How to Allow or Block the Port and IP Address using Firewalld, IP Tables, and UFW in Linux?

The firewall plays a crucial role in managing incoming and outgoing network traffic on Linux systems. To control access and secure your system, you can employ different methods and commands to allow or block specific IP addresses and ports using various firewalls. Here is a compilation of these methods:

Firewalld

Firewalld is a firewall management tool in Linux OS that is configured with XML files. We can use the command-line interface of firewall-cmd to configure and manipulate firewall rules.

1. Allow incoming traffic to port 80 by using the command below –

# sudo firewall-cmd --zone=public --add-port=80/tcp

2. Allow incoming port 80 in the permanent firewall.

# sudo firewall-cmd --zone=public --permanent --add-port=80/tcp

3. Deny outgoing port number 25.
    The below-given command will block all the outbound connections from port 25.

# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp -d 127.0.0.1 --dport=25 -j ACCEPT

# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport=25 -j REJECT

# firewall-cmd --reload

4. Deny incoming port number 80.
    The command below will deny all the traffic for port 80.

# sudo firewall-cmd --remove-port=80/tcp --permanent

5. Run the below-execute command to block an IP Address in Firewalld.
    Replace 192.168.2.152 with your IP Address.

# sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.2.152' reject"

6. Open the port for the specific IP Address in Firewalld and add the source IP Address and the port (3306) you want to open on your Linux local server. After that, reload the Firewalld settings to apply the changes. 

# firewall-cmd --zone=mariadb-access --add-source=192.168.2.152 --permanent

# firewall-cmd --zone=mariadb-access --add-port=3306/tcp  --permanent

# firewall-cmd --reload


IPtables

IPtables use a set of tables with chains containing a set of built-in or user-defined rules. Using these rules, we can filter the network traffic on Linux machines.

1. Run the below-given command to allow all incoming HTTP (port 80) connections. 

# sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command allows the outgoing traffic of established HTTP connections; it is required if the outbound policy is not set to ACCEPT.

2. Run the command given below to allow multiple incoming ports.
    The command given below will accept traffic from ports 22, 53, and 80.

# /sbin/iptables -A INPUT -p tcp --match multiport --dports 22,53,80 -j ACCEPT

3. Deny incoming port 80 using IPtables.
    The below command will deny all the incoming connections for port 80.

# /sbin/iptables -A OUTPUT -p tcp --dport 80 -j DROP

# /sbin/service iptables save

4. Block an IP Address in IPtables.
    Replace 192.168.2.152 with your IP Address. 

# sudo iptables -A INPUT -s 192.168.2.152 -j DROP

5. Open port for specific IP Address in IPtables.
    Allow Incoming SSH from a specific IP Address or subnet.

# sudo iptables -A INPUT -p tcp -s 192.168.2.152 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

 

UFW – Uncomplicated Firewall

An uncomplicated Firewall (UFW) is suitable for host-based firewalls; it supports IPv4 and IPv6.

1. Allow incoming port 80.
The below-given command will allow all the traffic from port 80. 

# sudo ufw allow 80

2. Allow multiple incoming ports.
    The below command will allow the incoming traffic from ports 53, 80, and 443.

# sudo ufw allow 53,80,443

3. Deny incoming port 80.
    The below-given command will deny all the incoming traffic for port 80.

# sudo ufw deny 22

4. Deny outgoing port 25.
    The command below will deny all the outgoing traffic from port 25.

# sudo ufw deny out 25

5. Block an IP Address in UFW.
    You can block any IP Address for incoming traffic on your machine.

# sudo ufw deny from 192.168.2.152

6. Open port for specific IP Address in UFW.
The below-given command will open port 80 for the mentioned IP address. But, of course, you can also replace it with your IP Address.

# sudo ufw allow from 192.168.2.152 to any port 80

That's all.



Was this answer helpful?

« Back

chat

/* */