How to check open ports on Raspberry Pi

Raspberry Pi devices are commonly used to host a variety of lightweight services as they can do so very affordably. A simple example would be a web server, which handles user requests whenever someone navigates to a website. In order to make sure these services are accessible either on the local network or over the internet, we must make sure that the corresponding ports are open. Checking for open ports is also an essential security task that all administrators should perform in order to make sure that their Raspberry Pi only has the ports open that are necessary.

Otherwise, you could be unaware of outside connections being made to your Raspberry Pi, which consumes bandwidth and resources, along with being a potential security hole. In this tutorial, you will see how to check for open ports on a Raspberry Pi. This can be done with several different command line utilities, which we will go over in detail. We will also see how to use Raspberry Pi’s firewall to make sure ports are secure. So, do you know which ports of your Raspberry Pi are open? Let’s find out.

In this tutorial you will learn:

  • How to check for open ports with ss command
  • How to check for open ports with Nmap utility
  • How to check for and add allowed ports in nftables firewall
How to check open ports on Raspberry Pi
How to check open ports on Raspberry Pi
Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Raspberry Pi
Software ss, Nmap, nftables firewall
Other Privileged access to your Linux system as root or via the sudo command.
Conventions # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ – requires given linux commands to be executed as a regular non-privileged user

Check for open ports with ss command

The ss command can be used to show which ports are listening for connections on your Raspberry Pi. It also shows which networks it’s accepting the connections from.

The ss command replaced the older netstat command on Linux. You can still install and use the netstat command to check for open ports as well.

We recommend using the -ltn options with the command to see concise and relevant output. Let’s look at an example on our Raspberry Pi.

$ sudo ss -ltn
State      Recv-Q     Send-Q         Local Address:Port            Peer Address:Port     Process     
LISTEN     0          4096          *                    
LISTEN     0          5                *                    
LISTEN     0          70             *                    
LISTEN     0          151             *                    
LISTEN     0          5                      [::1]:631                     [::]:*                    
LISTEN     0          511                        *:80                         *:* 

We can see that our Raspberry Pi is listening for connections on port 80, 3306, and 33060. These are the well known ports associated with HTTP and MySQL.

You will also see that the ss output shows ports 53 and 631 are in a listening state. These are for DNS and Internet Printing Protocol, respectively. These are enabled by default, so you’ll likely see them listening on your own Raspberry Pi. The DNS port isn’t actually open, but rather it provides name resolution to applications installed on our system.

To see which processes these listening ports belong to, include the -p option in your command.

$ sudo ss -ltnp
State    Recv-Q   Send-Q      Local Address:Port        Peer Address:Port   Process                                      
LISTEN   0        4096     *       users:(("systemd-resolve",pid=530,fd=13))   
LISTEN   0        5         *       users:(("cupsd",pid=572,fd=7))              
LISTEN   0        70      *       users:(("mysqld",pid=2320,fd=32))           
LISTEN   0        151      *       users:(("mysqld",pid=2320,fd=34))           
LISTEN   0        5                   [::1]:631                 [::]:*       users:(("cupsd",pid=572,fd=6))              
LISTEN   0        511                     *:80                     *:*       users:(("apache2",pid=2728,fd=4),("apache2",pid=2727,fd=4),("apache2",pid=2725,fd=4))

Now we can see that systemd-resolve, cupsd, mysqld, and apache2 are the services that are utilizing the ports to listen for incoming connections.

Check for open ports with nmap

Nmap is a network reconnaissance tool that can be used to check for open ports on remote hosts. However, we can also use it to check our own Raspberry Pi to get a quick list of what ports are open.

Normally, we would specify a remote IP address for Nmap to scan. Instead, we can scan our own Raspberry Pi system by specifying localhost in the command.

$ sudo nmap localhost
Starting Nmap 7.80 ( ) at 2023-07-01 18:33 EST
Nmap scan report for localhost (
Host is up (0.000013s latency).
Not shown: 997 closed ports
80/tcp   open  http
631/tcp  open  ipp
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

Check what ports are open in nft firewall

There’s a big caveat you should keep in mind. When using the ss or nmap localhost commands on our Raspberry Pi, we’re bypassing the firewall. Indeed, these commands show ports that are in a listening state, but that doesn’t necessarily mean that the ports are open to the internet, because our firewall may be denying connections.

Check on the status of nftables to see if it is currently running:

$ sudo systemctl status nftables.service

Then, check the currently configured nftables firewall rules:

$ sudo nft list ruleset

In case you need to add an exception for some ports – HTTP and MySQL in our case, we can use the following command syntax to add these exceptions to the nftables firewall and make sure the ports are accessible on our Raspberry Pi:

$ sudo nft add table inet filter
$ sudo nft add rule inet filter input tcp dport \{ http, mysql \} accept

Now our two ports are open in the firewall and in a listening state.

Closing Thoughts

In this tutorial, we saw how to check for open ports on a Raspberry Pi system. This included using the ss command, as well as the nmap utility to check for listening ports. We also learned how to check the nftables firewall to see what ports are open, and add exceptions if necessary.

If a port is in a listening state and is allowed through the firewall, it should be open to incoming connections. But this is also dependent on your router or other network devices sitting between your Raspberry Pi and the internet, since they may have their own rules that block incoming connections.

Comments and Discussions
Linux Forum