How to Open Port for a Specific IP Address in Firewalld
How can I allow traffic from a specific IP address in my private network or allow traffic from a specific private network through firewalld, to a specific port or service on a Red Hat Enterprise Linux (RHEL) or CentOS server?
In this short article, you will learn how to open a port for a specific IP address or network range in your RHEL or CentOS server running a firewalld firewall.
The most appropriate way to solve this is with a firewalld zone. So, you need to create a new zone that will hold the new configuration (or reuse one of the existing zones, provided its other rules suit the source you are about to allow).
Open Port for Specific IP Address in Firewalld
First create an appropriate zone name (in our case, we have used mariadb-access to allow access to the MySQL database server).
# firewall-cmd --new-zone=mariadb-access --permanent
Next, reload firewalld so the new zone becomes usable. If you skip this step, firewall-cmd reports an error when you reference the zone. The new zone should now appear in the list of zones.
# firewall-cmd --reload
# firewall-cmd --get-zones
Next, add the source address and the port (3306) you wish to open on the local server. To allow a single host, give its address alone or with a /32 prefix (10.24.96.5/32). Do not attach a network mask to a host address: a source of 10.24.96.5/20 is not one host, it matches all of 10.24.96.0/20, because only the network bits of a CIDR source are compared. Then reload firewalld to apply the changes.
# firewall-cmd --zone=mariadb-access --add-source=10.24.96.5/32 --permanent
# firewall-cmd --zone=mariadb-access --add-port=3306/tcp --permanent
# firewall-cmd --reload
Alternatively, you can allow traffic from the entire network (10.24.96.0/20) to the port or service.
# firewall-cmd --zone=mariadb-access --add-source=10.24.96.0/20 --permanent
# firewall-cmd --zone=mariadb-access --add-port=3306/tcp --permanent
# firewall-cmd --reload
To confirm that the new zone has the required settings as added above, check its details with the following command.
# firewall-cmd --zone=mariadb-access --list-all
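The procedure above, as an added example that is not part of the original article: a small POSIX shell wrapper around firewall-cmd that turns a bare address into /32 before adding it and refuses a host address that carries a network mask, so that "allow this host" cannot silently become "allow this /20". The function names, the DRY_RUN switch and the zone name are this example's own assumptions; the real commands only take effect when run as root on a host with firewalld.

```shell
#!/bin/sh
# Added example (not from the original article). Wraps firewall-cmd so that
# "allow this host" really means one host: a bare address becomes /32 and a
# host address carrying a network mask (10.24.96.5/20) is rejected, because
# only the network bits are compared and all of 10.24.96.0/20 would be let in.
# Function names and the DRY_RUN switch are this example's own; run as root on
# a host with firewalld for the commands to take effect.

# ip4_to_int A.B.C.D -> the address as a 32-bit integer
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# network_of ADDR PREFIXLEN -> network address of ADDR/PREFIXLEN, dotted quad
network_of() {
    n=$(ip4_to_int "$1")
    mask=$(( (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
    net=$(( n & mask ))
    echo "$(( (net >> 24) & 255 )).$(( (net >> 16) & 255 )).$(( (net >> 8) & 255 )).$(( net & 255 ))"
}

# normalize_source SRC -> "ADDR/PREFIXLEN" on stdout.
#   bare address         -> ADDR/32
#   proper network       -> unchanged
#   host with a mask     -> prints the network it would really match, returns 1
normalize_source() {
    case $1 in
        */*) addr=${1%/*}; plen=${1#*/} ;;
        *)   addr=$1;      plen=32 ;;
    esac
    case $addr in
        *[!0-9.]*|*..*|.*|*.) echo "invalid address: $addr" >&2; return 1 ;;
    esac
    case $plen in
        *[!0-9]*|'') echo "invalid prefix length: $plen" >&2; return 1 ;;
    esac
    if [ "$plen" -gt 32 ]; then
        echo "invalid prefix length: $plen" >&2; return 1
    fi
    net=$(network_of "$addr" "$plen")
    if [ "$net" != "$addr" ]; then
        echo "refusing $1: firewalld would match the whole network $net/$plen" >&2
        echo "$net/$plen"
        return 1
    fi
    echo "$addr/$plen"
}

# open_port_for_host ZONE SRC PORT/PROTO: create ZONE if it is missing, bind
# SRC and PORT/PROTO to it, reload and show the result.
# DRY_RUN=1 prints the firewall-cmd invocations instead of running them.
open_port_for_host() {
    zone=$1; port=$3
    src=$(normalize_source "$2") || return 1      # stop before touching the firewall
    run() {
        if [ -n "$DRY_RUN" ]; then echo "firewall-cmd $*"; else firewall-cmd "$@"; fi
    }
    if [ -z "$DRY_RUN" ] && firewall-cmd --permanent --get-zones | tr ' ' '\n' | grep -qx "$zone"; then
        :   # zone already exists, reuse it
    else
        run --permanent --new-zone="$zone"
    fi
    run --permanent --zone="$zone" --add-source="$src"
    run --permanent --zone="$zone" --add-port="$port"
    run --reload
    run --zone="$zone" --list-all
}

# Example: only 10.24.96.5 may reach MariaDB on 3306/tcp.
# DRY_RUN=1 open_port_for_host mariadb-access 10.24.96.5 3306/tcp
```

Run it as root as `open_port_for_host mariadb-access 10.24.96.5 3306/tcp`. Feeding it 10.24.96.5/20 stops before any firewall-cmd call and prints the network that entry would really match; if a whole network is what you want, pass 10.24.96.0/20 explicitly.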
Remove Port and Zone from Firewalld
You can remove the source address or network as shown.
# firewall-cmd --zone=mariadb-access --remove-source=10.24.96.5/32 --permanent
# firewall-cmd --reload
To remove the port from the zone, issue the following command, and reload the firewalld settings:
# firewall-cmd --zone=mariadb-access --remove-port=3306/tcp --permanent
# firewall-cmd --reload
To remove the zone, run the following command, and reload the firewalld settings:
# firewall-cmd --permanent --delete-zone=mariadb-access
# firewall-cmd --reload
Last but not least, you can also use a firewalld rich rule instead of a separate source and port entry. The example below allows only the host 10.24.96.5 to reach TCP port 3306; reload afterwards as before:
# firewall-cmd --permanent --zone=mariadb-access --add-rich-rule='rule family="ipv4" source address="10.24.96.5/32" port protocol="tcp" port="3306" accept'
# firewall-cmd --reload
Reference: Using and Configuring firewalld in the RHEL 8 documentation.
That’s it! We hope the above solutions worked for you.
Easy steps to open a port in Linux RHEL/CentOS 7/8
In this article I will share examples to check port status and open a port in Linux. It was written on CentOS 8, and the commands are those of firewalld, netstat, nmap and ncat, so they apply equally to CentOS/RHEL 7 and 8, Fedora, Oracle Linux and the rest of the Red Hat family, and, where firewalld is installed, to SLES and openSUSE.
Before we jump into the examples, we must understand the requirement clearly. The first question to answer is which of these you mean:
- Do you need to open a port for a service, such as a custom port 5555 for the Apache service?
- Is the port already listening but blocked by the firewall, so that you need to open it in the firewall?
- Do you want to open a port for a temporary task, such as transferring files through it, and then close it again?
We will cover all three scenarios in this article.
Check port status
To see which ports are currently open, we will run nmap against the host. Scanning localhost, as below, shows what answers on the loopback address, which is enough to get started:
[root@centos-8 ~]# nmap localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-22 12:08 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000024s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
Nmap done: 1 IP address (1 host up) scanned in 1.71 seconds
Currently only two of the 1000 most common ports that nmap scans by default are open on my CentOS 8 node.
Check list of listening ports
We will use netstat to list the TCP ports in LISTEN state. There are more entries here than in the nmap output: netstat shows every listening socket, including one bound only to 192.168.122.1:53, whereas the scan above probed only its default port range on 127.0.0.1. On a minimal CentOS 8 install netstat (package net-tools) may not be present; ss -ntlp from iproute prints the same information.
[root@centos-8 ~]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1627/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      26893/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp6       0      0 :::22                   :::*                    LISTEN      26893/sshd
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
Open a port for some service
If this is your requirement then you are asking the wrong question. It works the other way round: a service opens its port. For example, when you start the sshd service it listens on port 22 by default, but opening port 22 in the firewall does not start sshd.
Let us observe this with an example. We know that port 22 is open on my CentOS 8 node. If I stop the sshd service:
[root@centos-8 ~]# systemctl stop sshd
you can see that port 22 is no longer listening:
[root@centos-8 ~]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1627/dnsmasq
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
To change the default port you must edit the respective service’s configuration file (for sshd, the Port directive in /etc/ssh/sshd_config; with SELinux enforcing, a non-standard port also has to be labelled for the service with semanage port). Once done, restart the service and it will listen on the new port on your Linux node.
This covers the first scenario.
firewalld open port
It is also possible that the port is blocked by the firewall. From a remote host, nmap reports a port that the firewall rejects or drops as filtered, whereas a port that is reachable but has nothing listening shows as closed. A scan of localhost, as above, cannot tell you this, because loopback traffic does not pass through the firewall zones.
We will use firewalld to open the port, as it is the default firewall front end in RHEL/CentOS 7 and 8. First determine which zone the system’s network interfaces are in. In the following example, the eth0 and eth1 interfaces are in the public zone:
[root@centos-8 ~]# firewall-cmd --get-active-zones
libvirt
interfaces: virbr0
public
interfaces: eth0 eth1
To open a port permanently in a zone use the --add-port option. The example below permanently opens TCP port 1234 in the public zone. Note that permanent changes do not take effect until firewalld is reloaded.
[root@centos-8 ~]# firewall-cmd --zone=public --add-port=1234/tcp --permanent
success
[root@centos-8 ~]# firewall-cmd --reload
success
To make a non-persistent change, issue the same command without --permanent. A runtime change takes effect immediately but is lost when the firewall is reloaded or the host reboots; firewall-cmd --runtime-to-permanent saves the current runtime configuration if you decide to keep it.
Once the port is open in firewalld, use netstat to check the port status:
[root@centos-8 ~]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1627/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      28188/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp6       0      0 :::22                   :::*                    LISTEN      28188/sshd
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
We still don’t see port 1234 here. This is because no process is bound to port 1234 yet, so the port is OPEN in the firewall but NOT LISTENING. As soon as a service binds to port 1234, it will show up in LISTEN state.
Use nc or ncat to open a port in Linux
Let us verify this theory. nc, or ncat, is delivered as part of the nmap-ncat package in RHEL/CentOS, which you can install with yum or dnf. Use --listen together with --source-port (or give the port as the last argument) to open a port with nc. In the example below we open port 1234:
[root@centos-8 ~]# nc --listen --source-port 1234
Open another terminal on the same server and check the port status:
[root@centos-8 ~]# netstat -ntlp | grep 1234
tcp        0      0 0.0.0.0:1234            0.0.0.0:*               LISTEN      28983/nc
tcp6       0      0 :::1234                 :::*                    LISTEN      28983/nc
As you can see, port 1234 is listening on both IPv4 and IPv6. To listen on IPv4 only, add -4 to the command:
[root@centos-8 ~]# nc --listen --source-port 1234 -4
Next, on another terminal, check the status of port 1234 again:
[root@centos-8 ~]# netstat -ntlp | grep 1234
tcp        0      0 0.0.0.0:1234            0.0.0.0:*               LISTEN      29329/nc
Use nc or ncat to open a port and transfer files
We can also use nc to transfer a file from one host to another. Here I will transfer inputfile from centos-8 to rhel-8. On the receiving host (rhel-8) we open an arbitrary unused port, 9899 in this example, and redirect whatever arrives into outputfile. Verbose mode is enabled so you can see more details on the screen. Note that nc neither encrypts nor authenticates the transfer: any host that can reach port 9899 can connect and write to outputfile, so use this only on a trusted network, keep the listener up only as long as needed, and compare checksums of both files afterwards.
[root@rhel-8 ~]# ncat --verbose --listen 9899 > outputfile
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::9899
Ncat: Listening on 0.0.0.0:9899
Ncat: Connection from 192.168.43.250.
Ncat: Connection from 192.168.43.250:40242.
Next, on the sending host, start the transfer with the command below:
[root@centos-8 ~]# ncat --verbose 192.168.43.157 9899 < inputfile
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.43.157:9899.
Ncat: 19 bytes sent, 0 bytes received in 0.01 seconds.
If the connection fails, check the firewall between the two hosts: it is possible that port 9899 is blocked on the receiver, and you must open it in firewalld as shown above.
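The listener and the transfer above, as an added example that is not the article's own code: ncat wrapped so that the listener accepts only the expected peer, goes away after the one connection, and the received copy is verified with a SHA-256 digest, since nc itself authenticates nothing and checks nothing. The hosts, port 9899 and the file names are the article's; the function names are this example's own; it assumes nmap-ncat on both sides and port 9899 opened in firewalld on the receiver.

```shell
#!/bin/sh
# Added example, not part of the original article: a one-shot ncat file
# transfer that (a) only accepts the expected peer, (b) closes after one
# connection and (c) lets the receiver verify the copy, because nc neither
# authenticates the peer nor integrity-checks the data. Function names are
# this example's own; requires nmap-ncat on both hosts and port 9899 open in
# firewalld on the receiver.

# file_digest FILE -> SHA-256 hex digest of FILE (sha256sum, or shasum where
# coreutils is absent)
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# check_digest FILE EXPECTED -> 0 if FILE hashes to EXPECTED, 1 otherwise
check_digest() {
    [ "$(file_digest "$1")" = "$2" ]
}

# receive_file PORT PEER OUTFILE: listen once on PORT, accept a connection
# only from PEER (ncat --allow), write the stream to OUTFILE.
# Without --keep-open ncat exits after the first connection, so the port
# stops listening by itself; open PORT in firewalld before calling this.
receive_file() {
    port=$1; peer=$2; out=$3
    ncat --listen --allow "$peer" "$port" > "$out"
}

# send_file HOST PORT FILE: stream FILE to the listener and print its digest
# so the receiving side can compare it out of band (for example over ssh).
send_file() {
    host=$1; port=$2; file=$3
    ncat --send-only "$host" "$port" < "$file"
    echo "sent $file sha256=$(file_digest "$file")"
}

# verify_received OUTFILE EXPECTED: keep OUTFILE only if its digest matches,
# otherwise delete it and fail, so a tampered or truncated copy is not used.
verify_received() {
    if check_digest "$1" "$2"; then
        echo "ok: $1 matches $2"
    else
        echo "MISMATCH: removing $1" >&2
        rm -f "$1"
        return 1
    fi
}

# On rhel-8 (receiver, 192.168.43.157):
#   receive_file 9899 192.168.43.250 outputfile
# On centos-8 (sender):
#   send_file 192.168.43.157 9899 inputfile        # prints the digest
# Back on rhel-8, with the digest the sender printed:
#   verify_received outputfile <digest>
```

The --allow filter is a convenience against stray connections, not authentication: a host that can spoof or sit on the allowed address can still connect. For anything that is not a throwaway file on a trusted LAN, scp or rsync over ssh is the right tool; this wrapper only limits how much damage a plain nc transfer can do.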
Lastly, I hope the steps in this article to open a port and check port status on Linux were helpful. Let me know your suggestions and feedback in the comment section.
5 thoughts on “Easy steps to open a port in Linux RHEL/CentOS 7/8”
A very thorough and helpful post. I was trying to allow ssh on a secondary port and could not get it to work using the usual advice (w/CentOS8.)
The recommendation you provided to add the port using the firewall-cmd was the missing ingredient:
firewall-cmd --zone=public --add-port=22/tcp --permanent
firewall-cmd --reload
Hi
I did the below steps and reloaded the firewall, but when I run netstat -ntlp, port 1234 is still not showing as open.
[root@centos-8 ~]# firewall-cmd --zone=public --add-port=1234/tcp --permanent
success
[root@centos-8 ~]# firewall-cmd --reload
success
We still don’t see port 1234 here. This is because currently port 1234 is not bound to any service. So our port is OPEN but NOT LISTENING. As soon as a request or service tries to use port 1234, we will get this in LISTEN state.
Hi,
I did the below steps and it worked.
When I use scan port (http://ports.my-addr.com/ip-range-port-scanner-tool.php), the first time the result is open, but the second time the result is closed (port is open but not listening).
How to make the port always listen?
I assume you are asking about the nc command. By default nc will close the connection after the current connection is completed. To keep it active use -k along with -l.