In order to establish a network connection, you need to open a port on your Linux system. There are several methods for doing this, including using the built-in firewall programs FirewallD, UFW, and iptables. Each of these methods has its own set of advantages and disadvantages, and in this article, we will discuss how to open a port in Linux using each of these methods.

Check Listening Ports on Your System

You can use `ss` or `netstat` command line utility to list all the ports listening on your local system.

ss -tuln 

This command will list all the ports listening on your machine along with the socket connected to that ports. You can filter the listening port with the following command.

ss -tuln | grep "LISTEN" 

You will see output like below:

Output
tcp   LISTEN  0       5             127.0.0.1:631          0.0.0.0:*
tcp   LISTEN  0       100             0.0.0.0:25           0.0.0.0:*
tcp   LISTEN  0       100             0.0.0.0:143          0.0.0.0:*
tcp   LISTEN  0       4096            0.0.0.0:111          0.0.0.0:*
tcp   LISTEN  0       4096      127.0.0.53%lo:53           0.0.0.0:*
tcp   LISTEN  0       128             0.0.0.0:22           0.0.0.0:*
tcp   LISTEN  0       5                 [::1]:631             [::]:*
tcp   LISTEN  0       100                [::]:25              [::]:*
tcp   LISTEN  0       511                   *:443                *:*
tcp   LISTEN  0       70                    *:33060              *:*
tcp   LISTEN  0       151                   *:3306               *:*
tcp   LISTEN  0       511                   *:80                 *:*
tcp   LISTEN  0       128                [::]:22              [::]:*

Opening a Port with FirewallD:

FirewallD is a firewall management tool that is included in many popular Linux distributions, including CentOS, Fedora, and Red Hat Enterprise Linux. It provides a simple and easy-to-use interface for configuring the firewall rules on your system.

• List Services: To open a port with FirewallD, you first need to check if the service you want to allow is listed in the predefined service list. You can do this by running the following command:

  firewall-cmd --get-services 
  

  This will display a list of all the predefined services that are supported by FirewallD.

• Open Port by Service Name: If the service you want to allow is listed, you can open the port by running the following command:

  # Syntax
  firewall-cmd --permanent --add-service=service_name

  Replace “service_name” with the name of the service you want to allow. For example, to open port 80 for HTTP traffic, you would run the following command:

  firewall-cmd --permanent --add-service=http 
  

• Open Port by Number: If the service you want to allow is not listed in the predefined service list, you can open a specific port by running the following command:

  # Syntax
  firewall-cmd --permanent --add-port=port_number/protocol

  Replace “port_number” with the number of the port you want to open, and “protocol” with the protocol used by the service (either “tcp” or “udp”). For example, to open port 8080 for HTTP traffic using the TCP protocol, you would run the following command:

  firewall-cmd --permanent --add-port=8080/tcp 
  

Save the firewall rules: Once you have added the necessary firewall rule, you need to reload the firewall to apply the changes. You can do this by running the following command:

firewall-cmd --reload 

Opening a Port with UFW:

UFW (Uncomplicated Firewall) is a firewall management tool that is included in many popular Linux distributions, including Ubuntu and Linux Mint. It provides a simple and easy-to-use interface for configuring the firewall rules on your system.

• List Services: To open a port with UFW, you first need to check if the service you want to allow is listed in the predefined service list. You can do this by running the following command:

  ufw app list 
  

  This will display a list of all the predefined services that are supported by UFW.

• Open Port by Service name: If the service you want to allow is listed, you can open the port by running the following command:

  # Syntax
  ufw allow service_name

  Replace “service_name” with the name of the service you want to allow. For example, to open port 80 for HTTP traffic, you would run the following command:

  ufw allow http 
  

• Open port by number: If the service you want to allow is not listed in the predefined service list, you can open a specific port by running the following command:

  # Syntax
  ufw allow port_number/protocol

  Replace “port_number” with the number of the port you want to open, and “protocol” with the protocol used by the service (either “tcp” or “udp”). For example, to open port 8080 for HTTP traffic using the TCP protocol, you would run the following command:

  ufw allow 8080/tcp 
  

• Check firewall status: Once you have added the necessary firewall rule, you can check the status of the UFW firewall by running the following command:

  ufw status 
  

  This will display a list of all the active firewall rules, along with their status (either “enabled” or “disabled”).

