Open firewall port on CentOS 7 [closed]

359
votes

I am using CentOS 7 and I have to ensure that ports 2888 and 3888 are open.

I read this article but this did not work because on CentOS 7 OS there is no iptables save command.

Someone told me that the above URL is not valid for CentOS 7. and I should follow this. But this article is not clear to me on exactly what command I need to execute.

I also found 

firewall-cmd --zone=public --add-port=2888/tcp

but this does not survive reboots.

So how can I open the ports and make it survive reboots?

12
centosportfirewall
Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See What topics can I ask about here in the Help Center. Perhaps Super User or Unix & Linux Stack Exchange would be a better place to ask.jww

12 Answers

690
votes

Use this command to find your active zone(s):

firewall-cmd --get-active-zones

It will say either public, dmz, or something else. You should only apply to the zones required.

In the case of public try:

firewall-cmd --zone=public --add-port=2888/tcp --permanent

Then remember to reload the firewall for changes to take effect.

firewall-cmd --reload

Otherwise, substitute public for your zone, for example, if your zone is dmz:

firewall-cmd --zone=dmz --add-port=2888/tcp --permanent
116
votes

The answer by ganeshragav is correct, but it is also useful to know that you can use:

firewall-cmd --permanent --zone=public --add-port=2888/tcp

but if is a known service, you can use:

firewall-cmd --permanent --zone=public --add-service=http

and then reload the firewall

firewall-cmd --reload

[ Answer modified to reflect Martin Peter's comment, original answer had --permanent at end of command line ]

50
votes

CentOS (RHEL) 7, has changed the firewall to use firewall-cmd which has a notion of zones which is like a Windows version of Public, Home, and Private networks. You should look here to figure out which one you think you should use. EL7 uses public by default so that is what my examples below use.

You can check which zone you are using with firewall-cmd --list-all and change it with firewall-cmd --set-default-zone=<zone>.

You will then know what zone to allow a service (or port) on:

firewall-cmd --permanent --zone=<zone> --add-service=http

firewall-cmd --permanent --zone=<zone> --add-port=80/tcp

You can check if the port has actually be opened by running:

firewall-cmd --zone=<zone> --query-port=80/tcp

firewall-cmd --zone=<zone> --query-service=http

According to the documentation,

When making changes to the firewall settings in Permanent mode, your selection will only take effect when you reload the firewall or the system restarts.

You can reload the firewall settings with: firewall-cmd --reload.

28
votes

Fedora, did it via iptables

sudo iptables -I INPUT -p tcp --dport 3030 -j ACCEPT
sudo service iptables save

Seems to work

26
votes

To view open ports, use the following command.

firewall-cmd --list-ports

We use the following to see services whose ports are open.

firewall-cmd --list-services

We use the following to see services whose ports are open and see open ports 

firewall-cmd --list-all

To add a service to the firewall, we use the following command, in which case the service will use any port to open in the firewall.

firewall-cmd --add-services=ntp

For this service to be permanently open we use the following command.

firewall-cmd —add-service=ntp --permanent

To add a port, use the following command

firewall-cmd --add-port=132/tcp  --permanent

To run the firewall must be reloaded using the following command.

firewall-cmd --reload

Ya Ali

14
votes

While ganeshragav and Sotsir provide correct and directly applicable approaches, it is useful to note that you can add your own services to /etc/firewalld/services. For inspiration, look at /usr/lib/firewalld/services/, where firewalld's predefined services are located.

The advantage of this approach is that later you will know why these ports are open, as you've described it in the service file. Also, you can now apply it to any zone without the risk of typos. Furthermore, changes to the service will not need to be applied to all zones separately, but just to the service file.

For example, you can create /etc/firewalld/services/foobar.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FooBar</short>
  <description>
    This option allows you to create FooBar connections between
    your computer and mobile device. You need to have FooBar
    installed on both sides for this option to be useful.
  </description>
  <port protocol="tcp" port="2888"/>
  <port protocol="tcp" port="3888"/>
</service>

(For information about the syntax, do man firewalld.service.)

Once this file is created, you can firewall-cmd --reload to have it become available and then permanently add it to some zone with

firewall-cmd --permanent --zone=<zone> --add-service=foobar

followed with firewall-cmd --reload to make it active right away.

8
votes

To view open ports, use the following command:

firewall-cmd --list-ports

We use the following to see services whose ports are open:

firewall-cmd --list-services

We use the following to see services whose ports are open and see open ports:

firewall-cmd --list-all

To add a service to the firewall, we use the following command, in which case the service will use any port to open in the firewall:

firewall-cmd --add-services=ntp

For this service to be permanently open we use the following command:

firewall-cmd -add-service=ntp --permanent

To add a port, use the following command:

firewall-cmd --add-port=132/tcp  --permanent
4
votes

The top answers here work, but I found something more elegant in Michael Hampton's answer to a related question. The "new" (firewalld-0.3.9-11+) --runtime-to-permanent option to firewall-cmd lets you create runtime rules and test them out before making them permanent:

$ firewall-cmd --zone=<zone> --add-port=2888/tcp
<Test it out>
$ firewall-cmd --runtime-to-permanent

Or to revert the runtime-only changes:

$ firewall-cmd --reload

Also see Antony Nguyen's comment. Apparently firewall-cmd --reload may not work properly in some cases where rules have been removed. In that case, he suggests restarting the firewalld service:

$ systemctl restart firewalld
2
votes

If you have multiple ports to allow in Centos 7 FIrewalld then we can use the following command.

#firewall-cmd --add-port={port number/tcp,port number/tcp} --permanent

#firewall-cmd --reload


And check the Port opened or not after reloading the firewall.


#firewall-cmd --list-port


For other configuration [Linuxwindo.com][1]
0
votes

If you are familiar with iptables service like in centos 6 or earlier, you can still use iptables service by manual installation:

step 1 => install epel repo

yum install epel-release

step 2 => install iptables service

yum install iptables-services

step 3 => stop firewalld service

systemctl stop firewalld

step 4 => disable firewalld service on startup

systemctl disable firewalld

step 5 => start iptables service

systemctl start iptables

step 6 => enable iptables on startup

systemctl enable iptables

finally you're now can editing your iptables config at /etc/sysconfig/iptables.

So -> edit rule -> reload/restart.

do like older centos with same function like firewalld.

0
votes

Firewalld is a bit non-intuitive for the iptables veteran. For those who prefer an iptables-driven firewall with iptables-like syntax in an easy configurable tree, try replacing firewalld with fwtree: https://www.linuxglobal.com/fwtree-flexible-linux-tree-based-firewall/ and then do the following:

 echo '-p tcp --dport 80 -m conntrack --cstate NEW -j ACCEPT' > /etc/fwtree.d/filter/INPUT/80-allow.rule
 systemctl reload fwtree
0
votes

Hello in Centos 7 firewall-cmd. Yes correct if you use firewall-cmd --zone=public --add-port=2888/tcp but if you reload firewal firewall-cmd --reload

your config not will be save

you need to add key

firewall-cmd --permanent --zone=public --add-port=2888/tcp