How to Open Port for a Specific IP Address in Firewalld?


In today's interconnected world, network security is of utmost importance. One essential aspect of securing your network is managing the access to specific ports on your system. Firewalld, a dynamic firewall management tool, provides a flexible and user-friendly approach to firewall configuration in CentOS.

This guide will focus on a common scenario: opening a port for a specific IP address in Firewalld. By allowing access only to specific IP addresses, you can enhance the security of your system and restrict unauthorized access.

In this article, we will explore the step-by-step process of opening a port for a specific IP address in Firewalld. We will cover the basics of Firewalld zones and services, identify the specific IP address, and provide detailed instructions on how to open the desired port.

Understanding Firewalld Zones and Services

When it comes to managing network security using Firewalld, it's essential to grasp the concepts of zones and services. These components play a vital role in defining the behavior of your firewall and ensuring the appropriate level of protection.

  • Firewalld Zones  Firewalld categorizes network interfaces and connections into different zones, each serving a specific purpose. These predefined zones, including public, internal, and trusted, determine the level of trust associated with a particular network segment. By assigning interfaces to the appropriate zones, you can control access and set different rules for each zone.

  • Firewalld Services  Services in Firewalld represent specific applications or protocols associated with a port or a range of ports. They define the allowed network traffic and can be assigned to specific zones. By utilizing services, you can easily manage and apply consistent rules for common services across your firewall configuration.

Understanding the interplay between zones and services empowers you to create a tailored network security strategy using Firewalld. With this knowledge in hand, let's move forward to the next step: identifying the specific IP address for port opening.

Identifying the Specific IP Address

Before opening a port for a specific IP address in Firewalld, you need to identify the IP address you want to grant access to: the address of the remote client as your system sees it, which is what the firewall rule will match. Follow these steps to obtain the IP address:

  • Check Network Configuration

$ ip addr show

This lists your system's own interfaces and addresses. Note the name of the interface on which the client's traffic arrives; you will need it for the capture in the next step and for choosing the zone later.

  • Review Network Traffic 

$ sudo tcpdump -ni <interface> host <desired_ip>

Replace <interface> with the network interface name from the previous step, and <desired_ip> with the address you expect the client to use. The -n flag prints addresses numerically instead of resolving them to names. Confirm that packets from the client actually arrive with that source address: a client behind NAT shows up with the public address of its NAT gateway, and that is the address the firewall rule must match.

  • Inspect Logs or System Information 

$ sudo grep '<desired_ip>' /var/log/messages

Search the system logs for entries related to the desired IP address (CentOS writes general messages to /var/log/messages and sshd logins to /var/log/secure; Debian-based systems use /var/log/syslog instead). Alternatively, check relevant configuration files that may contain information about the IP addresses accessing your system.

By following these steps, you will be able to identify the specific IP address you want to open a port for in Firewalld. Once you have obtained the IP address, you can proceed to the next section, which covers the steps to open the port.
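Rather than guessing which address a client uses, it is more reliable to count the peer addresses recorded in the daemon's log and to separate successful logins from failed ones. The following POSIX shell functions are an added example and not part of the article; the log excerpt is constructed in sshd's format using documentation addresses, and the file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: list the remote IPv4
# addresses that appear in sshd log lines and how often each one occurs,
# optionally restricted to lines matching a pattern such as "Accepted".
# SAMPLE_LOG is a constructed excerpt in sshd's log format.
SAMPLE_LOG='Aug  9 10:01:12 host sshd[1201]: Accepted publickey for deploy from 203.0.113.10 port 51422 ssh2
Aug  9 10:01:40 host sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Aug  9 10:02:03 host sshd[1215]: Accepted publickey for deploy from 203.0.113.10 port 51430 ssh2
Aug  9 10:02:30 host sshd[1220]: Failed password for root from 198.51.100.7 port 40120 ssh2
Aug  9 10:03:05 host sshd[1226]: Accepted publickey for deploy from 203.0.113.10 port 51441 ssh2'

# Read log lines on stdin; keep lines matching "$1" (default: all lines);
# print "count address" for every " from A.B.C.D " seen, most frequent first.
count_remote_ips() {
    grep -E -e "${1:-.}" \
      | grep -oE ' from ([0-9]{1,3}\.){3}[0-9]{1,3} ' \
      | awk '{ print $2 }' | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# ip_count ADDRESS LOGTEXT [PATTERN]: how many matching lines name ADDRESS
# as the remote peer; prints 0 when it never appears.
ip_count() {
    printf '%s\n' "$2" | count_remote_ips "${3:-.}" \
      | awk -v ip="$1" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# Real use on CentOS, where sshd logs to /var/log/secure
# (seen-ips.sh is a hypothetical file name for this script):
#   sudo sh -c '. ./seen-ips.sh; count_remote_ips Accepted < /var/log/secure'
```

In the sample, the address that completed key-based logins is the one to allow; the address that only produced failed password attempts is not a client you want a rule for, which is exactly the distinction a pattern argument such as `Accepted` makes visible.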

Opening a Port for a Specific IP Address in Firewalld

Now that you have identified the specific IP address you want to grant access to, you can proceed with opening a port for that IP address in Firewalld. Follow these steps to accomplish this:

  • Verify Firewalld Status  Check if Firewalld is running on your system by executing the following command:

$ sudo systemctl status firewalld

Ensure that the service is active and running.

  • Find the Zone  Determine the Firewalld zone associated with the network interface to which the port belongs. Run the following command to list the available zones:

$ sudo firewall-cmd --get-zones

Identify the appropriate zone for your network interface (firewall-cmd --get-active-zones shows each active zone together with the interfaces assigned to it).

  • Add a New Rule  Use the --zone option along with the zone name to add a rich rule that accepts traffic from the specific IP address to the port. Execute the following command:

$ sudo firewall-cmd --zone=<zone_name> --add-rich-rule='rule family="ipv4" source address="<specific_ip>/32" port port="<port_number>" protocol="tcp" accept' --permanent

Replace <zone_name> with the appropriate zone name obtained in the previous step, <specific_ip> with the identified IP address, and <port_number> with the desired port number. Keep a copy of the rule text exactly as entered, because removing the rule later requires the same text.

  • Specify the Port  The port and protocol are part of the rich rule itself (port port="<port_number>" protocol="tcp"), and that is what ties the port to the source address. Do not open the port separately with --add-port in the same zone: --add-port opens the port for every source in that zone, while --add-source only assigns an address to the zone, so that combination leaves the port reachable from any client in the zone rather than from <specific_ip> alone.

  • Reload Firewalld  Apply the changes by reloading Firewalld (rules added with --permanent only take effect after a reload):

$ sudo firewall-cmd --reload

  • Verify the Rule  To ensure that the port is now open for the specific IP address, run the following command:

$ sudo firewall-cmd --zone=<zone_name> --list-all

Verify that the IP address and port are listed in the output.

At this point, the port is open for the specific IP address in Firewalld, so that address can reach the designated port on your system.

In the next section, we will explore how to remove the rule and close the port if needed.

Removing the Rule and Closing the Port

If you need to revoke access for the specific IP address or close the port in Firewalld, you can easily remove the rule. Follow these steps to accomplish this:

  • Identify the Rule  Before removing the rule, you need the exact text of the rich rule associated with the specific IP address and port; firewalld matches rich rules by their text, not by a rule number. Execute the following command to list the rules:

$ sudo firewall-cmd --zone=<zone_name> --list-all

Locate the rule under "rich rules:" that includes the specific IP address and port you want to remove, and copy its text exactly as shown.

  • Remove the Rule  Use the --remove-rich-rule option with that rule text to remove the rule:

$ sudo firewall-cmd --zone=<zone_name> --remove-rich-rule='rule family="ipv4" source address="<specific_ip>/32" port port="<port_number>" protocol="tcp" accept' --permanent

Replace <zone_name> with the appropriate zone name, <specific_ip> with the IP address, and <port_number> with the port number, so that the text matches the rule you noted in the previous step. If the text differs from the stored rule, firewall-cmd warns that the rule is not enabled and nothing is removed.

  • Reload Firewalld  Apply the changes by reloading Firewalld:

$ sudo firewall-cmd --reload

Once you have completed these steps, the rule allowing access for the specific IP address to the designated port will be removed, effectively closing the port.
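Because adding, verifying and removing a rich rule all depend on byte-identical rule text, it is safer to generate the text from one function and reuse it for every step in the opening and removal sections above. The following POSIX shell script is an added example, not code from the article or from the firewalld project. The zone name, the client address 203.0.113.10 and port 8443 are constructed sample values, and the --list-all excerpt is constructed to mimic the real output layout; firewall-cmd is only invoked when it is installed and the script runs as root, otherwise each command is printed instead.

```shell
#!/bin/sh
# Added example, not from the original article: build, apply, verify and
# remove the firewalld rich rule that allows one client IPv4 address to reach
# one TCP port. ZONE, CLIENT_IP and PORT are constructed sample values.
ZONE="public"
CLIENT_IP="203.0.113.10"
PORT="8443"

# Return 0 only for a dotted-quad IPv4 address whose octets are all 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 only for a TCP port number in 1..65535.
valid_port() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the exact rich-rule text for client "$1" and port "$2". Add, query
# and remove all call this one function so the text can never drift, and the
# inputs are validated first so nothing but an address and a port can end up
# inside the quoted rule.
build_rich_rule() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
    valid_port "$2" || { echo "invalid port: $2" >&2; return 1; }
    printf 'rule family="ipv4" source address="%s/32" port port="%s" protocol="tcp" accept\n' "$1" "$2"
}

# Return 0 if rule text "$2" is present in a captured "firewall-cmd --list-all"
# output "$1". Rich rules are listed one per line under "rich rules:" with
# leading indentation, which is stripped before the exact-line comparison.
rule_listed() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//' | grep -Fxq -e "$2"
}

# Execute a firewall-cmd invocation only when the tool exists and we are root;
# otherwise show what would run, so the script can be dry-run anywhere.
run() {
    if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        "$@"
    else
        echo "would run: $*"
    fi
}

# Add the rule permanently, reload so it takes effect, then confirm it with
# --query-rich-rule (exit status 0 means the rule is present).
open_port_for_ip() {
    rule=$(build_rich_rule "$1" "$2") || return 1
    run firewall-cmd --zone="$ZONE" --permanent --add-rich-rule="$rule"
    run firewall-cmd --reload
    run firewall-cmd --zone="$ZONE" --query-rich-rule="$rule"
}

# Remove the identical rule text and reload. A mismatched text would leave
# the rule in place, with firewall-cmd only warning that it is not enabled.
close_port_for_ip() {
    rule=$(build_rich_rule "$1" "$2") || return 1
    run firewall-cmd --zone="$ZONE" --permanent --remove-rich-rule="$rule"
    run firewall-cmd --reload
}

# Constructed sample of "firewall-cmd --zone=public --list-all" output in the
# real layout (the real output indents the rich rule with a tab).
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="203.0.113.10/32" port port="8443" protocol="tcp" accept'

# Usage (fw-rich-rule.sh is a hypothetical file name): sh fw-rich-rule.sh open | close
case "${1:-}" in
    open)  open_port_for_ip "$CLIENT_IP" "$PORT" ;;
    close) close_port_for_ip "$CLIENT_IP" "$PORT" ;;
esac
```

Note that in the sample listing the zone still carries interface eth0 and the ssh service: the rich rule narrows only port 8443 to the one client, while the zone's other services remain open to everyone on that interface, which is the behaviour you want from a per-client port rule.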

Conclusion

Managing network security is crucial for any system, and Firewalld provides a robust solution for controlling incoming connections. In this blog post, we discussed how to open a specific port for a particular IP address in Firewalld. We covered the necessary steps, including identifying the zone, adding a rich rule, and verifying the configuration. By following these guidelines, you can ensure that only authorized IP addresses have access to specific ports, enhancing the security of your system.

Updated on: 09-Aug-2023
