Cyberithub

Popular firewalld Examples to open a port on RedHat/CentOS 7

In this article, I will take you through Popular firewalld Examples to open a port on RedHat/CentOS 7. firewall-cmd is the command line tool used to manage firewalld rules. It allows ports and services to be opened at runtime, and it also allows those changes to be made persistent across reboots. Both options are used extensively in production environments in many organizations, depending on their requirements.

Here, we will go through a number of different methods which can be used to allow ports through the firewall. You can check 10 Useful Firewall CMD Examples on RedHat/CentOS 7 to know more about firewalld services.


Firewalld Examples to Open a Port


1. List All Firewall Zones

You can check all the zones and their associated rules by using the firewall-cmd --list-all-zones command as shown below. Here you can see the list of all system-defined zones. If you look at the output carefully you can see the default public zone marked as active. If you change the zone, then that zone will show as active instead.

[root@localhost ~]# firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client http https ssh
ports: 6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 3456/tcp 4800/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
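
The listing above is long and most zones in it are not bound to anything. As an added example (not from the original article), here is a POSIX shell function that reads that --list-all-zones output on stdin and condenses it to one line per active zone, which is the zone actually filtering traffic on an interface or source range; the sample input is constructed, and the home zone with a source range and masquerade enabled is made up for illustration.

```shell
#!/bin/sh
# Added example, not from the article: condense `firewall-cmd --list-all-zones`
# output (read on stdin) to one line per ACTIVE zone, the zones actually filtering
# traffic, as:  zone|target|interfaces|sources|services|ports|masquerade
audit_active_zones() {
    awk '
        function val(   s) { s = $0; sub(/^[^:]*:[ \t]*/, "", s); return s }
        function flush() {
            if (zone != "" && active)
                printf "%s|%s|%s|%s|%s|%s|%s\n",
                       zone, target, ifaces, sources, services, ports, masq
        }
        # Zone header: a bare zone name, optionally followed by " (active)".
        /^[A-Za-z0-9_-]+( \(active\))?$/ {
            flush()
            zone = $1
            active = ($0 ~ /\(active\)/)
            target = ifaces = sources = services = ports = masq = ""
            next
        }
        /^[ \t]*target:/     { target   = val() }
        /^[ \t]*interfaces:/ { ifaces   = val() }
        /^[ \t]*sources:/    { sources  = val() }
        /^[ \t]*services:/   { services = val() }
        /^[ \t]*ports:/      { ports    = val() }
        /^[ \t]*masquerade:/ { masq     = val() }
        END { flush() }
    '
}
# Constructed sample in the shape of the article's listing (fields trimmed; the
# home zone with a source range and masquerade is made up for illustration).
SAMPLE_ZONES='drop
  target: DROP

home (active)
  target: default
  sources: 192.0.2.0/24
  services: samba-client ssh
  ports: 445/tcp
  masquerade: yes

public (active)
  target: default
  interfaces: enp0s3
  services: dhcpv6-client http https ssh
  ports: 6443/tcp 2379-2380/tcp 10250/tcp
  masquerade: no'
# On a firewalld host: firewall-cmd --list-all-zones | audit_active_zones
printf '%s\n' "$SAMPLE_ZONES" | audit_active_zones
```

Inactive zones such as drop are skipped, so the output is only what is reachable right now, which is what you want to review after opening ports.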

2. Check List of Active Ports

To check all the active ports you need to use the firewall-cmd --list-ports command as shown below. It will show all the ports currently allowed through the firewall.

[root@localhost ~]# firewall-cmd --list-ports
6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 3456/tcp 4800/tcp

--list-ports : to list all the ports allowed for a zone. If no zone is mentioned, it will show the default zone.

3. Allow Port 7000 Permanently on Public Zone

If you want to allow port 7000 permanently on the public zone, then you need to use the firewall-cmd --zone=public --permanent --add-port=7000/tcp command as shown below.

[root@localhost ~]# firewall-cmd --zone=public --permanent --add-port=7000/tcp
success

--zone : specify the zone

--permanent : this option makes the rule persistent even after a reboot

--add-port : to allow a port for the mentioned zone. If no zone is specified, then it will allow it for the default zone.

4. Allow Range of Port 6990-7000 Permanently on Public Zone

You can also open a range of ports, 6990-7000, through the firewall using the command below.

[root@localhost ~]# firewall-cmd --zone=public --permanent --add-port=6990-7000/tcp
success

5. Reflect Changes in Firewalld for Recently Added Port

Immediately after adding the port to the firewall rules with --permanent you won't see it in the list, because the permanent configuration is kept separately from the running one. You need to restart your firewalld service as well for the change to be reflected in the list of ports.

[root@localhost ~]# firewall-cmd --list-ports
6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 3456/tcp 4800/tcp

Now you need to restart the firewalld service using the systemctl restart firewalld command.

[root@localhost ~]# systemctl restart firewalld

After restarting the service you can check the list of ports again using the firewall-cmd --list-ports command.

[root@localhost ~]# firewall-cmd --list-ports
6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 3456/tcp 4800/tcp 7000/tcp 6990-7000/tcp

6. Enable SMTP Port through Service

Sometimes, instead of allowing the SMTP port number through the firewall, you can add the service by name and allow SMTP using the command below.

[root@localhost ~]# firewall-cmd --zone=public --add-service=smtp
success

--add-service : to add a specific service

7. Remove MySQL Port from firewalld

If you want to temporarily remove MySQL port access from the firewall then you can simply run the firewall-cmd --remove-port=3306/tcp command to achieve that. Of course, this change is a runtime change only and will be reset after a reboot.

[root@localhost ~]# firewall-cmd --remove-port=3306/tcp
success

--remove-port : to remove a port

8. Remove MySQL Port Permanently from firewalld

If you want to permanently remove the MySQL port from the firewall then you need to use the --permanent option together with the --remove-port option.

[root@localhost ~]# firewall-cmd --permanent --remove-port=3306/tcp
success

9. Enable Port forwarding through firewalld

You can also enable port forwarding through your firewall by using the --add-forward-port option as shown below. Here we are telling firewalld to forward all incoming requests on port 8080 to port 7000.

[root@localhost ~]# firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=7000
success

--add-forward-port : to specify the incoming port and the port (and optionally the address) its requests need to be forwarded to

10. Enable Port Forwarding to Another Host

If you are planning to forward incoming requests from port 8080 to a port on another host, then you need to mention the remote IP address as well, along with the destination port, as shown below.

[root@localhost ~]# firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=7000:toaddr=192.168.0.101
success

11. Allow Multiple Ports through Firewalld

You can also allow multiple ports through the firewall in one single command as shown below; the braces are expanded by bash into three separate --add-port arguments.

[root@localhost ~]# firewall-cmd --add-port={3306/tcp,8000/tcp,400/tcp}
success

12. Add Multiple Ports permanently through Firewalld

If you want to permanently allow multiple ports through the firewall, then you need to add the --permanent option as shown below.

[root@localhost ~]# firewall-cmd --permanent --add-port={3306/tcp,8000/tcp,400/tcp}
success

13. Check if Port is already Added

You can also check whether a port has already been added to firewalld using the --query-port option as shown below. If it has been added you will see yes in the response.

[root@localhost ~]# firewall-cmd --query-port=7000/tcp
yes

If the port has not been added, it will show no in the response.

[root@localhost ~]# firewall-cmd --query-port=9000/tcp
no
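
Putting --query-port, --permanent --add-port and the reload step together, here is an added example (not from the original article) of an idempotent POSIX shell function that opens a list of ports in a zone only if they are not already in the permanent configuration, reloads firewalld once with firewall-cmd --reload (an alternative to the service restart used above) and then verifies the runtime state. FIREWALL_CMD is an assumed hook variable, added so the function can be dry-run or exercised with a stand-in command; by default it is the real firewall-cmd.

```shell
#!/bin/sh
# Added example, not from the article: open ports idempotently in the permanent
# config AND at runtime, then verify. FIREWALL_CMD is an assumed hook so the
# logic can be exercised with a stand-in; by default it is the real firewall-cmd.
: "${FIREWALL_CMD:=firewall-cmd}"

# ensure_ports ZONE PORT_SPEC...   (PORT_SPEC like 7000/tcp or 6990-7000/tcp)
# Prints "added <spec>" for each port it had to add and "reloaded" if it reloaded.
# Returns 0 if every port is open at runtime afterwards, 1 otherwise.
ensure_ports() {
    zone=$1; shift
    changed=0
    for spec in "$@"; do
        # --query-port exits 0 for "yes" and 1 for "no"; check the permanent
        # config so a reboot cannot silently undo the change.
        if ! "$FIREWALL_CMD" --zone="$zone" --permanent --query-port="$spec" >/dev/null 2>&1; then
            "$FIREWALL_CMD" --zone="$zone" --permanent --add-port="$spec" >/dev/null || return 1
            echo "added $spec"
            changed=1
        fi
    done
    # Permanent rules do not apply to the running firewall until it is reloaded
    # (or, as in the article, the service is restarted). Reload only if needed.
    if [ "$changed" -eq 1 ]; then
        "$FIREWALL_CMD" --reload >/dev/null || return 1
        echo "reloaded"
    fi
    # Verify the runtime state, which is what actually filters traffic now.
    for spec in "$@"; do
        "$FIREWALL_CMD" --zone="$zone" --query-port="$spec" >/dev/null 2>&1 || return 1
    done
    return 0
}

# Usage on a firewalld host (skipped automatically where firewall-cmd is absent):
if command -v "$FIREWALL_CMD" >/dev/null 2>&1; then
    ensure_ports public 7000/tcp 6990-7000/tcp
fi
```

Running it twice prints nothing the second time, which makes it safe to keep in a provisioning script.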

 

 
