Open firewall port on CentOS 7
I am using CentOS 7 and I have to ensure that ports 2888 and 3888 are open.
I read this article but this did not work because on CentOS 7 OS there is no
iptables save command.
Someone told me that the above URL is not valid for CentOS 7. and I should follow this. But this article is not clear to me on exactly what command I need to execute.
I also found
firewall-cmd --zone=public --add-port=2888/tcp
but this does not survive reboots.
So how can I open the ports and make it survive reboots?
Use this command to find your active zone(s):
It will say either public, dmz, or something else. You should only apply to the zones required.
In the case of public try:
firewall-cmd --zone=public --add-port=2888/tcp --permanent
Then remember to reload the firewall for changes to take effect.
Otherwise, substitute public for your zone, for example, if your zone is dmz:
firewall-cmd --zone=dmz --add-port=2888/tcp --permanent
Read more… Read less…
The answer by ganeshragav is correct, but it is also useful to know that you can use:
firewall-cmd --permanent --zone=public --add-port=2888/tcp
but if is a known service, you can use:
firewall-cmd --permanent --zone=public --add-service=http
and then reload the firewall
[ Answer modified to reflect Martin Peter's comment, original answer had
--permanent at end of command line ]
CentOS (RHEL) 7, has changed the firewall to use
firewall-cmd which has a notion of zones which is like a Windows version of Public, Home, and Private networks. You should look here to figure out which one you think you should use. EL7 uses
public by default so that is what my examples below use.
You can check which zone you are using with
firewall-cmd --list-all and change it with
You will then know what zone to allow a service (or port) on:
firewall-cmd --permanent --zone=<zone> --add-service=http
firewall-cmd --permanent --zone=<zone> --add-port=80/tcp
You can check if the port has actually be opened by running:
firewall-cmd --zone=<zone> --query-port=80/tcp
firewall-cmd --zone=<zone> --query-service=http
According to the documentation,
When making changes to the firewall settings in Permanent mode, your selection will only take effect when you reload the firewall or the system restarts.
You can reload the firewall settings with:
Fedora, did it via
sudo iptables -I INPUT -p tcp --dport 3030 -j ACCEPT sudo service iptables save
Seems to work
To view open ports, use the following command.
We use the following to see services whose ports are open.
We use the following to see services whose ports are open and see open ports
To add a service to the firewall, we use the following command, in which case the service will use any port to open in the firewall.
For this service to be permanently open we use the following command.
firewall-cmd —add-service=ntp --permanent
To add a port, use the following command
firewall-cmd --add-port=132/tcp --permanent
To run the firewall must be reloaded using the following command.
While ganeshragav and Sotsir provide correct and directly applicable approaches, it is useful to note that you can add your own services to
/etc/firewalld/services. For inspiration, look at
/usr/lib/firewalld/services/, where firewalld's predefined services are located.
The advantage of this approach is that later you will know why these ports are open, as you've described it in the service file. Also, you can now apply it to any zone without the risk of typos. Furthermore, changes to the service will not need to be applied to all zones separately, but just to the service file.
For example, you can create
<?xml version="1.0" encoding="utf-8"?> <service> <short>FooBar</short> <description> This option allows you to create FooBar connections between your computer and mobile device. You need to have FooBar installed on both sides for this option to be useful. </description> <port protocol="tcp" port="2888"/> <port protocol="tcp" port="3888"/> </service>
(For information about the syntax, do
Once this file is created, you can
firewall-cmd --reload to have it become available and then permanently add it to some zone with
firewall-cmd --permanent --zone=<zone> --add-service=foobar
firewall-cmd --reload to make it active right away.