firewall-cmd
firewall-cmd is used to manage firewall (iptables). It is used by default on latest version of CentOS, RHEL.
Check firewall status
To see if firewall is running of not use
1 |
firewall-cmd --state |
or
1 |
systemctl status firewalld |
To disable firewalls
1 2 |
systemctl stop firewalld systemctl disable firewalld |
Open a port in firewall
To allow HTTP and HTTPS traffic, run
1 2 3 4 5 |
firewall-cmd --permanent --zone=public --add-service=http firewall-cmd --permanent --zone=public --add-service=https firewall-cmd --permanent --zone=public --add-service=ssh firewall-cmd --permanent --zone=public --add-port=25/tcp firewall-cmd --reload |
Permanent option make the changes permanant. You need to reload firewall after using –permanent. If you want to open a port in current session and make it permanant, run the command with and with out –permanent.
Open a port range in firewall
1 |
firewall-cmd --zone=public --add-port=22-65535/tcp |
Close a port in firewall
To close a port, you can use command same as you open with –add replaced with –remove.
1 2 |
firewall-cmd --permanent --zone=public --remove-service http firewall-cmd --permanent --zone=public --remove-port 25/tcp |
Whitelist an IP address
1 |
firewall-cmd --zone=trusted --add-source=IP_ADDR_HERE |
To remove an IP, use
1 |
firewall-cmd --zone=trusted --remove-source=IP_ADDR_HERE |
Firewalld Zones
Zone is a collection of rules that can be applied to a specific interface. Some useful commands are
1 2 3 4 |
firewall-cmd --get-active-zones firewall-cmd --get-default-zone firewall-cmd --list-all-zones firewall-cmd --info-zone=public |
Zones are stored in /usr/lib/firewalld/zones
Services
Services are pre-made rules for a specific application. Some useful commands are
1 2 |
firewall-cmd --get-services firewall-cmd --info-service SERVICE_NAME_HERE |
Services are stoed in /usr/lib/firewalld/services/ or /etc/firewalld/services/.
Save run time configuration into permanant
1 |
firewall-cmd --runtime-to-permanent |