CentOS 7 Firewall CLI Commands | This post is mostly a reference of CLI commands for working with firewall rules on CentOS 7.
CentOS 7 uses firewalld instead of a hand-maintained iptables ruleset (firewalld still programs iptables underneath, but you no longer edit the rules directly). firewalld is the complete firewall solution installed by default on CentOS 7 servers. This reference covers how to set up various firewall rules for your server using the firewall-cmd administrative tool. You can find out more by reading the guide from DigitalOcean.
What are Zones?
The firewalld daemon manages groups of rules using entities called “zones”. A zone is a set of rules dictating what traffic should be allowed, based on the level of trust you place in the network your computer is connected to. Each network interface is assigned to a zone, and that zone's rules decide what the firewall allows on that interface.
Turn On Firewalld
Before we can begin to create our firewall rules, we need to actually turn the daemon on. The systemd unit file is called firewalld.service. We can start the daemon for this session by typing (run systemctl enable firewalld.service as well if you want it to start at boot):
sudo systemctl start firewalld.service
We can verify that the service is running and reachable by typing firewall-cmd --state, which should print running.
This indicates that our firewall is up and running with the default configuration.
Find your Active Zone
Use firewall-cmd --get-active-zones to find your active zone(s); it prints each active zone followed by the interfaces assigned to it.
It will say public, dmz, or something else. Apply rules only to the zones that actually need them: opening a port in every zone widens your exposure for no benefit.
List All Firewall Zones
You can list every zone firewalld knows about with firewall-cmd --get-zones, and check which zone you are using (the default zone) with firewall-cmd --list-all.
Opening a Firewall Port
In the case of dmz try:
firewall-cmd --zone=dmz --add-port=2888/tcp --permanent
Otherwise, substitute dmz for your zone, for example, if your zone is public:
firewall-cmd --zone=public --add-port=2888/tcp --permanent
Then remember to reload the firewall with firewall-cmd --reload for the change to take effect: --permanent writes the rule to the saved configuration only, so the running firewall does not see it until you reload (or until you also run the same command without --permanent).
If the port belongs to a service firewalld already knows about (firewall-cmd --get-services lists them), you can add the service instead of the raw port:
firewall-cmd --permanent --zone=public --add-service=http
and then reload the firewall as above.
Again, you can check which zone you are using with firewall-cmd --list-all and change the default zone with firewall-cmd --set-default-zone=<zone>.
You will then know which zone to allow a service (or port) on:
firewall-cmd --permanent --zone=<zone> --add-service=http
firewall-cmd --permanent --zone=<zone> --add-port=80/tcp
You can check whether the port or service has actually been opened by running:
firewall-cmd --zone=<zone> --query-port=80/tcp
firewall-cmd --zone=<zone> --query-service=http
Both commands inspect the running firewall, so if you only added the rule with --permanent and have not reloaded yet they will answer no; add --permanent to the query to inspect the saved configuration instead.
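The steps above (pick a zone, add a port or service, make it permanent, verify it) as one script. This is an added example for this post, not code from the original page or from the firewalld project. It assumes a CentOS 7 host with firewalld installed and permission to run firewall-cmd; the FIREWALL_CMD variable and the helper names (valid_zone, valid_port_spec, apply_and_verify and so on) are this script's own conventions. It goes slightly beyond the post in two ways: it validates the zone, port spec and service name before touching the firewall, and it applies each rule both at runtime and with --permanent instead of relying on --reload, which is equivalent but does not discard any runtime-only rules that may already be present.

```shell
#!/bin/bash
# open_fw.sh: open a port or service in a firewalld zone on CentOS 7, in both
# the running firewall and the permanent configuration, then verify it took.
# Added example for this post, not the page's own code. Assumes firewalld is
# installed and that firewall-cmd may be run (as root or via sudo).

# FIREWALL_CMD may be overridden, e.g. FIREWALL_CMD="sudo firewall-cmd" when not
# root, or pointed at a stub for offline testing. This indirection is this
# script's own convention, not a firewalld feature.
: "${FIREWALL_CMD:=firewall-cmd}"
fw() { $FIREWALL_CMD "$@"; }

# Accept only <1-65535>/tcp or <1-65535>/udp so a typo never reaches firewall-cmd.
valid_port_spec() {
    spec="$1"
    case "$spec" in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    port="${spec%/*}"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# The zone must be one firewalld knows (firewall-cmd --get-zones). Checking first
# gives a clearer error than INVALID_ZONE and avoids a half-applied change.
valid_zone() {
    for z in $(fw --get-zones); do
        [ "$z" = "$1" ] && return 0
    done
    return 1
}

# Named services must come from firewall-cmd --get-services.
valid_service() {
    for s in $(fw --get-services); do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# Apply one --add-* option at runtime and permanently, then confirm with the
# matching --query-* option. Querying without --permanent inspects the running
# firewall, which is what clients actually hit. --permanent alone is not live
# until a reload, and a reload drops runtime-only rules, so doing both avoids
# either surprise.
apply_and_verify() {
    zone="$1" add_opt="$2" query_opt="$3"
    fw --zone="$zone" "$add_opt"             >/dev/null || return 1
    fw --zone="$zone" "$add_opt" --permanent >/dev/null || return 1
    [ "$(fw --zone="$zone" "$query_opt")" = "yes" ]
}

# open_port ZONE PORT/PROTO      e.g. open_port dmz 2888/tcp
open_port() {
    valid_zone "$1"      || { echo "unknown zone: $1" >&2; return 2; }
    valid_port_spec "$2" || { echo "bad port spec: $2 (want e.g. 2888/tcp)" >&2; return 2; }
    apply_and_verify "$1" "--add-port=$2" "--query-port=$2"
}

# open_service ZONE SERVICE      e.g. open_service public http
open_service() {
    valid_zone "$1"    || { echo "unknown zone: $1" >&2; return 2; }
    valid_service "$2" || { echo "unknown service: $2" >&2; return 2; }
    apply_and_verify "$1" "--add-service=$2" "--query-service=$2"
}

# Command-line use: ./open_fw.sh ZONE 2888/tcp   or   ./open_fw.sh ZONE http
if [ $# -eq 2 ]; then
    case "$2" in
        */*) open_port "$1" "$2" ;;
        *)   open_service "$1" "$2" ;;
    esac
fi
```

Run it as root (or with FIREWALL_CMD="sudo firewall-cmd") as ./open_fw.sh dmz 2888/tcp or ./open_fw.sh public http; a non-zero exit means either the input was rejected before anything changed or the final --query-* check did not answer yes. If you prefer the post's --permanent followed by --reload sequence, remember that --reload replaces the running rules with the saved ones, so anything added only at runtime disappears.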
Banner image from http://amazeyourlife.com/wp-content/uploads/2016/07/firewall.png – 2/15/2017