For RHEL/CentOS Servers
- Manage FirewallD service.
// start firewalld service and enable loading on boot
$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld
// stop firewalld service and disable loading on boot
$ sudo systemctl stop firewalld
$ sudo systemctl disable firewalld
// list currently open ports
$ sudo firewall-cmd --list-ports
// list currently available zones
$ sudo firewall-cmd --get-zones
// list currently available services
$ sudo firewall-cmd --get-services
// list zone containing a specific network interface
$ sudo firewall-cmd --get-zone-of-interface=eth0
// open a port temporarily (applies immediately, but only for the current session)
$ sudo firewall-cmd --add-port 22000/tcp
// open a port permanently (not applied to the current session; takes effect only after firewalld is restarted)
$ sudo firewall-cmd --add-port 22000/tcp --permanent
// open a port range
$ sudo firewall-cmd --add-port 22000-22100/tcp --permanent
// manage traffic based on predefined rules for default/user-created network services
$ sudo firewall-cmd --zone=public --add-service=http --permanent
// restart firewalld to apply permanent changes
$ sudo systemctl restart firewalld
For Ubuntu/Debian Servers
- Manage UFW (Uncomplicated Firewall) service.
// disable firewall
$ sudo ufw disable
// enable firewall
$ sudo ufw enable
// open a port
$ sudo ufw allow 22000/tcp
// open a port range
$ sudo ufw allow 22000:22100/tcp
For On-Cloud Servers
- In general, OS firewalls are not active on cloud servers. Instead, the firewall is managed by the vendor, and you will have to open ports through the cloud admin panel's network security settings.
- AWS EC2 users: see "Open Firewall Ports of AWS EC2 Instances".
For On-Prem Servers
- Firewall implementations on on-prem servers vary widely, and the best way to open traffic through them is to make a formal request to your IT Help Desk or Sys Admins, specifying which host IP and port ranges you want opened.
- Note that even within the same network there can be multiple subnets, and the subnet your server belongs to might not be reachable from other subnets. Be mindful of such cases and work through them with your Sys Admins.
❔ Relationship between iptables, nftables, firewalld, and ufw
- All of the above tools are capable of managing firewall rules on Linux servers.
- At the Linux kernel module level, access to and from the network stack is controlled by Netfilter. The primary CLI tool for managing Netfilter hooks was iptables, whose ruleset lets you write arbitrarily complex firewall rules for any large-scale network. nftables was introduced in 2014 as a replacement for iptables; both tools are rich in advanced features. firewalld and ufw are user-friendly, higher-level front ends to Netfilter that are primarily designed for single-machine use cases.
❔ FirewallD Configuration Sets
- FirewallD works with two configuration sets: Runtime and Permanent.
- Permanent configs are defined with the --permanent flag, which makes a firewall rule apply after a restart of the FirewallD service.
- Firewall rules without the --permanent flag are taken as Runtime configs and take effect immediately in the current session. However, after a restart of the FirewallD service, these configs are lost.
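As an added example (not part of the original page), the following shell functions tie together the firewalld and ufw sections above with the Runtime/Permanent distinction: they validate a port or port range, then build the commands for the detected backend, adding the firewalld rule to both config sets so it is live now and survives a service restart. The commands are only printed for review; the function names are this example's own.

```shell
# validate_port_spec PORT | LOW-HIGH  -> succeeds only for a sane 1-65535 spec
validate_port_spec() {
  spec="$1"
  case "$spec" in
    *-*) low="${spec%-*}"; high="${spec#*-}" ;;
    *)   low="$spec";      high="$spec" ;;
  esac
  case "$low"  in ''|*[!0-9]*) return 1 ;; esac
  case "$high" in ''|*[!0-9]*) return 1 ;; esac
  [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]
}

# fw_open_cmds BACKEND PORT_SPEC PROTO [ZONE]
# BACKEND is firewalld or ufw; PORT_SPEC is e.g. 22000 or 22000-22100.
# Prints one command per line (to be run with sudo after review) or fails.
fw_open_cmds() {
  backend="$1"; spec="$2"; proto="$3"; zone="${4:-public}"
  validate_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
  case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
  case "$backend" in
    firewalld)
      # Runtime set: takes effect now. Permanent set: survives a restart.
      echo "firewall-cmd --zone=$zone --add-port=$spec/$proto"
      echo "firewall-cmd --zone=$zone --add-port=$spec/$proto --permanent"
      ;;
    ufw)
      # ufw writes ranges with a colon (22000:22100) and persists rules itself.
      echo "ufw allow $(printf '%s' "$spec" | tr - :)/$proto"
      ;;
    *) echo "unknown backend: $backend" >&2; return 1 ;;
  esac
}

# detect_backend -> firewalld | ufw | none, based on which CLI is installed
detect_backend() {
  if command -v firewall-cmd >/dev/null 2>&1; then echo firewalld
  elif command -v ufw >/dev/null 2>&1; then echo ufw
  else echo none; fi
}

# Usage: fw_open_cmds "$(detect_backend)" 22000-22100 tcp
```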
✅ Tested OS's: RHEL 7+, CentOS 7+, Ubuntu 18.04+, Debian 8+
✅ Tested Gear: Cloud (AWS EC2), On-Prem (Bare Metal)