will look something like this:

• for R-admin we specify the external IP address of the machine with UserGate - 172.19.169.7 and port 9998.
• for RDP we specify the external IP address of the machine with UserGate - 172.19.169.7 and port 9999.