PDF download Download Article PDF download Download Article

Do you need to allow inbound or outbound connections to your Linux system? If you're using firewall software like Iptables, Uncomplicated Firewall (UFW), or Firewalld, you can easily open ports from the command line. For products like ConfigServer Firewall (CSF) and Advanced Policy Firewall (ADP), adding firewall rules to open ports is as simple as editing your firewall configuration file. This wikiHow article will walk you through opening and closing ports on 5 of the most common firewalls for Ubuntu, Debian, CentOS, Red Hat, Fedora, and other Linux distributions.

Things You Should Know

  • You can easily open TCP and UDP ports in any Linux-based firewall product.
  • Iptables is preinstalled on most Linux distributions and is very easy to configure.
  • If you're using Firewalld, adding the --permanent flag to firewall-cmd commands ensures your changes won't be undone when you stop and restart the firewall.
Method 1
Method 1 of 5:

Iptables

PDF download Download Article
  1. Most Linux distributions, including Ubuntu, Debian, CentOS , Fedora, and Red Hat, come with IPtables already installed. You can open ports in Iptables using simple commands.
  2. If the firewall isn't running, start it using service iptables start . [1]
    Advertisement
  3. The rules are broken into chains:
    • The INPUT chain for inbound connections to the host system.
    • The FORWARD chain is used for routing.
    • The OUTPUT chain is used for outbound data leaving the host system.
    • Each chain has a policy that determines what happens to packets. When you open a port, you'll need to specify the chain. For example, to open incoming SSH connections, you'd use the INPUT chain.
  4. In this example, we're opening incoming connections to port 22, but you can replace 22 with the port you want to open.
    • If you're opening an outbound port, replace INPUT with OUTPUT .
    • If opening a UDP port, replace tcp with udp .
    • To only open the port to a particular IP address or subnet, use sudo iptables -I INPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -j ACCEPT
  5. If that doesn't work, try one of these commands:
    • sudo /sbin/iptables-save for Ubuntu and Debian.
    • /sbin/service iptables save for CentOS, Red Hat, and Fedora.
    • To close a port, use iptables -I INPUT -p tcp –-dport 22 -j REJECT . Replace "22" with the port you want to close—and definitely don't close port 22 if you're currently SSH'd into the server!
  6. Advertisement
Method 2
Method 2 of 5:

Uncomplicated Firewall

PDF download Download Article
  1. UFW is preinstalled on all Ubuntu systems. If you're logged in to the GUI interface, open a terminal window . [2]
  2. If UFW is already running, you'll see a status message, as well as a list of any firewall rules (including opened ports) that already exist. [3]
    • If you see a message that says Status: inactive , you'll need to enable the firewall:
    • Type sudo ufw enable and press Enter to start the firewall. [4]
    • To turn on firewall logging, use sudo ufw logging on .
  3. For example, if you want to open the SSH port (22), you'd type kbd and press Enter to open the port. There's no need to restart the firewall, as the change will take effect immediately. [5]
    • If the port you're opening is for a service listed in /etc/services , you can just type the service's name instead of the port number. Example: sudo ufw allow ssh .
    • To open a specific range of ports, use the syntax sudo ufw allow 6000:6007/tcp , replacing 6000:6007 with the actual range. If the range is UDP ports, replace tcp with udp .
    • To specify an IP address that can access the port, use this syntax: sudo ufw allow from 10.0.0.1 to any port 22 . Replace 10.0.0.1 with the IP address, and 22 with the port you want to open to that address.
    • To close a port, use sudo ufw deny 22 , replacing 22 with the port you want to close.
  4. Any ports that aren’t specifically opened are blocked by default. If you open a port and decide you want to close it, use these steps: [6]
    • Type sudo ufw status numbered and press Enter . This displays a list of all firewall rules, each beginning with a number to represent it in the list.
    • Identify the number at the beginning of rule you want to delete. For example, let's say you want to remove the rule that opens port 22 (don't do this if you're currently using SSH to access the server), and that rule is listed on line 2.
    • Type sudo ufw delete 2 and press Enter to remove the rule at line 2.
  5. Advertisement
Method 3
Method 3 of 5:

