Since CentOS 7, iptables has been replaced by firewalld as the default firewall management tool, in the same way that service management moved to systemctl. For more information about systemctl, see: CentOS7 Systemctl Cheat Sheet
Please note that the iptables service and firewalld cannot run at the same time: if both are installed, starting one stops the other. The conflict is between the two services managing the rule set, not between the tools themselves; on CentOS 7 firewalld still programs iptables rules underneath. If you prefer the classic iptables service, install the iptables-services package.
Since CentOS 7, firewalld is built around the ideas of zones and services. A zone is a named set of firewall rules; each network interface (or source address range) is assigned to a zone, and that zone's rules apply to the traffic arriving on it. A service is a named bundle of ports and protocols (for example, http is TCP port 80) that you allow or deny within a zone.
CentOS 7 ships nine predefined zones: drop, block, public, external, dmz, work, home, internal and trusted.
For more information about each zone, please refer: Documentation - Zone - Predefined Zones | firewalld
As usual, we begin with -h, which lists a great many options:

firewall-cmd -h
Now it is important to know which zones exist on the server, which zone is the default, and which zones are active right now (an active zone is one that has an interface or source bound to it; the default zone handles any interface that is not explicitly assigned).

firewall-cmd --get-zones
firewall-cmd --get-default-zone
firewall-cmd --get-active-zones

We can see that right now our server is using the public zone.
Now list all the predefined services.

firewall-cmd --get-services

Check the current state of the firewall rules (without --zone this shows the default zone).

firewall-cmd --list-all

We can see that two services are currently allowed from anywhere: ssh and dhcpv6-client.
Let's add the http service to the firewall rules. Before we start, check the starting state. My destination server, blogdemo, has the IP 192.168.122.206; http is not in its firewall rules, but a web server is listening on port 80 and I can reach it from blogdemo itself. From my source server, coffee, connecting to blogdemo's port 80 fails.
Now add the http service to blogdemo's firewall rules. --zone=public is not mandatory (without it the command targets the default zone), but it is good practice to make the command as specific as possible.

firewall-cmd --add-service=http --zone=public
Now connecting to blogdemo's port 80 from coffee succeeds.
If we now reload firewalld, http disappears from the service list again. The command above changed only the runtime configuration held in memory; a reload discards runtime changes and re-reads the permanent configuration from /etc/firewalld/zones/public.xml, just as restarting iptables re-reads its saved rule file.

firewall-cmd --reload

Therefore, to add a service permanently, append --permanent to the command. The change is then written straight into the zone's .xml file, but it is not applied to the running firewall until the next reload, so reload right after (or run the command once with and once without --permanent). The steps are shown in the image below.

firewall-cmd --add-service=http --zone=public --permanent
Next we allow a particular IP for everything the zone permits, and a particular network for one service only. The first uses --add-source, which binds traffic from that address to the zone so that all of the zone's rules apply to it (this also lets a source be treated under a different zone than the interface it arrives on). The second uses --add-rich-rule; note that it names no zone, so it lands in the default zone. Do not forget to reload so the permanent rules take effect. To check rich rules, use --list-rich-rules.

firewall-cmd --add-source=192.168.122.1/32 --zone=public --permanent
firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.122.0/24 service name=ssh accept' --permanent
firewall-cmd --list-rich-rules
To remove rules, simply change add to remove. Again, don't forget to reload after --permanent changes. Note that the first command below has no --permanent, so it removes http from the runtime configuration only; the permanent entry added earlier survives and comes back on the next reload unless it is also removed with --permanent.

firewall-cmd --remove-service=http --zone=public
firewall-cmd --remove-source=192.168.122.1/32 --zone=public --permanent
firewall-cmd --remove-rich-rule='rule family=ipv4 source address=192.168.122.0/24 service name=ssh accept' --permanent
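The add/remove, --permanent and reload steps above are usually typed one at a time, which is how the runtime/permanent drift the post describes creeps in. The script below is an added example, not code from the original post, that puts the whole procedure into one idempotent, re-runnable baseline: each change is guarded by a --query-* check, the ssh rich rule is added before the zone-wide ssh service is removed so a reload cannot lock you out, and the last step compares the runtime and permanent views of the zone. The zone name "public", the admin network 192.168.122.0/24 (the post's lab subnet) and the FWCMD override are my assumptions; the firewall-cmd options used are the standard ones.

```shell
#!/bin/sh
# fw-baseline.sh: an idempotent firewalld baseline for a CentOS 7 host.
# Added example, not code from the original post. It follows the post's
# workflow (--permanent, then --reload) but wraps each step in a --query-*
# check so re-running it is harmless, and ends by comparing runtime with
# permanent configuration to catch drift.
#
# Assumptions (mine, not the post's): the active zone is "public" and the
# admin network is 192.168.122.0/24. Run as root. FWCMD lets a wrapper or a
# fake stand in for firewall-cmd (for example for a dry run).
set -eu

ZONE="${ZONE:-public}"
ADMIN_NET="${ADMIN_NET:-192.168.122.0/24}"
SSH_RULE="rule family=ipv4 source address=$ADMIN_NET service name=ssh accept"

fw() { "${FWCMD:-firewall-cmd}" "$@"; }

# ensure_present OBJECT VALUE: add OBJECT (service|rich-rule|source|port) to
# the permanent config of $ZONE unless it is already there. firewall-cmd exits
# 0 when a --query-* matches and non-zero when it does not.
ensure_present() {
    if fw --permanent --zone="$ZONE" "--query-$1=$2" >/dev/null 2>&1; then
        echo "kept: $1 $2"
    else
        fw --permanent --zone="$ZONE" "--add-$1=$2" >/dev/null
        echo "added: $1 $2"
    fi
}

# ensure_absent OBJECT VALUE: the inverse of ensure_present.
ensure_absent() {
    if fw --permanent --zone="$ZONE" "--query-$1=$2" >/dev/null 2>&1; then
        fw --permanent --zone="$ZONE" "--remove-$1=$2" >/dev/null
        echo "removed: $1 $2"
    else
        echo "absent: $1 $2"
    fi
}

# check_drift: return non-zero if the in-memory rules differ from what will
# survive a reload. The first line ("public (active)" vs "public") and the
# interfaces line (bound by NetworkManager at runtime) legitimately differ,
# so both are dropped before comparing.
check_drift() {
    runtime=$(fw --zone="$ZONE" --list-all | sed -e 1d -e '/^  interfaces:/d')
    permanent=$(fw --permanent --zone="$ZONE" --list-all | sed -e 1d -e '/^  interfaces:/d')
    if [ "$runtime" = "$permanent" ]; then
        echo "ok: runtime matches permanent for zone $ZONE"
    else
        echo "DRIFT in zone $ZONE: runtime-only changes below will vanish on reload" >&2
        printf 'runtime:\n%s\npermanent:\n%s\n' "$runtime" "$permanent" >&2
        return 1
    fi
}

apply_baseline() {
    ensure_present service http
    # Add the ssh rich rule first: with set -e a failing add aborts before the
    # zone-wide ssh service is removed, so the reload cannot lock you out.
    ensure_present rich-rule "$SSH_RULE"
    ensure_absent service ssh
    # --permanent only edited /etc/firewalld/zones/$ZONE.xml; load it now.
    fw --reload >/dev/null
    check_drift
}

case "${1:-}" in
    apply) apply_baseline ;;
    check) check_drift ;;
    "")    ;;   # no argument: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 apply|check" >&2; exit 2 ;;
esac
```

Run it as root with `fw-baseline.sh apply`; `fw-baseline.sh check` on its own is a cheap way to confirm, after someone has been hand-editing rules, that nothing will silently disappear at the next reload. On firewalld 0.4 and later, `firewall-cmd --runtime-to-permanent` supports the opposite workflow: test a change at runtime first, then commit exactly what is running.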
Home | firewalld
CentOS 7 Firewalld firewall introduction @ 黃昏的甘蔗 :: Xuite blog
How To Use Firewalld Rich Rules And Zones For Filtering And NAT
Useful ‘FirewallD’ Rules to Configure and Manage Firewall in Linux
Whitelist source IP addresses in CentOS 7