You can also use the UFW command line interface to enable or disable specific rules, or to delete them altogether.

Opening a Port with Iptables:

Iptables is a powerful firewall management tool that is included in most Linux distributions. It provides a wide range of options for configuring the firewall rules on your system, but it can be more complex to use than FirewallD and UFW.

• Open Port by Number: To open a port with iptables, you need to use the “iptables” command followed by the appropriate options and arguments. For example, to open port 80 for HTTP traffic using the TCP protocol, you would run the following command:

  iptables -A INPUT -p tcp --dport 80 -j ACCEPT 
  

  This command adds a new firewall rule that allows incoming traffic on port 80 using the TCP protocol. The “-A” option specifies that the rule should be appended to the end of the INPUT chain, and the “-j” option specifies the action to be taken (in this case, ACCEPT).

• Open Port Range: If you want to open a range of ports, you can use the “-m multiport” module and specify the range of ports separated by a comma. For example, to open ports 80 to 90 for HTTP traffic using the TCP protocol, you would run the following command:

  iptables -A INPUT -p tcp -m multiport --dports 80:90 -j ACCEPT 
  

• Save firewall rules: Once you have added the necessary firewall rule, you can save the iptables configuration by running the following command:

  service iptables save 
  

  This will save the current firewall configuration to the appropriate configuration file so that the rules are applied every time the system is restarted.

Conclusion

In this article, we explored three different tools that can be used to open a port in Linux: FirewallD, UFW, and iptables. FirewallD is a firewall management tool that provides a front-end interface for iptables. It is a user-friendly tool that allows you to easily manage your firewall rules. UFW is another user-friendly firewall tool that allows you to easily open and close ports. Finally, we looked at iptables, which is a more advanced tool that gives you greater control over your firewall. All three of these tools can be used to open a port in Linux and allow network traffic to flow through to specific programs or services. In conclusion, the choice of which tool to use will depend on your level of familiarity with Linux firewalls and your personal preference.

The post How to Open Port in Linux appeared first on TecAdmin.

Open Port for Single IP/Network

For example, the following command will open port `80` for the network `192.168.1.0/24`:

firewall-cmd --permanent --zone=public --add-port=80/tcp --source=192.168.1.0/24 

In this case, the `--source` option specifies that the network 192.168.1.0/24 is allowed to access port 80.

You can also use the `--source` option to specify a single IP address as the source. For example:

firewall-cmd --permanent --zone=public --add-port=80/tcp --source=192.168.1.100 

This will open port 80 for the IP address 192.168.1.100.

Reload the FirewallD configuration to apply the changes. You can do this by running the following command:

firewall-cmd --reload 

Open Port for Multiple IP/Network

You can use the `--add-source` option instead of `--source` to add multiple sources to the rule.

For example, the following command will add the network 192.168.2.0/24 as an additional source for the rule that opens port 80:

firewall-cmd --permanent --zone=public --add-source=192.168.2.0/24 --add-port=80/tcp 

You can add multiple sources by separating them with a space. For example:

firewall-cmd --permanent --zone=public --add-source=192.168.2.0/24 192.168.3.0/24 --add-port=80/tcp 

This will add the networks 192.168.2.0/24 and 192.168.3.0/24 as additional sources for the rule that opens port 80.

Note: You can use the `--source` option instead of `--add-source` to specify a single source for the rule. The –source option will overwrite any existing sources for the rule, while –add-source will add the specified source to the existing list of sources.

Reload the FirewallD configuration to apply the changes. You can do this by running the following command:

firewall-cmd --reload 

You can verify that the port has been opened by using the firewall-cmd command with the –list-ports option. For example `firewall-cmd --zone=public --list-ports` will list all the ports that are open in the public zone.

Conclusion

In conclusion, FirewallD is a powerful tool that can be used to control incoming and outgoing network traffic on a Linux system. It allows you to open specific ports for specific networks, providing an additional layer of security for your system. To open a specific port for a specific network in FirewallD, you will need to install and start the FirewallD service, and then use the firewall-cmd command with the –permanent, –zone, –add-port, and –source options. You can then verify that the port has been opened by using the –list-ports option. By following these steps, you can easily open a specific port for a specific network in FirewallD and improve the security of your system.

