Why is it that I don't need port forwarding for my app to work?

Ok, so just to be clear, I don't have any issues at the moment, this question is just to gain some insight and understanding of the topic.

So I have hosted a basic Linode Nanode Ubuntu 20.04LTS server and when I run my python developed socket based server on it, I am able to successfully connect to the server from my client application without needing to setup any port forwarding.
Why is it that I did not need to setup any port forwarding for it to work?

This question here, was the closest I could find to answering my own question, but I'm not sure how relevant it is and it lacks any basic explanation as to answering the why in my question.

Thanks for any help!

6 Replies

In your linked post, @evaldez stated the following:

We don't block any ports when Linodes are created. This means that any software you install would be able to listen via any port you need.

This is still quite relevant. That means when your Linode is created, you are able to access almost any port you want, as you aren't behind a firewall and your Linode's IP addresses are a direct, public connection to the internet.

When you run server software on a computer at your home, you're typically connected to a router. Any IPV4 address your computer receives on that router, such as 192.168.1.2, is internal to the router's network itself. To access the internet, that IP address must be changed to a public address, such as 72.13.3.34. This is done through a process known as Network Address Translation, something your router will handle for you automatically. Anything trying to access your computer at 192.168.1.2 via the internet, and using the public IP address of 72.13.3.34, will require that your router forwards the port you're trying to access to 192.168.1.2.

For a practical example of this explanation, let's say you have a Linode with an IP address of 72.14.173.3. You want to access ssh on port 22, so as to remotely control your Linode. You are able to do so immediately, since your Linode has that IP address assigned to its network card already. No further routing is required. Now, let's say you want to access ssh on your computer behind your router, and its given IP address is 192.168.1.2. You are able to access your computer's ssh server via that IP address using any computer that is connected to the same router. However, when you try and access it from another location at the public address of 72.13.3.34, it will fail. Your router must be instructed to forward all requests to 72.13.3.34 on port 22, to 192.168.1.2 on port 22. Once this is done, you will then be able to access your ssh server from the public internet at 72.13.3.34, port 22.

I hope that information was helpful for you, and assisted you in clarifying the reason why you don't have to forward ports.

Blake

Thanks for the help @tech10
That answered my question, but left me wondering why I see questions like this one, which ask how to open a port etc. Is this question in the link only relevant if a firewall or some other type of security is set up?

One other question:
Should I be looking at blocking non-required ports on the server for security? Would it be recommended to follow this and this guides for security or is the server secure enough as it is?

Glad to help.

Your first link to the question is relevant if you've set up a firewall. I would recommend doing that, as there is no firewall set up by default. You can check out https://www.linode.com/docs/security/firewalls/ guides for help with that.

Your second linked guide is a good one for providing good tips on securing a server and simplifying the process a bit. Fail2ban is another good method for blocking spammers from accessing your server, as it will automatically block failed login attempts from specific IP addresses. It needs a firewall set up to work with it, though, so I'd look into setting up Fail2ban and its procedure first, before you worry about setting up a firewall. You can build your firewall around what Fail2ban requires and close access to everything but those ports you want open. This would prevent any potentially vulnerable services you may not know about, from being accessed by nefarious users or bots.

Good luck, and feel free to ask if you have any further questions.

Blake

@SomewhatSomeone --

You write:

That answered my question, but left me wondering why I see questions like this one, which ask how to open a port etc. Is this question in the link only relevant if a firewall or some other type of security is set up?

Yes.

You also write:

[…] is the server secure enough as it is?

No. Freshly-minted Linodes are NOT(!!!!!) secure at all. This is by design…you typically don't want some anonymous support 'droid determining your security policy for you. If that's what you do want, I suggest you pass through the gateway to shared-hosting hell ("No…we can't install php-redis for you…it's against our support/security/I-don't-know-what-that-is/I-don't-want-to policy…").

I've seen ssh(1) dictionary attacks start within 90 seconds of spinning up a new Linode…before I've made a login account for myself (looking at you Russia & China)…

-- sw

Thanks @tech10 and @stevewi for the responses.
I will look into setting up some firewall soon then I suppose, (not that anything important is stored on the server atm).

One other question I have at the moment though, is I notice my Monthly Network Transfer usage has gone from 22MB to 26MB in the time span of approximately 12 hours. This was measured while I left my linode running, however with none of my applications running during this time at all (note: I simply have 2 python scripts which I made myself, on the machine atm). This suggests that the machine will use roughly 4MBx(2x30days)=240MB/month just in an idle state with none of my own programs doing anything at all.

Is this normal?
Will this be mitigated by setting up a firewall/blocking unused ports?

I am on the shared $5/month plan atm, with the Ubuntu 20.04 LTS, Nanode 1GB: 1 CPU, 25GB Storage, 1GB RAM. I was under the impression that I only had 1GB of out-bound data per month for the first few days I had the plan, because of the name (Nanode 1GB) and because the dashboard showed 1GB used/930 available, but if its really 1TB of data per month as I now think it is, that will be a happy surprise, which means 240MB shouldn't be a big deal if its due to system usage.

Hi,
Outbound transfer is the only transfer counted toward your 1TB of data. In the Linode cloud, you can see inbound transfer as well, both inbound and outbound separated by private and public use, as well as by IPV4 and IPV6. This can help you determine what transfer is being used and where if you ever needed to track it down, though there's other tools that can assist you in such matters on your server to figure out what programs are sending what packets, and on what ports.

Depending on what your scripts are sending or what your programs are running, 4MB in 12 hours may be normal. It's not a bad amount of bandwidth use, and even on most Linode's that have nothing, I'll sometimes notice a few KB of transfer being used, perhaps for time synchronization and any other background tasks that may be on the server running by default. I'd say it's not too much of a concern unless you want to save every bite of bandwidth that you have.

A firewall would block incoming requests to ports you aren't using if you set it up properly, and can even block outbound packets if you want, so a firewall could help you save bandwidth if you set it up this way. If you do, though, you'll have to remember to open inbound and outbound ports for your uses before you can utilize particular servers or services on your Linode.

Blake

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct