Linux – How to know the ephemeral port for a service

As for ephemeral ports:

The Internet Assigned Numbers Authority (IANA) suggests the range 49152 to 65535 (2¹⁵+2¹⁴ to 2¹⁶−1) for dynamic or private ports. Many Linux kernels use the port range 32768 to 61000

Looking at the destination on the TCP/IP tuple as in the example you ask:

udp        0      0 192.168.1.25:41136      61.216.153.106:123

You can see it is the current machine using an NTP service UDP/123 on a remote server.

Or else, it is your machine doing an NTP request to an NTP server in China.

Actually, all those 4 lines are connections to NTP servers in China.

Usually, with the majority of protocols, when the known port service is on your side (first), you usually are the server receiving the connection, and the ephemeral port is on the right side; when it is the contrary, often it is your server that is using a remote service.

(Is your server in China? If not I would worry about possible malware)

You can also take the out -n, for resolving IP addresses/DNS and service names, however be aware that it introduces a noticeable lag in a machine/server with many connections (and/or with a slow DNS service). To have a feel of the difference try, I adapted your original netstat output for a possible output without -n:

$netstat -a | grep ESTABLISHED
udp        0      0 mylinux:41136      vns1.hinet.net:ntp        ESTABLISHED
udp        0      0 mylinux:59141      DNS1.SYNET.EDU.CN:ntp     ESTABLISHED
udp        0      0 mylinux:53680      rdns1.alidns.com:ntp      ESTABLISHED
udp        0      0 mylinux:34255      ns1.htudns.com:ntp        ESTABLISHED