firewall-cmd
firewall-cmd is used to manage firewall (iptables). It is used by default on latest version of CentOS, RHEL.
Check firewall status
To see if firewall is running of not use
firewall-cmd --state
or
systemctl status firewalld
To disable firewalls
systemctl stop firewalld systemctl disable firewalld
Open a port in firewall
To allow HTTP and HTTPS traffic, run
firewall-cmd --permanent --zone=public --add-service=http firewall-cmd --permanent --zone=public --add-service=https firewall-cmd --permanent --zone=public --add-service=ssh firewall-cmd --permanent --zone=public --add-port=25/tcp firewall-cmd --reload
Permanent option make the changes permanant. You need to reload firewall after using –permanent. If you want to open a port in current session and make it permanant, run the command with and with out –permanent.
Open a port range in firewall
firewall-cmd --zone=public --add-port=22-65535/tcp
Close a port in firewall
To close a port, you can use command same as you open with –add replaced with –remove.
firewall-cmd --permanent --zone=public --remove-service http firewall-cmd --permanent --zone=public --remove-port 25/tcp
Whitelist an IP address
firewall-cmd --zone=trusted --add-source=IP_ADDR_HERE
To remove an IP, use
firewall-cmd --zone=trusted --remove-source=IP_ADDR_HERE
Firewalld Zones
Zone is a collection of rules that can be applied to a specific interface. Some useful commands are
firewall-cmd --get-active-zones firewall-cmd --get-default-zone firewall-cmd --list-all-zones firewall-cmd --info-zone=public
Zones are stored in /usr/lib/firewalld/zones
Services
Services are pre-made rules for a specific application. Some useful commands are
firewall-cmd --get-services firewall-cmd --info-service SERVICE_NAME_HERE
Services are stoed in /usr/lib/firewalld/services/ or /etc/firewalld/services/.
Save run time configuration into permanant
firewall-cmd --runtime-to-permanent