Basic firewall rules on CentOS 7


Firewalld is one of the strongest tools on a Linux system. It is used to control network traffic and port forwarding, and it comes with a rich set of options for many kinds of work. We will start this article by starting and enabling the firewalld service. Run the two commands below to start and enable it.

#systemctl start firewalld

#systemctl enable firewalld

From here we can start our learning about this very important tool.

First of all, firewalld has to permit a service's port before that service can communicate over the network. So we need to add the port or the service name to firewalld. The command below is a good example.

#firewall-cmd --permanent --add-port=(port number)/(tcp/udp)

The above command is one of the simplest firewall-cmd commands. By now we already know that everything after the main command is a parameter or an option. We can use more than one option in a command to get our job done. Below I will try my best to cover the most common and useful options for firewalld.

In our last example we used the option “permanent”. It means the rule is saved to the permanent configuration and stays there until we remove it. A permanent rule becomes active once the firewall is reloaded. “add-port” means that we are adding this port to firewalld so that the service or port is allowed.

Similarly, there are some other important options, which I describe below.

--new-ipset=(IP list name)

This option is used to group a particular range of IPs into a set, so that we can use the whole IP set for a single purpose. It is usually used together with another option, --type=hash:ip, which means the system stores the IP addresses in a hash table (the hashing is there for fast lookup, it does not encrypt the addresses). The command below creates an IP list.

#firewall-cmd --permanent --new-ipset=testlist --type=hash:ip

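Next we have to put IP addresses into this ipset. Because the ipset was created with --permanent and has not been loaded yet, the entry is added with --permanent as well. Use the command below.

#firewall-cmd --permanent --ipset=testlist --add-entry=(IP address)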

After that we have to put that IP list into a zone and reload the firewall. Run the commands below.

#firewall-cmd --permanent --zone=public --add-source=ipset:testlist

#firewall-cmd --reload
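
The ipset steps above as one script, added here as an example and not taken from the original article: it validates every address before printing the command sequence, and only executes it when APPLY=1 is set. The function names, the APPLY variable and the sample addresses are assumptions made for this example; the final `--get-entries` line is a post-reload check.

```sh
#!/bin/sh
# Added example, not from the original article. Addresses are constructed samples.

# Succeed only for a dotted-quad IPv4 address whose octets are all 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots here
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the command sequence: create ipset $1, add each address, bind it to zone $2.
# Prints nothing on stdout and returns 1 if a name or an address is malformed.
ipset_plan() {
    [ $# -ge 3 ] || { echo "usage: ipset_plan SET ZONE IP..." >&2; return 1; }
    set_name=$1; zone=$2; shift 2
    case $set_name$zone in
        *[!A-Za-z0-9_-]*) echo "bad ipset or zone name" >&2; return 1 ;;
    esac
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "rejected entry: $ip" >&2; return 1; }
    done
    echo "firewall-cmd --permanent --new-ipset=$set_name --type=hash:ip"
    for ip in "$@"; do
        echo "firewall-cmd --permanent --ipset=$set_name --add-entry=$ip"
    done
    echo "firewall-cmd --permanent --zone=$zone --add-source=ipset:$set_name"
    echo "firewall-cmd --reload"
    echo "firewall-cmd --ipset=$set_name --get-entries"   # runtime check after reload
}

# Show the plan; execute it only when APPLY=1 (needs root and a running firewalld).
run_plan() {
    plan=$(ipset_plan "$@") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$plan" | while IFS= read -r line; do $line || exit 1; done
    else
        printf '%s\n' "$plan"
    fi
}

run_plan testlist public 192.0.2.10 198.51.100.7
```

Without APPLY=1 the script only prints the plan, so the entries can be reviewed before anything is written to the firewall configuration.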

At this point we need to introduce another important option, “add-source”. It is one of the options most commonly used by those who maintain a firewall or network traffic. With this option we put an IP address or a list of IP addresses into the system, to be processed as necessary. To add an IP address to the system, use the command below.

#firewall-cmd --permanent --zone=public --add-source=(IP address or IP address range)

So far we have learned how to add different properties to our system. We also need to know how to remove them. That is actually much easier than adding: instead of using add, we use remove. So our “add-source” becomes “remove-source” and “add-entry” becomes “remove-entry”.

We also have some good options for keeping a proper report. Below we will learn a little about those options.


--get-active-zones

--new-zone



The five zone-related options above are used to find zones and their current activity. The last one shows the details of a zone. This is a very useful option for a new system administrator who needs to find rules and other information.

There are a few more things we can do with this tool, mainly NAT, REDIRECT, POSTROUTE and PREROUTE. We will learn about these in our next articles.