The post How to Open Port for a Specific Network in FirewallD appeared first on TecAdmin.

In this tutorial, all the commands are written for MySQL port 3306. You can use the same command for any other ports as per your requirements.

Allow Port for All Traffic

Use the following commands to allow incoming traffic on port 3306 to all traffic coming from public network.

firewall-cmd --zone=public --add-port=3306/tcp

To add rule for permanent use --permanent option with command.

firewall-cmd --permanent --zone=public --add-port=3306/tcp

Allow Port for Specific IP

You can also restrict access on any port based on source address. To open port access based on source address needed to add firewall rich rule.

Run the below command to allow access for port 4567 to 192.168.0.0/24 network.

firewall-cmd --permanent --zone=public --add-rich-rule='
  rule family="ipv4"
  source address="192.168.0.0/24"
  port protocol="tcp" port="3306" accept'

Reload the firewall rules to apply changes.

firewall-cmd --reload

Verify Rules

After adding the rules in firewalld, You can verify the by the running following command.

firewall-cmd --list-all

Output:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.0/24" port port="3306" protocol="tcp" accept

The last line of output shows the rich rules added the firewalld.

Remove Rules from Firewalld

If you don’t need to keep the ports open, you can remove/deny the above ports from the firewalld using the –remove-port option:

firewall-cmd --permanent --zone=public --remove-port=3306/tcp

Next, run the following command to apply the changes:

firewall-cmd --reload

Conclusion

In this tutorial, you have learned to open port access to all traffic or specific IP address/network using firewalld on Linux operating systems.

The post How to Open Specific Port in FirewallD appeared first on TecAdmin.

Firewalld is a firewall management solution for many Linux distributions including, Ubuntu, Debian, CentOS, RHEL and Fedora. It acts as a frontend for the iptables filtering system provided by the Linux kernel. It is protocol independent that means it supports IPv4, IPv6, ethernet bridges and IP sets.

Basic Concept of Firewalld

FirewallD uses zones and services instead of iptables chain and rules. Zones are a set of rules that specify what traffic should be allowed depending on the level of trust you have in a network your computers connected to. Network interfaces assigned a zone to dictate a behavior that the firewall should allow.

The firewalld is managed using the firewall-cmd command-line tool. It provides an interface to manage runtime and permanent configuration.

Firewalld Zones

There are 9 pre-defined zones in the Firewalld depending on the level of trust in ascending order.
A brief explanation of each zone are explained below:

• Drop : This zone has the least level of trust and used to drop all incoming traffic without sending any acknowledgment to the sender.
• Block : This zone is very similar to the Drop zone, the incoming traffic is rejected and the sender gets a message.
• Public : Allows traffic from certain public networks.
• External : This zone is used when your system acts as a gateway or router.
• Internal : The set of rules that apply to the computers in your private internal network.
• DMZ : This zone is an isolated patch of computers in your internal network that may not access other internal resources.
• Work : This zone is used for work machines. The trust level is high.
• Home : Most computers in this zone trust each other. The trust level is higher than work.
• Trusted : This zone has the highest trust level. All computers in the network are trusted.

Step 1 – Installing Firewalld

By default, Firewalld is pre-installed on most of the operating systems. But some of the minimal OS installation doesn’t included fiIf not installed, you can install it with the following command:

sudo yum install firewalld        # CentOS/RHEL 8/7/6 
sudo dnf install firewalld        # Fedora and CentOS/RHEL 8 
sudo apt install firewalld        # Ubuntu and Debian  

After installing firewalld, you will need to start and enable it to start after system reboot.

