By default, the RockyLinux/AlmaLinux/CentOS distros ship two firewall tools, iptables and firewalld. This article explains how to open and close a port with Firewalld on these distros. If you open and close a port with Firewalld, you do not also need to open and close it in iptables.
Problem
How to open and close a port on the RockyLinux server?
Solution
A. Check the Firewalld status
By default, the Firewalld package is already installed. Check its status with the command:
systemctl status firewalld

In the picture above you can see that the firewall on the server is already running. If Firewalld is not running yet, start and enable it with the command below:
systemctl enable --now firewalld
If the firewall package is not present on your server at all, install it with the command below:
yum install -y firewalld
B. Check the zones
Firewalld works with zones and services, whereas iptables works with chains and rules. A zone is a collection of rules that determines which network connections are permitted, based on the level of trust in the network connected to the system. Network interfaces and source addresses can be assigned to zones. To list the zones in firewalld and see which zone is the default, use the commands below:
firewall-cmd --get-zones
firewall-cmd --get-default-zone

The picture above shows 9 zones; their descriptions, sorted from most trusted to least trusted, can be seen in the picture below.

To view all settings for all zones, use the following command:
firewall-cmd --list-all-zones

But if you only want to view the ports opened in a specific zone, for example the public zone, use the following command:
firewall-cmd --zone=public --list-ports
C. Open the Port
Now, to open port 43210 for the TCP protocol, use the commands below:
firewall-cmd --add-port=43210/tcp --permanent
firewall-cmd --reload

Use the command below to see the ports that have been opened:
firewall-cmd --list-ports

D. Open the port from a certain IP
If you want to open a port for a certain IP only, for example to allow only host 192.168.56.100 to access port 22 on this server, use the commands below. The rule must be added with --permanent, because --reload restores the permanent configuration and would discard a runtime-only rule:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.56.100" port port="22" protocol="tcp" accept'
firewall-cmd --reload
firewall-cmd --list-rich-rules

If instead you want to reject host 192.168.56.100 when it tries to access port 22, use the commands below:
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.56.100" port port="22" protocol="tcp" reject'
firewall-cmd --reload
firewall-cmd --list-rich-rules

E. Close the port from a certain IP
If you want to withdraw the rule that opened a port for a certain IP, for example the rule that allowed host 192.168.56.100 to access port 22 on this server, use the commands below:
sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.56.100" port port="22" protocol="tcp" accept'
firewall-cmd --reload
firewall-cmd --list-rich-rules
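As an added example that is not part of the original article, the POSIX sh helpers below compose the rich rules from sections D and E from validated input, add them in a way that survives --reload, and compare the runtime and permanent port lists of a zone. They assume firewall-cmd is on PATH (only apply_rich_rule and check_drift call it); ZONE is a hypothetical environment variable that defaults to the public zone used on this page.

```sh
# Added example, not from the article: compose the rich rules of sections D/E
# safely, apply them so they survive --reload, and detect runtime/permanent drift.
# Assumes firewall-cmd on PATH (apply_rich_rule/check_drift only); ZONE is a
# hypothetical env var, defaulting to the public zone used on the page.
# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /prefix.
valid_ipv4() {
  case "$1" in ''|*[!0-9./]*) return 1 ;; esac
  addr=${1%%/*}; prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32   # no prefix given
  [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] 2>/dev/null || return 1
  done
}

# Return 0 if $1 is a port number in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print a rich rule for SRC PORT PROTO ACTION (accept, reject or drop);
# reject malformed input so it never reaches firewall-cmd.
build_rich_rule() {
  src=$1; port=$2; proto=$3; action=$4
  valid_ipv4 "$src" || { echo "bad source address: $src" >&2; return 1; }
  valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
  case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
  case "$action" in accept|reject|drop) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
  printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" %s\n' \
    "$src" "$port" "$proto" "$action"
}

# Add the rule permanently, reload, then confirm it is live. Adding without
# --permanent and then running --reload would silently discard the rule.
apply_rich_rule() {
  rule=$(build_rich_rule "$@") || return 1
  firewall-cmd --permanent --zone="${ZONE:-public}" --add-rich-rule="$rule" &&
    firewall-cmd --reload &&
    firewall-cmd --zone="${ZONE:-public}" --list-rich-rules | grep -F -- "$rule"
}

# Compare the ports open right now with those that will survive a reload.
check_drift() {
  run=$(firewall-cmd --zone="${ZONE:-public}" --list-ports | tr ' ' '\n' | sort)
  perm=$(firewall-cmd --permanent --zone="${ZONE:-public}" --list-ports | tr ' ' '\n' | sort)
  [ "$run" = "$perm" ] || { printf 'runtime/permanent mismatch:\n%s\n--\n%s\n' "$run" "$perm"; return 1; }
}
```

Removing an accept rule, as in section E, only withdraws the explicit allow: the host is then subject to the zone's remaining rules, so an open ssh service in that zone would still admit it.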

F. Close the port
Use the command below to close the newly opened port 43210:
firewall-cmd --remove-port=43210/tcp --permanent
firewall-cmd --reload

G. Open the service
Apart from ports, Firewalld can also open and close services on the server. To see the services that are currently open, use the command below:
firewall-cmd --list-services

You can see in the picture above that the distro opens only 3 services by default. To open the SMTP service, use the commands below:
firewall-cmd --add-service=smtp --permanent
firewall-cmd --reload

H. Close the service
To remove the SMTP service from Firewalld, use the commands below:
firewall-cmd --remove-service=smtp --permanent
firewall-cmd --reload

Note
If you use the openSUSE distro, you can use the same commands to open and close a port, as shown in the image below:
