Table of Contents
In this article, I will take you through Popular firewalld Examples to open a port on RedHat/CentOS 7. firewall-cmd is the command line tool used to manage firewalld rules. It allows port and services to be opened during runtime and also allows it to be persistent after reboot. Both the options are extensively used in Production environment in many of the Organizations as per their requirement.
Here, we will go through number of different methods which can be used to allow ports through firewall. You can check 10 Useful Firewall CMD Examples on RedHat/CentOS 7 to know more about firewalld services.
Firewalld Examples to Open a Port
Top 10 Ping Command Examples in Linux
1. List All Firewall Zones
You can check all the zones and its associated rules by using firewall-cmd --list-all-zones
command as shown below. Here you can see a list of all system defined zones. If you notice the output carefully you can see a default public zone showing active. If you change the zone then that zone will show active.
[root@localhost ~]# firewall-cmd --list-all-zones block target: %%REJECT%% icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: dmz target: default icmp-block-inversion: no interfaces: sources: services: ssh ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: drop target: DROP icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: external target: default icmp-block-inversion: no interfaces: sources: services: ssh ports: protocols: masquerade: yes forward-ports: source-ports: icmp-blocks: rich rules: home target: default icmp-block-inversion: no interfaces: sources: services: dhcpv6-client mdns samba-client ssh ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: internal target: default icmp-block-inversion: no interfaces: sources: services: dhcpv6-client mdns samba-client ssh ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: public (active) target: default icmp-block-inversion: no interfaces: enp0s3 sources: services: dhcpv6-client http https ssh ports: 6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 3456/tcp 4800/tcp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: trusted target: ACCEPT icmp-block-inversion: no interfaces: sources: services: ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: work target: default icmp-block-inversion: no interfaces: sources: services: dhcpv6-client ssh ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
2. Check List of Active Ports
To check all the active ports you need to use firewall-cmd --list-ports
command as shown below. It will show all the ports currently allowed through firewall.
[root@localhost ~]# firewall-cmd --list-ports 6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 3456/tcp 4800/tcp
--list-ports :
to list all the ports available for a zone. If zone is not mentioned, it will show for default zone.
3. Allow Port 7000 Permanently on Public Zone
If you want to allow Port 7000 permanently on public zone, then you need to use firewall-cmd --zone=public --permanent --add-port=7000/tcp
command as shown below.
[root@localhost ~]# firewall-cmd --zone=public --permanent --add-port=7000/tcp success
--zone :
specify zone
--permanent :
this option will allow the rules to be persistent even after reboot
--add-port :
to allow a port for the mentioned zone. If no zone specified, then it will allow for default zone.
4. Allow Range of Port 6990-7000 Permanently on Public Zone
You can also open a range of port from 6990-7000 through the firewall using below command.
[root@localhost ~]# firewall-cmd --zone=public --permanent --add-port=6990-7000/tcp success
5. Reflect Changes in Firewalld for Recently Added Port
Simply after adding the port in firewall rules you won't see in the list. You need to restart your firewalld service as well to reflect the changes in the list of ports.
[root@localhost ~]# firewall-cmd --list-ports 6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 3456/tcp 4800/tcp
Now you need to restart firewalld services using systemctl restart firewalld
command.
[root@localhost ~]# systemctl restart firewalld
After restarting the service you can again check the list of ports using firewall-cmd --list-ports
command.
[root@localhost ~]# firewall-cmd --list-ports 6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 3456/tcp 4800/tcp 7000/tcp 6990-7000/tcp
6. Enable SMTP Port through Service
Sometimes instead of allowing SMTP port through firewall you can also add service name and allow SMTP using below command.
[root@localhost ~]# firewall-cmd --zone=public --add-service=smtp success
--add-service :
to add a specific service
7. Remove MySQL Port from firewalld
If you want to temporarily remove mysql port access from firewall then you can simply run firewall-cmd --remove-port=3306/tcp
command to achieve that. Offcourse this change will be a runtime change and will get reset after a reboot.
[root@localhost ~]# firewall-cmd --remove-port=3306/tcp success
--remove-port :
to remove a port
8. Remove MySQL Port Permanently from firewalld
If you want to permanently remove mysql port from firewall then you need to use --permanent
option with --remove-port
option to implement that functionality.
[root@localhost ~]# firewall-cmd --permanent --remove-port=3306/tcp success
9. Enable Port forwarding through firewalld
You can also enable port forwarding through your firewall by using --add-forward-port
option as shown below. Here we are telling to forward all the incoming requests from Port 8080 to Port 7000.
[root@localhost ~]# firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=7000 success
--add-forward-port :
to specify port number where request needs to forward
10. Enable Port Forwarding to Another Host
If you are planning to forward incoming requests from port 8080 to another host port then you need to mention the remote IP address as well along with the destination port as mentioned below.
[root@localhost ~]# firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=7000:toaddr=192.168.0.101 success
11. Allow Multiple Ports through Firewalld
You can also allow multiple ports through firewall in one single command as shown below.
[root@localhost ~]# firewall-cmd --add-port={3306/tcp,8000/tcp,400/tcp} success
12. Add Multiple Ports permanently through Firewalld
If you want to permanently allow multiple ports through firewall, then you need to use --permanent
option as shown below.
[root@localhost ~]# firewall-cmd --permanent --add-port={3306/tcp,8000/tcp,400/tcp} success
13. Check if Port is already Added
You can also check if some port is already added in firewalld list or not using --query-port
option as shown below. If it is added you will see yes
in response.
[root@localhost ~]# firewall-cmd --query-port=7000/tcp yes
If any port is not added, then it will show no
in response.
[root@localhost ~]# firewall-cmd --query-port=9000/tcp no
How to install or enable ssh on Ubuntu(18.04/17.04/16.04)
How to Change Date/Time in RedHat/CentOS 7 with Best Example
Best Way to Install all Dependent Packages without Internet on RedHat/CentOS 7
How to create a Network Bonding/Teaming in RedHat/CentOS 7
16 Zip Command Examples to Compress Folders and Files in Unix/Linux