Open firewall port on CentOS 7


I am using CentOS 7 and I have to ensure that ports 2888 and 3888 are open.

I read this article but this did not work because on CentOS 7 OS there is no iptables save command.

Someone told me that the above URL is not valid for CentOS 7. and I should follow this. But this article is not clear to me on exactly what command I need to execute.

I also found

firewall-cmd --zone=public --add-port=2888/tcp 

but this does not survive reboots.

So how can I open the ports and make it survive reboots?

8/14/2018 9:39:59 AM

Accepted Answer

Use this command to find your active zone(s):

firewall-cmd --get-active-zones

It will say either public, dmz, or something else. You should only apply to the zones required.

In the case of public try:

firewall-cmd --zone=public --add-port=2888/tcp --permanent

Then remember to reload the firewall for changes to take effect.

firewall-cmd --reload

Otherwise, substitute public for your zone, for example, if your zone is dmz:

firewall-cmd --zone=dmz --add-port=2888/tcp --permanent
3/27/2018 8:06:10 PM

The answer by ganeshragav is correct, but it is also useful to know that you can use:

firewall-cmd --permanent --zone=public --add-port=2888/tcp 

but if is a known service, you can use:

firewall-cmd --permanent --zone=public --add-service=http 

and then reload the firewall

firewall-cmd --reload

[ Answer modified to reflect Martin Peter's comment, original answer had --permanent at end of command line ]


CentOS (RHEL) 7, has changed the firewall to use firewall-cmd which has a notion of zones which is like a Windows version of Public, Home, and Private networks. You should look here to figure out which one you think you should use. EL7 uses public by default so that is what my examples below use.

You can check which zone you are using with firewall-cmd --list-all and change it with firewall-cmd --set-default-zone=<zone>.

You will then know what zone to allow a service (or port) on:

firewall-cmd --permanent --zone=<zone> --add-service=http

firewall-cmd --permanent --zone=<zone> --add-port=80/tcp

You can check if the port has actually be opened by running:

firewall-cmd --zone=<zone> --query-port=80/tcp

firewall-cmd --zone=<zone> --query-service=http

According to the documentation,

When making changes to the firewall settings in Permanent mode, your selection will only take effect when you reload the firewall or the system restarts.

You can reload the firewall settings with: firewall-cmd --reload.


Fedora, did it via iptables

sudo iptables -I INPUT -p tcp --dport 3030 -j ACCEPT
sudo service iptables save

Seems to work


To view open ports, use the following command.

firewall-cmd --list-ports

We use the following to see services whose ports are open.

firewall-cmd --list-services

We use the following to see services whose ports are open and see open ports

firewall-cmd --list-all

To add a service to the firewall, we use the following command, in which case the service will use any port to open in the firewall.

firewall-cmd --add-services=ntp 

For this service to be permanently open we use the following command.

firewall-cmd —add-service=ntp --permanent 

To add a port, use the following command

firewall-cmd --add-port=132/tcp  --permanent

To run the firewall must be reloaded using the following command.

firewall-cmd --reload

Ya Ali


While ganeshragav and Sotsir provide correct and directly applicable approaches, it is useful to note that you can add your own services to /etc/firewalld/services. For inspiration, look at /usr/lib/firewalld/services/, where firewalld's predefined services are located.

The advantage of this approach is that later you will know why these ports are open, as you've described it in the service file. Also, you can now apply it to any zone without the risk of typos. Furthermore, changes to the service will not need to be applied to all zones separately, but just to the service file.

For example, you can create /etc/firewalld/services/foobar.xml:

<?xml version="1.0" encoding="utf-8"?>
    This option allows you to create FooBar connections between
    your computer and mobile device. You need to have FooBar
    installed on both sides for this option to be useful.
  <port protocol="tcp" port="2888"/>
  <port protocol="tcp" port="3888"/>

(For information about the syntax, do man firewalld.service.)

Once this file is created, you can firewall-cmd --reload to have it become available and then permanently add it to some zone with

firewall-cmd --permanent --zone=<zone> --add-service=foobar

followed with firewall-cmd --reload to make it active right away.