Firewalld

PDF download Download Article
  1. If you're using Firewalld on your CentOS, Red Hat Enterprise, SUSE, or Fedora system, you can easily open ports from the command line. Firewalld is the default firewall solution for all of these distributions. [7]
  2. The PUBLIC zone is
    • Alternatively, you can view the entire firewalld configuration and view all allowed and denied ports and services by running sudo firewall-cmd --list-all . [8]
  3. In this example, we'll show you how to open the SSH port (22) to remote access:
    • firewall-cmd --zone=public --add-port=22/tcp instantly opens the port, but does not make the change permanent.
    • To make the change permanent, add the --permanent flag to the command: firewall-cmd --zone=public --permanent --add-port=22/tcp . [9]
    • To open a UDP port, replace tcp with udp .
    • To open the port by service name, use firewall-cmd --zone=public --permanent .
  4. If you only want to allow connections to or from one IP, you'll need to create a new firewall zone for that address.
    • To create a new zone, use firewall-cmd --new-zone=MYZONENAME --permanent .
    • Then, run firewall-cmd –reload to refresh your configuration.
    • Run firewall-cmd --get-zones to view your zones—you'll see your new zone now.
    • To link the IP address to the zone, use firewall-cmd --zone=MYZONENAME --add-source=10.0.0.1 --permanent . Replace the same IP address with the proper address.
    • Then, open the port to the zone by specifying the zone name instead of "public:" firewall-cmd --zone=MYZONENAME --permanent --add-port=22/tcp .
  5. If you need to close a port, you can do so using different flags with the firewall-cmd command. In this example, we'll close port 22 to the public permanently: firewall-cmd --zone=public --remove-port=22/tcp --permanent . [10]
  6. Advertisement
Method 4
Method 4 of 5:

ConfigServer Firewall

PDF download Download Article
  1. If you're not logged in as the root user, you can su to root to adjust your configuration, or preface commands with sudo .
  2. The file is called csf.conf , and it's saved to /etc/csf/csf.conf by default. [11] To do this, type cd /etc/csf and press Enter .
  3. You can use any text editor you wish, such as vim or nano.
    • To open csf.conf in vim, type vim csf.config and press Enter .
  4. TCP ports. Once you have the file open, you will see TCP_IN and TCP_OUT sections. The TCP_IN section lists open inbound TCP ports separated by commas. The ports are in numerical order to make things easy, but it's not required that the ports you stick to the order. You can add ports to the end of the sequence, just separate them with commas.
    • For example, let's say you want to open port 999, and the current open ports are 20, 21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995 .
    • After adding port 999 to the list, it will look like this: 20, 21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 999 .
    • To get into insertion/typing mode in vim, press the i key on the keyboard.
  5. Just as you did with the incoming port, add any outbound TCP ports you'd like to open to the TCP_OUT list.
  6. Follow these steps to save and exit the file:
    • Press the Esc key.
    • Type :wq! .
    • Press Enter .
  7. This restarts the firewall and opens the new ports.
    • To deny a port, re-open the file, delete the port, save the file, and then re-start the firewall.
  8. Advertisement
Method 5
Method 5 of 5:

Advanced Policy Firewall

PDF download Download Article
  1. If you're using APF on your Linux system, you'll make changes to your firewall configuration in the APF configuration file.
  2. The file you're looking for is called conf.apf , and it'll be in /etc/apf by default. [12] Type cd /etc/apf to enter that directory.
  3. You can use any text editor you wish, such as vim or nano.
    • To open conf.apf in vim, you'd type sudo vim /etc/apf/conf.apf and press Enter .
  4. Once you have the file open, you will see IG_TCP_CPORTS and EG_TCP_CPORTS sections. The IG_TCP_CPORTS section lists open inbound ports separated by commas. The ports are listed in numerical order to make things easy, but it's not required to stick with it. You can add ports to the end of the sequence, just separate them with commas.
    • For example, let's say you want to open port 999, and the current open ports are 20, 21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995 .
    • After adding port 999 to the IG_TCP_CPORTS list, it will look like this: 20, 21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 999 .
    • To get into insertion/typing mode in vim, press the i key on the keyboard.
  5. Just as you did with the incoming port, add any outbound TCP ports you'd like to open to the EG_TCP_CPORTS list.
  6. Follow these steps to save and exit the file:
    • Press the Esc key.
    • Type :wq! .
    • Press Enter .
  7. This restarts the APF firewall and opens the new ports.
    • To deny a port, re-open the file, delete the port, save the file, and then re-start the firewall.
  8. Advertisement

Expert Q&A

Ask a Question
      Advertisement

      Video

      Tips

      • If you see a port that you are not using or running services through, close it up! You don't want to leave an open door for intruders!
      • If you start adding random open ports like they are going out of style, YOU WILL GET HACKED! Only open ports when absolutely necessary.
      Submit a Tip
      All tip submissions are carefully reviewed before being published
      Name
      Please provide your name and last initial
      Thanks for submitting a tip for review!
      Advertisement

      About This Article

      Article Summary X

      1. Start UFW if it's not already running.
      2. Use "sudo ufw allow [port number]" to open a port.
      3. Use "sudo ufw allow 6000:6007/tcp" to open a range.
      4. Use "sudo ufw status numbered" to view the rules.

      Did this summary help you?
      Thanks to all authors for creating a page that has been read 2,044,352 times.

      Is this article up to date?

      Advertisement