How to open a port in the firewall on CentOS or RHEL

Question: I am running a web/file server on my CentOS box, and to access the server remotely, I need to modify a firewall to allow access to a TCP port on the box. What is a proper way to open a TCP/UDP port in the firewall of CentOS/RHEL?

Out of the box, enterprise Linux distributions such as CentOS or RHEL come with a powerful firewall built-in, and their default firewall rules are pretty restrictive. Thus if you install any custom services (e.g., web server, NFS, Samba), chances are their traffic will be blocked by the firewall rules. You need to open up necessary ports on the firewall to allow their traffic.

On CentOS/RHEL 6 or earlier, the iptables service allows users to interact with netfilter kernel modules to configure firewall rules in the user space. Starting with CentOS/RHEL 7, however, a new userland interface called firewalld has been introduced to replace iptables service.

To check the current firewall rules, use this command:

$ sudo iptables -L

Now let's see how we can update the firewall to open a port on CentOS/RHEL.

Open a Port on CentOS/RHEL 7

Starting with CentOS and RHEL 7, firewall rule settings are managed by firewalld service daemon. A command-line client called firewall-cmd can talk to this daemon to update firewall rules permanently.

To open up a new port (e.g., TCP/80) permanently, use these commands.

$ sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
$ sudo firewall-cmd --reload

Without "--permanent" flag, the firewall rule would not persist across reboots.

Check the updated rules with:

$ firewall-cmd --list-all

Open a Port on CentOS/RHEL 6

On CentOS/RHEL 6 or earlier, the iptables service is responsible for maintaining firewall rules.

Use iptables command to open up a new TCP/UDP port in the firewall. To save the updated rule permanently, you need the second command.

$ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo service iptables save

Another way to open up a port on CentOS/RHEL 6 is to use a terminal-user interface (TUI) firewall client, named system-config-firewall-tui.

$ sudo system-config-firewall-tui

Choose "Customize" button in the middle and press ENTER.

If you are trying to update the firewall for any well-known service (e.g., web server), you can easily enable the firewall for the service here, and close the tool. If you are trying to open up any arbitrary TCP/UDP port, choose "Forward" button and go to a next window.

Add a new rule by choosing "Add" button.

Specify a port (e.g., 80) or port range (e.g., 3000-3030), and protocol (e.g., tcp or udp).

Finally, save the updated configuration, and close the tool. At this point, the firewall will be saved permanently.

Download this article as ad-free PDF (made possible by your kind donation): 
Download PDF

Subscribe to Ask Xmodulo

Do you want to receive Linux related questions & answers published at Ask Xmodulo? Enter your email address below, and we will deliver our Linux Q&A straight to your email box, for free. Delivery powered by Google Feedburner.


Support Xmodulo

Did you find this tutorial helpful? Then please be generous and support Xmodulo!

5 thoughts on “How to open a port in the firewall on CentOS or RHEL

  1. Please let me know what is the -m string in iptables command:

    $ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT

    Thanks,
    Bharat Lalwani

    • "-m" or --match option is followed by the matching module name (e.g., tcp). After "-m tcp", you can specify extra options related to TCP (e.g., --dport 80).

  2. #####Quick Config (CentOS)#####
    yum update -y
    yum install libevent python-devel
    yum install openssl-devel
    yum install swig
    pip install M2Crypto
    yum install python-setuptools && easy_install pip
    pip install shadowsocks

    nano /etc/shadowsocks.json

    {
    "server":"IP_ADDRESS",
    "server_port":12657,
    "local_address": "127.0.0.1",
    "local_port":1080,
    "password":"123456",
    "timeout":300,
    "method":"aes-192-cfb",
    "fast_open": false,
    "workers": 1
    }

    iptables -I INPUT -p tcp -m tcp --dport 12657 -j ACCEPT
    service iptables save

    ssserver -c /etc/shadowsocks.json -d start
    ssserver -c /etc/shadowsocks.json -d stop

  3. Why does no one ever tell how to get the $ prompt? Everyone assumes this is general knowledge and it is not. Try searching for it on Google.

    If you're going to explain something, Please Explain It All.

    • @ScubaGolfjim, you get $ prompt when you login as other user other than root, for instant login as scubagolfjim.

Leave a comment

Your email address will not be published. Required fields are marked *