How to Open / Close Ports in your Firewall on Linux (iptables, firewalld, ufw)

The article below will cover how to open or close ports in Linux and will show the steps on how to do so in the 3 most common types, iptables, firewalld and ufw.

IPTables :

Opening ports in IPTables is a bit harder than Firewalld or UFW, but it is simple once you get the hang of it. Whenever you make any changes within IPTables, you'll want to save the changes and reload the firewall, or the changes will be lost next time the firewall is reloaded or restarted.

You can open ports based on services via the following command;
iptables -A INPUT -i ssh -j ACCEPT

This will open port 22 for SSH connections. Once you run the command, you'll want to save the changes via;
service iptables save

and then reload the service via;
service iptables reload

You can also open ports directly. For example, if we wanted to open port 80 for HTTP traffic we would run;
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

You can also limit the open ports based on IPs. This is useful for opening a port for SSH, but limiting the connection to your IP to prevent others from trying to login to the server. You can do this via;
iptables -A INPUT -p tcp -s YouIPAddress -m tcp --dport 22 -j ACCEPT

You would, of course, want to replace YourIPAddress with your local IP Address that you're connecting from.

You can also open all outbound ports via;

Or open outbound ports one at a time via;
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT

Firewalld :

Opening ports via Firewalld is pretty straight forward, but it can be confusing at first. Most notably, you can open ports temporarily or permanently, and Firewalld must be reloaded after you've made any permanent modifications. By default, added rules will only modify the current firewall session. To make your rules permanent, you will need to add a --permanent flag to the end of the command.

For example, you can open the conventional HTTP ports via the following;
sudo firewall-cmd --zone=public --add-service=http

Once the firewall is restarted, those changes would be removed, unless you make them permanent. To do so, we would run the following instead;
sudo firewall-cmd --zone=public --add-service=http --permanent

Once the rule is added with the permanent flag, you'll want to restart the Firewall for the rule to take effect. You can do this by running the following;
sudo systemctl restart firewalld.service

You can also find a list of the other available services by running the following;
sudo firewall-cmd --get-services

You can find a list of services that you currently have allowed via;
sudo firewall-cmd --list-services

You can also show only the permanently allowed services via;
sudo firewall-cmd --zone=public --permanent --list-services

Opening and closing ports or port ranges can be done by switching out the --add-service= flag for the --add-port= flag. For example, if you wanted to open port 80 for HTTP traffic, you would do so via;
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent

You can then confirm the change by running;
sudo firewall-cmd --zone=public --permanent --list-ports

To whitelist IPs on Firewall-CMD, we'll want to use the --add-source flag. We can whitelist IPs or IP Subnets via the following;
firewall-cmd --permanent --zone=public --add-source=
firewall-cmd --permanent --zone=public --add-source=

We can also view all of the whitelisted IPs in our zone via;
firewall-cmd --permanent --zone=public --list-sources


When configuring UFW, you'll likely want to set some default rules, to Deny all incoming connections and to Allow all outgoing connections. Denying all incoming connections will prevent external connections from reaching your server. Allowing all outgoing connections will allow your server to reach external servers. Once the defaults are set, we can then customize the firewall and allow connections on certain ports to allow traffic to reach certain services, such as Apache or SSH.

To Deny incoming connections, you'll want to run the following command;
sudo ufw default deny incoming

To allow outgoing connections, run;
sudo ufw default allow outgoing

If you'd prefer to block all outgoing connections as well, you can do so, but you will have to setup rules for outgoing connections as well. To deny all outgoing connections, run;
sudo ufw default deny outgoing

You can open ports by specifying the port, a port range, or a service name. For example, you can open your SSH port by running the following command;
sudo ufw allow ssh

This would be the same as running;
sudo ufw allow 22/tcp

You can also use this command to open custom ports, such as a custom SSH Port by running;
sudo ufw allow 2222/tcp

This also works for other common services, such as FTP and Apache. To open ports for FTP, you'd want to run either;
sudo ufw allow ftp
sudo ufw allow 21/tcp

And for Apache you'd run;
sudo ufw allow www
sudo ufw allow 80/tcp

You can also open ports for UDP via the same method, but changing /tcp to /udp. So if we wanted to open port 5000 for UDP, we would use the following;
sudo ufw allow 5000/udp

You can also open port ranges quite easily. To open a port range for ports 5000-6000, you would want to run the following command;
sudo ufw allow 5000:6000/tcp

You can also Deny connections from Ports or Port Ranges by changing allow to deny, such as;
sudo ufw deny 5000/tcp

Lastly, you can Allow and Deny connections based on IPs via the following command;
sudo ufw allow from
sudo ufw deny from

Deleting rules can be a bit trickier. You have two methods for removing rules, with one being simpler, and the other being a bit more customizable. The first method would be as follows;
sudo ufw delete allow www

This would delete the Allow rule that we created for WWW, thus closing port 80. This can also be typed out as;
sudo ufw delete allow 80/tcp

The second method is a bit harder, but it allows you to see exactly which rules you have created, and you can delete those rules by number, rather than by retyping them. You would first want to run;
sudo ufw status numbered

This will make UFW list all of your rules in a numbered fashion. You can then use the command;
sudo ufw delete ###

where ### is the line number that you obtained from the previous command, to remove the rule on the line number provided.

If you ever need to Reset UFW, removing all of your rules, you can do so via the following command;
sudo ufw reset

Posted in
Last update:
2016-07-20 13:07
Average rating:0 (0 Votes)