
Problem: I am trying to determine which ports to open for specific programs

I have a number of programs that need to access services on remote hosts, but I don't know which ports they are trying to use for the purpose. Rather than opening the firewall up to 0-1024 (or 0-65k), I would like to identify which ports a program uses while it runs.

The first program to check is kinit. From the documentation I gather that I need to open port 88 for inbound udp traffic and port 88 for outbound tcp and udp traffic. But this does not seem to be enough, as the program responds with

kinit: Resource temporarily unavailable while getting initial credentials

Opening up all ports results in a correct authentication flow for kinit:

Using default cache: /tmp/krb5cc_16381
Using principal: *****@******.******.***
Password for *****@******.******.***:
Authenticated to Kerberos v5

I know how to use lsof, netstat and ss to retrieve the open ports of processes that bind to ports for longer periods, but kinit in particular seems to elude this listing, even when used together with a tool such as watch.

Edit: The accepted answer immediately showed me the culprit: DNS:

strace -e trace=connect kinit <user>@<kdc>
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("<kdc_ip>")}, 16) = 0

Opening this port fixed the problem with Kerberos.

Steen
  • What programs are they? Do they have config files? – Nasir Riley Aug 24 '20 at 14:34
  • Why don't you just log dropped packets with iptables or firewalld? Also make sure to check this link from Kerberos MIT to configure your firewall: https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Configuring-Your-Firewall-to-Work-With-Kerberos-V5.html. Also of course make sure you allow ports for udp. – Lorem ipsum Aug 24 '20 at 15:19
  • @NasirRiley: in principle any program that does network traffic, but in this particular case I selected kinit because of its characteristics as a program that is not long running – Steen Aug 26 '20 at 11:52
  • @LukasRäpple: That's a good suggestion that wasn't obvious to me, so thanks. I think it is similar to the answer given by @cscracker but the `strace` approach worked better for me and was simpler to use – Steen Aug 26 '20 at 11:53

2 Answers


You could try strace:

strace -e trace=connect your_program with arguments

Here is an example output:

$ strace -e trace=connect ssh somehost -p 8081
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.1.1")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(8081), sin_addr=inet_addr(<host ip address>)}, 16) = 0
connect(4, {sa_family=AF_LOCAL, sun_path="/run/user/1000/keyring/ssh"}, 110) = 0

The lines you need are those with the sa_family=AF_INET.

ilkhd
  • Beware that `strace` has a huge overhead and is not recommended on production systems: http://www.brendangregg.com/blog/2014-05-11/strace-wow-much-syscall.html – Juraj Martinka Aug 24 '20 at 19:03
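An added example, not part of ilkhd's answer or the question, that turns a trace like the ones above into a list of firewall targets. It assumes strace was run as `strace -f -e trace=socket,connect,sendto,sendmsg -o trace.log <program>`: `-f` follows child processes, tracing `sendto`/`sendmsg` as well catches UDP senders that never call connect(), and the `socket` lines let the script recover whether each descriptor is TCP or UDP, which a connect() line alone does not say. The trace it parses is constructed sample data in the shape strace prints; the addresses and ports are made up.

```python
import re
import sys
from collections import Counter

# Constructed trace in the shape `strace -f -e trace=socket,connect,sendto,sendmsg`
# prints (sample data, not taken from the page). Lines from forked children carry
# the "[pid N]" prefix that -f adds.
SAMPLE_TRACE = """\
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 0
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_UDP) = 4
sendto(4, "\\x12\\x34\\1\\0\\0\\1\\0\\0\\0\\0\\0\\0"..., 45, MSG_NOSIGNAL, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 45
[pid  4242] socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 5
[pid  4242] connect(5, {sa_family=AF_INET, sin_port=htons(88), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid  4242] socket(AF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_UDP) = 6
[pid  4242] connect(6, {sa_family=AF_INET6, sin6_port=htons(88), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::10", &sin6_addr), sin6_scope_id=0}, 28) = 0
"""

# "[pid N] " is what -f prints to the terminal; "N  " is the -o file format.
PID_RE = re.compile(r'^(?:\[pid\s+(?P<pid1>\d+)\]|(?P<pid2>\d+))\s+')
SOCKET_RE = re.compile(
    r'\bsocket\((?P<family>AF_INET6?|AF_UNIX), (?P<type>[A-Z_|]+), [A-Z_0-9]+\)'
    r' = (?P<fd>\d+)')
# Matches the sockaddr_in / sockaddr_in6 argument of connect(), sendto() and
# sendmsg(); AF_UNIX and other families never match and are skipped.
ENDPOINT_RE = re.compile(
    r'\b(?P<call>connect|sendto|sendmsg)\((?P<fd>\d+), .*?sa_family=(?P<family>AF_INET6?), '
    r'(?:sin_port=htons\((?P<port4>\d+)\), sin_addr=inet_addr\("(?P<addr4>[^"]+)"\)'
    r'|sin6_port=htons\((?P<port6>\d+)\), [^}]*?inet_pton\(AF_INET6, "(?P<addr6>[^"]+)")')
RESULT_RE = re.compile(r'\) = (?P<ret>-?\d+)(?: (?P<errno>E[A-Z]+))?')


def _pid(line):
    m = PID_RE.match(line)
    if not m:
        return 0  # no prefix: the traced process itself
    return int(m.group('pid1') or m.group('pid2'))


def _transport(sock_type):
    if 'SOCK_STREAM' in sock_type:
        return 'tcp'
    if 'SOCK_DGRAM' in sock_type:
        return 'udp'
    return 'other'


def parse_endpoints(trace_text):
    """One dict per remote IPv4/IPv6 endpoint the program tried to reach.

    A failed attempt (EINPROGRESS, ENETUNREACH, ...) is still an attempt: the
    firewall has to allow it, so the errno is recorded rather than filtered.
    """
    fd_transport = {}  # (pid, fd) -> 'tcp' | 'udp' | 'other'
    endpoints = []
    for line in trace_text.splitlines():
        pid = _pid(line)
        s = SOCKET_RE.search(line)
        if s:
            fd_transport[(pid, int(s.group('fd')))] = _transport(s.group('type'))
            continue
        e = ENDPOINT_RE.search(line)
        if not e:
            continue
        r = RESULT_RE.search(line)
        endpoints.append({
            'pid': pid,
            'call': e.group('call'),
            # The table is per pid, so a descriptor inherited by a forked child
            # (created before the fork) shows up as 'unknown'.
            'transport': fd_transport.get((pid, int(e.group('fd'))), 'unknown'),
            'family': e.group('family'),
            'addr': e.group('addr4') or e.group('addr6'),
            'port': int(e.group('port4') or e.group('port6')),
            'errno': r.group('errno') if r else None,
        })
    return endpoints


def summarize(trace_text):
    """Collapse the attempts into distinct (transport, addr, port) targets with counts."""
    return Counter((ep['transport'], ep['addr'], ep['port'])
                   for ep in parse_endpoints(trace_text))


def firewall_targets(trace_text):
    """Sorted 'proto addr:port' strings, the list a firewall rule set needs."""
    return sorted(f"{t} {a}:{p}" for (t, a, p) in summarize(trace_text))


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    for (transport, addr, port), n in sorted(summarize(text).items()):
        print(f"{transport:8}{addr:>16} port {port:<6}({n} attempt(s))")
```

Run it on a real trace with `python3 trace_ports.py trace.log`; without an argument it processes the embedded sample. The strace overhead mentioned in the comment above is real, so do this on a test box, not on the production host, and keep in mind that a program which resolves names will show the DNS server on port 53 before the service port it actually wanted.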

You can configure your iptables rules to log traffic, and see exactly what traffic was being sent at the time you ran a given program. This won't work well on a busy system, as it doesn't actually tell you which program sent which traffic, but on a light load, you should be able to piece together what's happening.

Example for input and output:

iptables -A INPUT -j LOG --log-prefix "INPUT:DROP:" --log-level 6
iptables -A INPUT -j DROP
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT:DROP:" --log-level 6
iptables -A OUTPUT -j DROP

There are a lot more options and features if you want to get more complex, too.

cscracker
  • Nice suggestion. However, the `strace` command gave me immediate and by default filtered output, so that worked better in this case. Thanks for the answer, though. – Steen Aug 25 '20 at 12:56
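As an added example, not part of cscracker's answer, here is a parser that turns the kernel log lines those LOG rules produce into the narrow accept rules they justify. The input is a constructed dmesg/journal excerpt in the LOG target's `KEY=value` format (addresses, ports and UIDs are made up). It assumes the OUTPUT LOG rule was given `--log-uid`, which makes the LOG target add `UID=`/`GID=` fields for locally generated packets; filtering on the UID the program ran as is the cheapest way to recover the "which program" information this approach otherwise lacks. Because the LOG and DROP rules above were appended with `-A`, the generated accepts use `-I` so they land ahead of them.

```python
import re
from collections import Counter

# Constructed kernel log excerpt (sample data, not from the page) for LOG rules
# with the prefixes "OUTPUT:DROP:" and "INPUT:DROP:". The OUTPUT rule is
# assumed to have been added with --log-uid, hence the UID=/GID= fields.
SAMPLE_KLOG = """\
Aug 24 14:31:02 host kernel: [ 1234.567890] OUTPUT:DROP:IN= OUT=eth0 SRC=192.0.2.5 DST=192.0.2.53 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=43210 DF PROTO=UDP SPT=48231 DPT=53 LEN=53 UID=16381 GID=16381
Aug 24 14:31:02 host kernel: [ 1234.568101] OUTPUT:DROP:IN= OUT=eth0 SRC=192.0.2.5 DST=192.0.2.53 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=43211 DF PROTO=UDP SPT=48231 DPT=53 LEN=53 UID=16381 GID=16381
Aug 24 14:31:03 host kernel: [ 1235.102233] OUTPUT:DROP:IN= OUT=eth0 SRC=192.0.2.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43212 DF PROTO=TCP SPT=51234 DPT=88 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 24 14:31:03 host kernel: [ 1235.300512] INPUT:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=88 DPT=51234 WINDOW=65160 RES=0x00 ACK SYN URGP=0
Aug 24 14:31:05 host kernel: [ 1237.000001] INPUT:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

# The log prefix sits between the "[timestamp]" and the first "IN=" field.
PREFIX_RE = re.compile(r'\]\s*(?P<prefix>\S*?)IN=')
FIELD_RE = re.compile(r'(\w+)=(\S*)')


def parse_log(klog_text):
    """One dict per LOG line: chain (from the prefix), proto, addresses, ports, uid."""
    entries = []
    for line in klog_text.splitlines():
        m = PREFIX_RE.search(line)
        if not m:
            continue  # not a netfilter LOG line
        fields = dict(FIELD_RE.findall(line))  # flags like DF/SYN have no '=' and are ignored
        entries.append({
            'chain': m.group('prefix').split(':')[0],
            'proto': fields.get('PROTO', '?').lower(),
            'src': fields.get('SRC'),
            'dst': fields.get('DST'),
            'spt': int(fields['SPT']) if 'SPT' in fields else None,
            'dpt': int(fields['DPT']) if 'DPT' in fields else None,  # None for ICMP
            'uid': int(fields['UID']) if 'UID' in fields else None,  # only with --log-uid
        })
    return entries


def outbound_targets(klog_text, uid=None):
    """Distinct (proto, dst, dport) the host tried to reach, with hit counts.

    With uid set, keep only packets that --log-uid attributed to that user,
    which is how to separate one program's traffic from the rest of the box.
    """
    counts = Counter()
    for e in parse_log(klog_text):
        if e['chain'] != 'OUTPUT' or e['dpt'] is None:
            continue
        if uid is not None and e['uid'] != uid:
            continue
        counts[(e['proto'], e['dst'], e['dpt'])] += 1
    return counts


def allow_rules(klog_text, uid=None):
    """Render each outbound target as a narrow OUTPUT accept, inserted (-I) ahead
    of the appended LOG/DROP rules, plus one conntrack rule so replies get back in
    without opening INPUT to the reply ports themselves."""
    rules = [f"iptables -I OUTPUT -p {proto} -d {dst} --dport {dpt} -j ACCEPT"
             for (proto, dst, dpt) in sorted(outbound_targets(klog_text, uid))]
    rules.append("iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    return rules


if __name__ == '__main__':
    for (proto, dst, dpt), n in sorted(outbound_targets(SAMPLE_KLOG).items()):
        print(f"{proto:5}{dst:>16} port {dpt:<6}({n} dropped packet(s))")
    print()
    print("\n".join(allow_rules(SAMPLE_KLOG, uid=16381)))
```

In the sample the INPUT drop on line 4 is the KDC's SYN/ACK coming back to the ephemeral port 51234; that is exactly the reply the conntrack rule admits, which is why the script does not turn INPUT drops into rules of their own. Feed it real data with `journalctl -k` or `dmesg` redirected to a file and pass the text to `allow_rules()`.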