sudo systemctl start firewalld
sudo systemctl enable firewalld

Run the following command to verify the status of firewalld

systemctl status firewalld
[OR] 
firewall-cmd --state

Step 2 – Working with Zones and Services

By default, public is the default zone in firewalld and all network interfaces are configured with public zone. You can list the default zone with the following command:

firewall-cmd --get-default-zone

Output:

public

Next, run the following command to get a list of active zones:

firewall-cmd --get-active-zones

You should get the following output:

public
  interfaces: eth0 eth1

To get a list of all available zones run the following command:

firewall-cmd --get-zones

You should get the following output:

block dmz drop external home internal public trusted work

You can list all services associated with a public zone with the following command:

firewall-cmd --list-all

You should get the following output:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

To change the default zone from public to work run the following command:

firewall-cmd --set-default-zone=work

You can now verify your default zone with the following command:

firewall-cmd --get-default-zone

Output:

work

You can get a list of all available services in your system with the following command:

firewall-cmd --get-services

You should get the following output:

RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

Step 3 – Allow and Deny Services in Firewalld

You can allow and deny incoming traffic based on predefined services in firewalld.

For example, to allow all incoming traffic for http service in Public zone run the following command:

firewall-cmd --zone=public --add-service=http

Output:

success

To allow incoming traffic for ftp service in Public zone run the following command:

firewall-cmd --zone=public --add-service=ftp

Output:

success

The above command will add http and ftp service temporary and it is not persistent on reboots. You will need to use the --permanent option to make them permanent as shown below:

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=ftp

Next, run the following command to implement the changes:

firewall-cmd --reload

You can now get a list of added services with the following command:

firewall-cmd --permanent --zone=public --list-services

You should see the following output:

cockpit dhcpv6-client ftp http ssh

You can also check the detail information about Public zone with the following command:

firewall-cmd --info-zone public

Output:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: cockpit dhcpv6-client ftp http ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

If you want to remove/deny the above services from the firewalld, use the --remove-service option:

firewall-cmd --permanent --zone=public --remove-service=http
firewall-cmd --permanent --zone=public --remove-service=ftp

Next, run the following command to apply the changes:

firewall-cmd --reload

Step 4 – Allow and Deny Ports in Firewalld

You can also allow and deny incoming traffic based on the port in firewalld.

For example, allow all incoming traffic on port 8080 and 443, run the following command:

firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --permanent --zone=public --add-port=8080/tcp

Next, run the following command to apply the changes:

firewall-cmd --reload

Next, verify the added ports with the following command:

firewall-cmd --permanent --zone=public --list-ports

Output:

443/tcp 8080/tcp

Similarly remove/deny the above ports from the firewalld, use the –remove-port option:

firewall-cmd --permanent --zone=public --remove-port=443/tcp
firewall-cmd --permanent --zone=public --remove-port=8080/tcp

Next, run the following command to apply the changes:

firewall-cmd --reload

Step 5 – Port Forwarding with Firewalld

Port forwarding is the process that redirects request from IP/port combination and redirect it to a different IP and/or port. This technique allows remote machines to connect to a specific service within a private network.

Before configuring port forwarding, you need to activate masquerade in the desired zone. You can activate it using the --add-masquerade option:

firewall-cmd --zone=public --add-masquerade

Next, to forwards traffic from port 80 to port 8080 on the same server run the following command:

firewall-cmd --permanent --zone=public --add-forward-port=port=80:proto=tcp:toport=8080

If you want to forwards traffic from local port 80 to port 8080 on a remote server with IP address 192.168.1.200 run the following command:

firewall-cmd --permanent --zone=public --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.1.200

Next, run the following command to apply the changes:

firewall-cmd --reload

If you want to remove the above rules, replace –add with –remove as shown below:

firewall-cmd --permanent --zone=public --remove-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.1.200
firewall-cmd --permanent --zone=public --remove-forward-port=port=80:proto=tcp:toport=8080

Conclusion

In the above guide, you learned the basic concept of Firewalld and how to implement it on the Linux operating system. I hope you can now limit unnecessary incoming traffic with firewalld.

The post What is FirewallD And How To Implement On Linux appeared first on TecAdmin.

Allow HTTP/s in Firewalld

You can allow and deny incoming traffic based on predefined services in firewalld. You can find the complete list of services in /etc/services file.

Let’s allow HTTP and HTTPS service via the firewalld.

firewall-cmd --zone=public --add-service=http
firewall-cmd --zone=public --add-service=https

The above rules will be removed after system reboot. Use the --permanent option to add rules permanent in firewalld.

