Open Port
There are differences in how a port is opened between Enterprise Linux (EL) 6 and 7, although iptables operates underneath on both.
- EL6 uses iptables to manage chains and rules, and iptables-save to write the result to a target file.
- EL7 uses firewall-cmd to manage zones, chains and rules, and it saves the current setting when the --permanent option is added.
Enterprise Linux here means Red Hat Enterprise Linux or its clones such as CentOS or Oracle Enterprise Linux.
Open Port only for Runtime
For example, if you'd like to open port 80 at runtime:
On EL 6, please do this:
[root@el6 ~]# iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
On EL 7, please do this:
[root@el7 ~]# firewall-cmd --zone=public --add-port=80/tcp
success
You can see that port 80 is opened right away on both platforms, but the change is only effective in the running OS instance; it does not persist across reboots.
On EL 7, to copy the runtime (in-memory) settings into the permanent zone file, you can do this:
[root@el7 ~]# firewall-cmd --runtime-to-permanent
success
Open Port Permanently
To persist a setting across reboots, you must save it permanently.
On EL 6, please do this:
[root@el6 ~]# iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
[root@el6 ~]# iptables-save > /etc/sysconfig/iptables
On EL 7, please do this:
[root@el7 ~]# firewall-cmd --zone=public --add-port=80/tcp
success
[root@el7 ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
After saving the setting, reboot the server to verify the result.
[root@el7 ~]# init 6
More on EL 7.
The following two commands on EL 7 have the same effect, but leave different records in the zone configuration file.
[root@el7 ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@el7 ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
[root@el7 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
...
<service name="http"/>
...
<port protocol="tcp" port="80"/>
...
</zone>
In my opinion, I'd rather use --add-service than --add-port to get more flexibility.
The following two commands on EL 7 have the same effect at runtime.
[root@el7 ~]# firewall-cmd --zone=public --add-port=80/tcp
success
[root@el7 ~]# iptables -A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
[root@el7 ~]# iptables -L IN_public_allow -n
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
...
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
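The runtime-versus-permanent gap described in the sections above is easy to audit from the two artefacts the post shows: the zone file and the IN_public_allow chain listing. The following Python is an added example, not code from the original post; it parses a constructed public.xml and a constructed `iptables -L IN_public_allow -n` listing and reports ports that are allowed at runtime but would vanish on reboot. The service-to-port table (SERVICE_PORTS) is an assumption for the example; a real check would read the service definitions under /usr/lib/firewalld/services/.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of /etc/firewalld/zones/public.xml (permanent state).
ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="http"/>
  <port protocol="tcp" port="80"/>
</zone>
"""

# Constructed sample of `iptables -L IN_public_allow -n` (runtime state).
IPTABLES_OUT = """Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 ctstate NEW
"""

# Assumed mapping from firewalld service names to (port, protocol) pairs.
SERVICE_PORTS = {"ssh": {("22", "tcp")}, "http": {("80", "tcp")}, "https": {("443", "tcp")}}

# Matches one ACCEPT rule of the chain; port ranges (dpts:) are not handled here.
RULE_RE = re.compile(r"^ACCEPT\s+(tcp|udp)\s+.*\bdpt:(\d+)\b")


def permanent_ports(zone_xml):
    """Set of (port, proto) allowed by the permanent zone file (ports + services)."""
    root = ET.fromstring(zone_xml)
    allowed = {(p.get("port"), p.get("protocol")) for p in root.findall("port")}
    for s in root.findall("service"):
        allowed |= SERVICE_PORTS.get(s.get("name"), set())
    return allowed


def runtime_ports(iptables_out):
    """Set of (port, proto) ACCEPTed in the IN_public_allow chain right now."""
    return {(m.group(2), m.group(1))
            for m in map(RULE_RE.match, iptables_out.splitlines()) if m}


def unpersisted_ports(zone_xml, iptables_out):
    """Ports open at runtime that are missing from the permanent configuration."""
    return sorted(runtime_ports(iptables_out) - permanent_ports(zone_xml))


if __name__ == "__main__":
    for port, proto in unpersisted_ports(ZONE_XML, IPTABLES_OUT):
        print(f"runtime-only: {port}/{proto}; persist with --permanent or --runtime-to-permanent")
```

Note that a rule inserted directly with iptables, as in the second command above, is not recorded by firewalld at all, so it is also dropped on `firewall-cmd --reload`, not only on reboot.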
From outside the server, you may use telnet to check whether the port is open or closed.
For more information about using firewall-cmd, refer to this documentation: FirewallD: Working with firewalld, or to the Red Hat official documentation: 4.5. USING FIREWALLS.