375

I am using CentOS 7 and I have to ensure that ports 2888 and 3888 are open.

I read this article, but it did not work because on CentOS 7 there is no iptables save command.

Someone told me that the above URL is not valid for CentOS 7 and that I should follow this. But this article is not clear to me on exactly what command I need to execute.

I also found

firewall-cmd --zone=public --add-port=2888/tcp 

but this does not survive reboots.

So how can I open the ports and make it survive reboots?

Knows Not Much
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. – jww Dec 20 '17 at 19:16

12 Answers

724

Use this command to find your active zone(s):

firewall-cmd --get-active-zones

It will say either public, dmz, or something else. You should only apply to the zones required.

In the case of public try:

firewall-cmd --zone=public --add-port=2888/tcp --permanent

Then remember to reload the firewall for changes to take effect.

firewall-cmd --reload

Otherwise, substitute public for your zone, for example, if your zone is dmz:

firewall-cmd --zone=dmz --add-port=2888/tcp --permanent
ganeshragav
  • I used this command but it didn't work for me; what did was changing `--zone=dmz` to `--zone=public`. – Tom Hall Sep 25 '14 at 06:04
  • Yes, it is useful to use public too. Please check the command below by Sotsir for correction too. – ganeshragav Sep 30 '14 at 22:33
  • Neither of the top two answers here actually explain what `--permanent` does, they just say to do it. Both would be more complete and useful answers if it was explained how the answer works. From one of OP's resources: _"The rules can be made permanent by adding the --permanent option[...]. If the rules are not made permanent then they need to be applied every time after receiving the start, restart or reload message from firewalld using D-BUS."_ – dKen Mar 03 '15 at 10:25
  • Don't just blindly enable ports in all zones until you hit the right one, please. Use `firewall-cmd --get-active-zones` to find out what zone is used on your system. Also, man firewall-cmd. – basic6 Apr 14 '15 at 21:27
  • Could you share the version of OS you were using, and provide the output of the command `which firewall-cmd`? – ganeshragav Jun 29 '15 at 04:17
  • @TomHall See [my answer](http://stackoverflow.com/a/26681238/616644) to explain why that is true. – Rick Smith Nov 13 '15 at 19:52
  • In reading the [fedora documentation](https://fedoraproject.org/wiki/FirewallD#Permanent_zone_handling) it states `The --permanent option needs to be the first option for all permanent calls`. I didn't get any error using the above, but I'm not sure if this may cause issues for someone else. – Marc Oct 19 '16 at 23:21
  • Check the active zone first: `firewall-cmd --get-active-zones`. If it is `public`: `firewall-cmd --permanent --zone=public --add-port=2888/tcp`, or something else. – WesternGun Dec 15 '17 at 09:09
  • I am using ssh for accessing a VPN and want to open a port; it gives "FirewallD is not running". – Rahul Tathod Sep 22 '18 at 06:16
  • `--get-active-zones` is useful: simply using `--zone=public` wasn't working for me on a CentOS 7.9 server with Plesk installed. Changing to the zone found by `--get-active-zones`, in this case `plesk`, did the trick. – Arno Visser Nov 09 '22 at 17:12
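An added example, not code from the answer above: a script that carries out these steps with the checks the comments ask for. It refuses any zone that --get-active-zones does not list (the Plesk situation described in the comments), queries before adding so a second run is a no-op, writes the permanent rule and then applies the same rule to the runtime config rather than calling --reload, since a reload discards runtime-only rules (the --runtime-to-permanent answer further down relies on the same distinction), and finally verifies with --query-port. The script name, the FWCMD variable and the exit codes are this example's own assumptions.

```bash
#!/bin/sh
# open-ports.sh (added example): open ports in ONE firewalld zone, both in the
# permanent config and at runtime, then verify. Run as root.
# FWCMD is an assumption of this example: it lets a dry run or a test
# substitute a stand-in for firewall-cmd.
FWCMD="${FWCMD:-firewall-cmd}"

# Zone names from --get-active-zones. A zone line is unindented; the
# "interfaces:" / "sources:" line beneath it is indented.
active_zones() {
    "$FWCMD" --get-active-zones | awk '!/^[ \t]/ { print $1 }'
}

zone_is_active() {   # zone
    active_zones | grep -qx -- "$1"
}

port_is_open() {     # zone port/proto  (runtime config)
    "$FWCMD" --zone="$1" --query-port="$2" >/dev/null 2>&1
}

# open_port ZONE PORT/PROTO
# 0: open at runtime and saved permanently; 1: zone not active; 2: firewall-cmd failed.
open_port() {
    zone=$1; port=$2
    if ! zone_is_active "$zone"; then
        echo "zone '$zone' is not bound to any interface or source; refusing" >&2
        return 1
    fi
    # --permanent only edits /etc/firewalld/zones/$zone.xml; runtime is untouched.
    # Query first so a repeat run does not log an ALREADY_ENABLED warning.
    if ! "$FWCMD" --permanent --zone="$zone" --query-port="$port" >/dev/null 2>&1; then
        "$FWCMD" --permanent --zone="$zone" --add-port="$port" >/dev/null || return 2
    fi
    # Apply the same rule at runtime instead of --reload: a reload would throw
    # away any runtime-only rules someone has not yet saved.
    if ! port_is_open "$zone" "$port"; then
        "$FWCMD" --zone="$zone" --add-port="$port" >/dev/null || return 2
    fi
    port_is_open "$zone" "$port"
}

# open_ports ZONE PORT/PROTO...  (stops at the first failure)
open_ports() {
    [ $# -ge 2 ] || { echo "usage: open_ports ZONE PORT/PROTO..." >&2; return 64; }
    zone=$1; shift
    for p in "$@"; do
        open_port "$zone" "$p" || return $?
        echo "open: $p in zone $zone (runtime + permanent)"
    done
}

if [ $# -ne 0 ]; then
    open_ports "$@"
fi
```

Run it as root, for example `sudo ./open-ports.sh "$(firewall-cmd --get-default-zone)" 2888/tcp 3888/tcp`. When the default zone is not an active one, the script stops instead of silently editing a zone no interface uses, and `firewall-cmd --get-active-zones` tells you which zone to pass instead.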
121

The answer by ganeshragav is correct, but it is also useful to know that you can use:

firewall-cmd --permanent --zone=public --add-port=2888/tcp 

but if it is a known service, you can use:

firewall-cmd --permanent --zone=public --add-service=http 

and then reload the firewall

firewall-cmd --reload

[ Answer modified to reflect Martin Peter's comment, original answer had --permanent at end of command line ]

Sotsir
  • I wouldn't rely on using the `--permanent` option at the end of the statement. The documentation explicitly points out that it should be the first option. – Martin Peter Oct 20 '14 at 18:31
  • @MartinPeter `man firewall-cmd` gives no such indication on my machine (Fedora 21). – Jonathon Reinhart Jun 02 '15 at 22:24
  • @JonathonReinhart I'm referring to [Fedora's FirewallD Wiki](https://fedoraproject.org/wiki/FirewallD#Permanent_zone_handling) stating: `The --permanent option needs to be the first option for all permanent calls.` – Martin Peter Jun 03 '15 at 13:27
  • It gives me "FirewallD not running". – Rahul Tathod Sep 22 '18 at 06:16
51

CentOS (RHEL) 7 has changed the firewall to use firewall-cmd, which has a notion of zones, which is like the Windows version of Public, Home, and Private networks. You should look here to figure out which one you think you should use. EL7 uses public by default, so that is what my examples below use.

You can check which zone you are using with firewall-cmd --list-all and change it with firewall-cmd --set-default-zone=<zone>.

You will then know what zone to allow a service (or port) on:

firewall-cmd --permanent --zone=<zone> --add-service=http

firewall-cmd --permanent --zone=<zone> --add-port=80/tcp

You can check if the port has actually been opened by running:

firewall-cmd --zone=<zone> --query-port=80/tcp

firewall-cmd --zone=<zone> --query-service=http

According to the documentation,

When making changes to the firewall settings in Permanent mode, your selection will only take effect when you reload the firewall or the system restarts.

You can reload the firewall settings with: firewall-cmd --reload.

Rick Smith
32

Fedora: did it via iptables

sudo iptables -I INPUT -p tcp --dport 3030 -j ACCEPT
sudo service iptables save

Seems to work

Joviano Dias
29

To view open ports, use the following command.

firewall-cmd --list-ports

We use the following to see services whose ports are open.

firewall-cmd --list-services

We use the following to see services whose ports are open and see open ports

firewall-cmd --list-all

To add a service to the firewall, we use the following command, in which case whatever ports the service defines are opened in the firewall:

firewall-cmd --add-service=ntp

For this service to be permanently open we use the following command:

firewall-cmd --add-service=ntp --permanent

To add a port, use the following command:

firewall-cmd --add-port=132/tcp --permanent

For the changes to take effect, the firewall must be reloaded using the following command:

firewall-cmd --reload

Ya Ali

Hasan Barary
15

While ganeshragav and Sotsir provide correct and directly applicable approaches, it is useful to note that you can add your own services to /etc/firewalld/services. For inspiration, look at /usr/lib/firewalld/services/, where firewalld's predefined services are located.

The advantage of this approach is that later you will know why these ports are open, as you've described it in the service file. Also, you can now apply it to any zone without the risk of typos. Furthermore, changes to the service will not need to be applied to all zones separately, but just to the service file.

For example, you can create /etc/firewalld/services/foobar.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FooBar</short>
  <description>
    This option allows you to create FooBar connections between
    your computer and mobile device. You need to have FooBar
    installed on both sides for this option to be useful.
  </description>
  <port protocol="tcp" port="2888"/>
  <port protocol="tcp" port="3888"/>
</service>

(For information about the syntax, do man firewalld.service.)

Once this file is created, you can firewall-cmd --reload to have it become available and then permanently add it to some zone with

firewall-cmd --permanent --zone=<zone> --add-service=foobar

followed with firewall-cmd --reload to make it active right away.

equaeghe
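As an added example rather than code from this answer, the following script writes such a service file from a list of port/protocol entries, checking every entry before anything is written so that a typo fails here instead of when firewalld parses the file. It also accepts the LOW-HIGH port ranges that firewalld.service allows, which the hand-written file above does not use. SERVICES_DIR, the function names and the exit codes are assumptions of the example.

```bash
#!/bin/sh
# make-service.sh (added example): write a firewalld service definition
# (syntax: man firewalld.service) from a name, a short label, a description and
# a list of PORT/PROTO or LOW-HIGH/PROTO entries, validating each entry first.
# SERVICES_DIR is an assumption of this example so it can be pointed at a
# scratch directory for a dry run; firewalld itself reads /etc/firewalld/services.
SERVICES_DIR="${SERVICES_DIR:-/etc/firewalld/services}"

port_ok() {          # a single port number 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_port_spec() {  # 2888/tcp or 2888-3888/udp; protocols firewalld.service accepts
    case "$1" in */*) ;; *) return 1 ;; esac
    port=${1%/*}; proto=${1#*/}
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case "$port" in
        *-*) port_ok "${port%-*}" && port_ok "${port#*-}" && [ "${port%-*}" -le "${port#*-}" ] ;;
        *)   port_ok "$port" ;;
    esac
}

# Escape the characters that would break the XML if they appear in free text.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# write_service NAME SHORT DESCRIPTION PORT/PROTO...  -> prints the file path
write_service() {
    [ $# -ge 4 ] || { echo "usage: write_service NAME SHORT DESCRIPTION PORT/PROTO..." >&2; return 64; }
    name=$1; short=$2; desc=$3; shift 3
    # The name becomes the file name and the --add-service argument: keep it plain.
    case "$name" in ''|*[!A-Za-z0-9_-]*) echo "bad service name: '$name'" >&2; return 1 ;; esac
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    out="$SERVICES_DIR/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$out"
    echo "$out"
}

if [ $# -ne 0 ]; then
    write_service "$@"
fi
```

After the file is written, `firewall-cmd --reload` makes the service name known, and `firewall-cmd --permanent --zone=<zone> --add-service=<name>` followed by another `--reload` opens it, exactly as the answer describes.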
5

The top answers here work, but I found something more elegant in Michael Hampton's answer to a related question. The "new" (firewalld-0.3.9-11+) --runtime-to-permanent option to firewall-cmd lets you create runtime rules and test them out before making them permanent:

$ firewall-cmd --zone=<zone> --add-port=2888/tcp
<Test it out>
$ firewall-cmd --runtime-to-permanent

Or to revert the runtime-only changes:

$ firewall-cmd --reload

Also see Antony Nguyen's comment. Apparently firewall-cmd --reload may not work properly in some cases where rules have been removed. In that case, he suggests restarting the firewalld service:

$ systemctl restart firewalld
Neal Gokli
3

If you have multiple ports to allow in CentOS 7 firewalld, you can use the following command:

# brace expansion yields one --add-port= argument per port
firewall-cmd --add-port={2888/tcp,3888/tcp} --permanent

firewall-cmd --reload

And check whether the ports are open after reloading the firewall:

firewall-cmd --list-ports

For other configuration: Linuxwindo.com
2

Hello. In CentOS 7 firewall-cmd, yes, correct: if you use firewall-cmd --zone=public --add-port=2888/tcp but then reload the firewall with firewall-cmd --reload,

your config will not be saved.

You need to add the key:

firewall-cmd --permanent --zone=public --add-port=2888/tcp

Inv0k-er
1

If you are familiar with the iptables service like in CentOS 6 or earlier, you can still use the iptables service by installing it manually:

step 1 => install epel repo

yum install epel-release

step 2 => install iptables service

yum install iptables-services

step 3 => stop firewalld service

systemctl stop firewalld

step 4 => disable firewalld service on startup

systemctl disable firewalld

step 5 => start iptables service

systemctl start iptables

step 6 => enable iptables on startup

systemctl enable iptables

Finally, you can now edit your iptables config at /etc/sysconfig/iptables.

So: edit rule -> reload/restart.

This works like older CentOS, with the same function as firewalld.

dek.tiram
0

Firewalld is a bit non-intuitive for the iptables veteran. For those who prefer an iptables-driven firewall with iptables-like syntax in an easily configurable tree, try replacing firewalld with fwtree: https://www.linuxglobal.com/fwtree-flexible-linux-tree-based-firewall/ and then do the following:

 # the conntrack match option is --ctstate
 echo '-p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT' > /etc/fwtree.d/filter/INPUT/80-allow.rule
 systemctl reload fwtree