General Information
firewall-cmd is the command line client for the firewalld daemon. It is the default firewall front end on Enterprise Linux 7.x, and it is zone based: rules are attached to zones, and interfaces and source networks are assigned to zones.
Checklist
Install and start the firewall packages (included by default in a base install, but not in a minimal install)
yum install firewalld firewall-config
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --state
systemctl status firewalld
systemctl is-active firewalld
systemctl is-enabled firewalld
View zone names
firewall-cmd --get-zones
View default zone
firewall-cmd --get-default-zone
View only active zones and what interfaces are assigned to them
firewall-cmd --get-active-zones
Change default zone that is used when no zone is specified
firewall-cmd --set-default-zone=home
An interface can only be bound to one zone at a time.
List interfaces that are bound to the default zone
firewall-cmd --list-interfaces
Bind an interface to the specified zone
firewall-cmd --add-interface=eth0 --zone=home
Move an interface from its current zone to the specified zone
firewall-cmd --change-interface=eth0 --zone=home
List all rules of the default zone (since no zone is specified)
firewall-cmd --list-all
List rules, specify zone
firewall-cmd --zone=home --list-all
List the rules of all zones
firewall-cmd --list-all-zones
Allow source IP network for home zone (Runtime change only: takes effect immediately but is lost on reload or reboot)
firewall-cmd --zone=home --add-source=192.168.1.0/24
Allow source IP network for home zone (Permanent change: written to the zone file, so --reload is needed for it to take effect)
firewall-cmd --zone=home --permanent --add-source=192.168.1.0/24
firewall-cmd --reload
Allow port on default zone
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
List predefined services
firewall-cmd --get-services
Add HTTPS service to default zone
firewall-cmd --add-service=https --permanent
firewall-cmd --reload
Remove source IP network on "home" zone
firewall-cmd --zone=home --permanent --remove-source=192.168.1.0/24
firewall-cmd --reload
Remove port on default zone
firewall-cmd --permanent --remove-port=80/tcp
firewall-cmd --reload
Remove a service on default zone
firewall-cmd --permanent --remove-service=https
firewall-cmd --reload
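The runtime/permanent split in the commands above is the usual source of surprises: a rule added without --permanent works until the next --reload or reboot and then disappears, and a rule added only with --permanent is not live until --reload. The script below is an added example, not part of the original checklist, that compares a zone's runtime listing with its permanent listing and reports values present only at runtime. The two listings are constructed sample output in the shape of firewall-cmd --zone=home --list-all and firewall-cmd --zone=home --permanent --list-all; on a real host they would be captured from those two commands, as the comment shows. The function names (zone_field, runtime_only, drift_report) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original checklist): find zone settings that
# exist only at runtime and would be lost on "firewall-cmd --reload" or reboot.
#
# Constructed sample listings, in the shape printed by firewalld on EL7.
# On a real host replace them with:
#   SAMPLE_RUNTIME=$(firewall-cmd --zone=home --list-all)
#   SAMPLE_PERMANENT=$(firewall-cmd --zone=home --permanent --list-all)
SAMPLE_RUNTIME='home (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 192.168.1.0/24 10.0.0.0/8
  services: ssh mdns samba-client dhcpv6-client https
  ports: 80/tcp 8443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

SAMPLE_PERMANENT='home
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 192.168.1.0/24
  services: ssh mdns samba-client dhcpv6-client https
  ports: 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field LISTING FIELD: print the space-separated values of one field
# (e.g. "ports") from a --list-all listing; empty output if the field is empty.
zone_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { $1 = ""; sub(/^ +/, ""); print }'
}

# runtime_only RUNTIME PERMANENT FIELD: print the values of FIELD that are in
# the runtime listing but missing from the permanent one.
runtime_only() {
    rt_values=$(zone_field "$1" "$3")
    pm_values=$(zone_field "$2" "$3")
    missing=""
    for item in $rt_values; do
        case " $pm_values " in
            *" $item "*) ;;                  # persisted, nothing to report
            *) missing="$missing $item" ;;   # runtime only
        esac
    done
    printf '%s' "${missing# }"
}

# drift_report RUNTIME PERMANENT: one line per field that has unpersisted
# values; prints nothing when runtime and permanent configuration agree.
drift_report() {
    for field in interfaces sources services ports; do
        diff_items=$(runtime_only "$1" "$2" "$field")
        [ -n "$diff_items" ] && printf '%s (runtime only): %s\n' "$field" "$diff_items"
    done
    return 0
}

drift_report "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
```

With the sample listings the report shows the 10.0.0.0/8 source and the 8443/tcp port as runtime only; the fix for each is to repeat the add with --permanent and then --reload, exactly as in the checklist entries above. Running the comparison after any interactive change, or from cron, catches rules that were added in a hurry without --permanent before a reboot removes them.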
Launch GUI, firewall-config
firewall-config
You can still use iptables directly, but firewall-cmd is the recommended tool. Running iptables instead of firewalld requires disabling firewalld, installing iptables-services, and then enabling the iptables service; the two must not manage the rules at the same time.