How to allow or block the port and IP Address using Firewalld, IP tables, and UFW in Linux?

On Linux, the firewall is essential to control the incoming and outgoing network traffic. It is very easy to allow or block IP addresses and ports using the firewall. Here are the commands to allow or block IP addresses and ports using various firewalls.

Firewalld

Firewalld is a firewall management tool for Linux. Its configuration is stored in XML files, and the firewall-cmd command-line interface is used to configure and manipulate firewall rules. Rules added without --permanent are runtime-only and disappear on reload or reboot; rules added with --permanent take effect only after firewall-cmd --reload.

  1. Allow incoming traffic port 80. The below command will allow traffic for port 80.

    # sudo firewall-cmd --zone=public --add-port=80/tcp
  2. Allow incoming port 80 in the permanent configuration. Unlike step 1, this rule survives a reload or reboot; run firewall-cmd --reload to make it active now.

    # sudo firewall-cmd --zone=public --permanent --add-port=80/tcp
  3. Deny outgoing port 25. The rules below block all outbound connections to destination port 25 (the --dport match), except connections to the local host, which the first rule accepts. Both are direct rules in the permanent configuration and take effect after the reload.

    # firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp -d 127.0.0.1 --dport=25 -j ACCEPT
    # firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport=25 -j REJECT
    # firewall-cmd --reload
  4. Deny incoming port 80. The below command removes the permanent allow rule for port 80 from the default zone, so traffic to port 80 falls back to the zone's default behaviour (rejected in the public zone). Run firewall-cmd --reload to apply it; a runtime-only rule added as in step 1 is removed with the same command without --permanent.

    # sudo firewall-cmd --remove-port=80/tcp --permanent
  5. Run the below command to block an IP address in Firewalld. Replace 173.248.192.11 with the IP address you want to block, then run firewall-cmd --reload, since the rich rule is added to the permanent configuration only.

    # sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='173.248.192.11' reject"
  6. Open a port for a specific IP address in Firewalld. The commands below assume a dedicated zone named mariadb-access already exists (create it with firewall-cmd --permanent --new-zone=mariadb-access). Add the source IP address and the port (3306) you want to open on your local Linux server, then reload firewalld to apply the changes. Only traffic from that source is placed in the zone, so port 3306 stays closed to every other client.

    # firewall-cmd --zone=mariadb-access --add-source=173.248.192.11 --permanent
    # firewall-cmd --zone=mariadb-access --add-port=3306/tcp --permanent
    # firewall-cmd --reload

Iptables

iptables uses a set of tables, each containing chains of built-in or user-defined rules. Using these rules, we can filter network traffic on Linux machines. Rules in a chain are evaluated in order and the first match decides, so the position of a rule matters: -A appends a rule at the end of the chain, -I inserts it at the top.

  1. Run the below command to allow all incoming HTTP (port 80) connections.

    # sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    The second command allows the outgoing traffic of established HTTP connections, required if the outbound policy is not set to ACCEPT.

  2. Run the below command to allow multiple incoming ports. The below command will accept incoming TCP traffic to ports 22, 53 and 80.

    # /sbin/iptables -A INPUT -p tcp --match multiport --dports 22,53,80 -j ACCEPT
  3. Deny incoming port 80 using iptables. The below command will drop all incoming connections to port 80 and save the rule set. If an ACCEPT rule for port 80 was appended earlier (as in step 1), that rule matches first and the appended DROP has no effect; in that case insert the rule at the top with -I INPUT instead of -A INPUT, or delete the earlier ACCEPT rule.

    # /sbin/iptables -A INPUT -p tcp --dport 80 -j DROP
    # /sbin/service iptables save
  4. Block an IP address in iptables. Replace 173.248.192.11 with the IP address you want to block. As in step 3, the rule must come before any ACCEPT rule that would match the same traffic, so prefer -I INPUT when allow rules are already present.

    # sudo iptables -A INPUT -s 173.248.192.11 -j DROP
  5. Open a port for a specific IP address in iptables. The rules below allow incoming SSH only from the given IP address (or subnet, if you give one in CIDR notation).

    # sudo iptables -A INPUT -p tcp -s 173.248.192.11 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
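The ordering problem noted in step 3 is easy to miss on a host that already has rules. The script below is an added example, not part of the original article: it reads the `iptables -S INPUT` listing (a constructed sample here) and reports which rule actually decides traffic to a port, so you can confirm a DROP is not shadowed by an earlier ACCEPT.

```sh
#!/bin/sh
# Added example (not from the original article): find which INPUT rule
# actually decides traffic to a port, given `iptables -S INPUT` output.
# Constructed sample: the step-1 ACCEPT for port 80 was appended before the
# step-3 DROP, so the DROP is shadowed and never matched.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,53,443 -j ACCEPT
-A INPUT -s 173.248.192.11/32 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP'

# Same rules after `iptables -I INPUT -p tcp --dport 80 -j DROP`: the DROP
# is inserted at the top and is now the first match for port 80.
FIXED_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,53,443 -j ACCEPT
-A INPUT -s 173.248.192.11/32 -j DROP'

# effective_verdict PORT [RULES]: print the target (ACCEPT/DROP/REJECT) of the
# first rule whose --dport or --dports list contains PORT, or the chain policy
# when no port rule matches. RULES defaults to stdin, so on a live host run:
#   iptables -S INPUT | effective_verdict 80
# Rules without a port match (e.g. a source-only DROP) are skipped because
# they apply to one client, not to the port in general.
effective_verdict() {
  port=$1
  rules=${2:-$(cat)}
  printf '%s\n' "$rules" | awk -v port="$port" '
    $1 == "-P" { policy = $3; next }
    $1 != "-A" { next }
    {
      target = ""; hit = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "-j") target = $(i + 1)
        if ($i == "--dport" && $(i + 1) == port) hit = 1
        if ($i == "--dports") {
          n = split($(i + 1), ps, ",")
          for (k = 1; k <= n; k++) if (ps[k] == port) hit = 1
        }
      }
      if (hit && target != "") { print target; found = 1; exit }
    }
    END { if (!found) print policy }'
}

echo "port 80 with appended DROP: $(effective_verdict 80 "$SAMPLE_RULES")"  # ACCEPT
echo "port 80 with inserted DROP: $(effective_verdict 80 "$FIXED_RULES")"   # DROP
```

A result of ACCEPT for a port you intended to block means the DROP is shadowed; re-add it with -I INPUT or remove the earlier ACCEPT rule.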

UFW - Uncomplicated Firewall

UFW stands for Uncomplicated Firewall. It is a front end for iptables suited to host-based firewalls, and it supports both IPv4 and IPv6. Like iptables, UFW evaluates its rules in order and the first match wins.

  1. Allow incoming port 80. The below command will allow all incoming traffic to port 80 (both TCP and UDP, since no protocol is given).

    # sudo ufw allow 80
  2. Allow multiple incoming ports. The below command will allow incoming TCP traffic to ports 53, 80, and 443. UFW requires the protocol to be given when several ports are listed in one rule.

    # sudo ufw allow 53,80,443/tcp
  3. Deny incoming port 80. The below command will deny all incoming traffic to port 80. If port 80 was allowed earlier (step 1), that rule still matches first; remove it with ufw delete allow 80, or place the deny rule at the top with ufw insert 1 deny 80.

    # sudo ufw deny 80
  4. Deny outgoing port 25. The below command will deny all outgoing traffic to port 25.

    # sudo ufw deny out 25
  5. Block an IP address in UFW. You can block all incoming traffic from an IP address on your machine. Because rules are matched in order, put the deny rule before any broad allow rules, for example with ufw insert 1 deny from 173.248.192.11.

    # sudo ufw deny from 173.248.192.11
  6. Open a port for a specific IP address in UFW. The below command will open port 80 only for the mentioned IP address; replace it with the address you want to allow.

    # sudo ufw allow from 173.248.192.11 to any port 80
