IPTables

How to Open Ports and Survive Reboots

Open Port

Opening a port differs between Enterprise Linux (EL) 6 and 7, although both platforms run iptables underneath.

  • EL6 uses iptables to manage chains and rules, and iptables-save to write the result to a target file.
  • EL7 uses firewall-cmd to manage zones, chains and rules, and saves the current setting when the --permanent option is added.

Enterprise Linux here means Red Hat Enterprise Linux or its clones such as CentOS or Oracle Enterprise Linux.

Open Port only for Runtime

For example, if you’d like to open port 80 at runtime:

On EL 6, please do this:

[root@el6 ~]# iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

On EL 7, please do this:

[root@el7 ~]# firewall-cmd --zone=public --add-port=80/tcp
success

You can see that port 80 is opened right away on both platforms, but the change is only effective in the running OS instance; it does not persist across a reboot.

On EL 7, to persist the runtime (in-memory) settings into the permanent zone file, you can do this:

[root@el7 ~]# firewall-cmd --runtime-to-permanent
success

Open Port Permanently

To persist across reboots, you must save the current setting permanently.

On EL 6, please do this:

[root@el6 ~]# iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
[root@el6 ~]# iptables-save > /etc/sysconfig/iptables

On EL 7, please do this:

[root@el7 ~]# firewall-cmd --zone=public --add-port=80/tcp
success
[root@el7 ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success

After saving the current setting, please reboot your server to verify the result.

[root@el7 ~]# init 6
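Before rebooting, it is worth checking that the runtime and permanent zone settings actually agree, since a port opened at runtime but never persisted closes silently after the reboot, and a port persisted but not yet active opens silently. The following shell script is an added example, not code from the original post: it compares the firewall-cmd runtime and permanent lists for a zone and reports entries present on only one side. It assumes firewalld's firewall-cmd on EL7 (--list-ports, --list-services and --permanent); the zone name argument is this script's own convention, and the helpers also work offline on constructed lists.

```shell
#!/bin/sh
# Added example: detect drift between firewalld runtime and permanent zone
# settings on EL7. The helpers take space-separated token lists, as printed by
#   firewall-cmd --zone=Z --list-ports              (runtime)
#   firewall-cmd --zone=Z --permanent --list-ports  (permanent)

# Print each token of $1 that is absent from $2, prefixed with label $3.
only_in_first() {
    first=$1; second=$2; label=$3
    for item in $first; do
        found=0
        for other in $second; do
            if [ "$item" = "$other" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then echo "$label $item"; fi
    done
}

# Report drift in both directions. A runtime-only entry disappears at the next
# reboot; a permanent-only entry silently becomes active at the next reboot
# (or firewall-cmd --reload). Prints nothing when the two lists agree.
port_drift() {
    runtime=$1; permanent=$2
    only_in_first "$runtime" "$permanent" "runtime-only (lost on reboot):"
    only_in_first "$permanent" "$runtime" "permanent-only (opens on reboot):"
}

# Exit status 0 when runtime and permanent lists match, 1 otherwise.
check_zone_sync() {
    [ -z "$(port_drift "$1" "$2")" ]
}

# Live use on an EL7 host (root, firewalld running). Skipped when firewall-cmd
# is not installed, so the helpers above can still be exercised offline.
if command -v firewall-cmd >/dev/null 2>&1; then
    zone=${1:-public}                       # zone name, default public
    for kind in ports services; do
        rt=$(firewall-cmd --zone="$zone" --list-"$kind")
        pm=$(firewall-cmd --zone="$zone" --permanent --list-"$kind")
        port_drift "$rt" "$pm"
        if check_zone_sync "$rt" "$pm"; then
            echo "zone $zone: $kind in sync"
        fi
    done
fi
```

Run it as root before the reboot; an empty drift report for both ports and services means the settings saved with --permanent are exactly what is active now.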

More on EL 7.

The following two commands on EL 7 have the same effect, but leave different records in the zone configuration file.

[root@el7 ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@el7 ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
[root@el7 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  ...
  <service name="http"/>
  ...
  <port protocol="tcp" port="80"/>
  ...
</zone>

In my opinion, I’d rather use --add-service than --add-port to get more flexibility.

The following two commands on EL 7 have the same effect at runtime.

[root@el7 ~]# firewall-cmd --zone=public --add-port=80/tcp
success
[root@el7 ~]# iptables -A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
[root@el7 ~]# iptables -L IN_public_allow -n
Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
...
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW

From outside the server, you may use telnet to check whether the port is open or closed.

For more information about using firewall-cmd, you may refer to this documentation: FirewallD: Working with firewalld, or the official Red Hat documentation: 4.5. Using Firewalls.