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https

Next, run the following command to apply the changes:

firewall-cmd --reload

Check Allowed Services

You can find the list of added services with the following command:

firewall-cmd --permanent --zone=public --list-services

You should see the results like:

cockpit dhcpv6-client http https ssh

Disable Services from Firewalld

If you want to remove/deny the above services from the firewalld, use the --remove-service option:

firewall-cmd --permanent --zone=public --remove-service=http
firewall-cmd --permanent --zone=public --remove-service=ftp

Next, run the following command to apply the changes:

firewall-cmd --reload

Conclusion

In this tutorial, you have learned to allow/deny services in firewalld via command line.

The post How to Allow HTTP and HTTPS Services in FirewallD appeared first on TecAdmin.

Allow Port 80 & 443 in FirewallD

Using firewalld, you can allow/deny any port temporarily or permanently. The temporary allow/deny rules will be removed after the system reboot. But the permanent rules will persist even after the system restart.

The following commands allow incoming traffic on TCP ports 80 and 443 in firewalld.

sudo firewall-cmd --zone=public --add-port=80/tcp 
sudo firewall-cmd --zone=public --add-port=443/tcp 

The --permanent option insures to remain firewall rules after system reboots.

sudo firewall-cmd --permanent --zone=public --add-port=80/tcp 
sudo firewall-cmd --permanent --zone=public --add-port=443/tcp 

Next, apply the changes by reloading the firewallD.

sudo firewall-cmd --reload 

View Firewall Rules

After adding the rules in firewalld, You can verify the by the running following command.

sudo firewall-cmd --permanent --zone=public --list-ports 

Output:

443/tcp 8080/tcp

Remove Rules from FirewallD

If you don’t need to keep the ports open, you can remove/deny the above ports from the firewalld using the –remove-port option:

sudo firewall-cmd --permanent --zone=public --remove-port=80/tcp 
sudo firewall-cmd --permanent --zone=public --remove-port=443/tcp 

Next, run the following command to apply the changes:

sudo firewall-cmd --reload 

Conclusion

This tutorial helped you to open port 80 and 443 through the firewalld on Linux operating systems.

The post How to Open Port 80 & 443 in FirewallD appeared first on TecAdmin.

Disable Firewalld Service

Before installing and using iptables services on CentOS and Red Hat 7 systems, we need to disable firewalld service. To completely disable firewalld service use following commands.

sudo systemctl stop firewalld
sudo systemctl mask firewalld

Now check firewalld status

sudo systemctl status firewalld

firewalld.service
   Loaded: masked (/dev/null)
   Active: inactive (dead) since Fri 2015-02-27 11:09:37 EST; 56s ago
 Main PID: 7411 (code=exited, status=0/SUCCESS)

Feb 27 11:02:18 svr10 systemd[1]: Started firewalld - dynamic firewall daemon.
Feb 27 11:09:36 svr10 systemd[1]: Stopping firewalld - dynamic firewall daemon...
Feb 27 11:09:37 svr10 systemd[1]: Stopped firewalld - dynamic firewall daemon.

Install Iptables on CentOS/RHEL 7

Now install iptables service using yum package manager using the following command.

sudo yum install iptables-services

After installing enable iptables service and start using below commands.

sudo systemctl enable iptables
sudo systemctl start iptables

Now check the iptables service status using below command.

sudo systemctl status iptables

To list iptables rules use the following command.

sudo iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source       destination
ACCEPT     all  --  anywhere     anywhere       state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere     anywhere     
ACCEPT     all  --  anywhere     anywhere     
ACCEPT     tcp  --  anywhere     anywhere       state NEW tcp dpt:ssh
REJECT     all  --  anywhere     anywhere       reject-with icmp-host-prohibited
                                              
Chain FORWARD (policy ACCEPT)                 
target     prot opt source       destination  
REJECT     all  --  anywhere     anywhere       reject-with icmp-host-prohibited
                                              
Chain OUTPUT (policy ACCEPT)                  
target     prot opt source       destination  

The post How do I Install and Use Iptables on CentOS/RHEL 7 appeared first on TecAdmin.