🖧 How to open port for specific IP address in Firewalld

How do I allow traffic from a specific IP address on my private network, or allow traffic from a specific private network through firewalld to a specific port or service on a Red Hat Enterprise Linux (RHEL) or CentOS server?

In this short article, you will learn how to open a port for a specific IP address or network range on a RHEL or CentOS server running firewalld.

The most suitable way to solve this problem is to use the zone firewalld

So, you need to create a new zone where the new configurations will be stored (or you can use any of the available default safe zones).

Open port for specific IP address in Firewalld

First, create an appropriate zone name (in our case, we used mariadb-access to allow access to the MySQL database server).

# firewall-cmd --new-zone=mariadb_access --permanent

Then reload firewalld settings to apply the new change. If you skip this step, you may receive an error when you try to use the new zone name. This time, the new zone should appear in the zone list as shown in the following screenshot.

# firewall-cmd --reload
# firewall-cmd --get-zones

Then add the source IP (10.24.96.5/20) and port (3306) that you want to open on your local server as shown below. Then reload the firewalld settings to apply the new changes.

# firewall-cmd --zone=mariadb-access --add-source=10.24.96.5/20 --permanent
# firewall-cmd --zone=mariadb-access --add-port=3306/tcp  --permanent
# firewall-cmd --reload

Alternatively, you can allow traffic from the entire network (10.24.96.0/20) to a specific service or port.

# firewall-cmd --zone=mariadb-access --add-source=10.24.96.0/20 --permanent
# firewall-cmd --zone=mariadb-access --add-port=3306/tcp --permanent
# firewall-cmd --reload

To ensure that the new zone has the required settings as added above, check its details with the following command.

# firewall-cmd --zone=mariadb-access --list-all

How to remove port and zone from Firewalld

You can remove the original IP or network as shown below:

# firewall-cmd --zone=mariadb-access --remove-source=10.24.96.5/20 --permanent
# firewall-cmd --reload

To remove the port from the zone, run the following command and reload the firewalld settings:

# firewall-cmd --zone=mariadb-access --remove-port=3306/tcp --permanent
# firewall-cmd --reload

To remove a zone, run the following command and reload firewalld settings:

# firewall-cmd --permanent --delete-zone=mariadb_access
# firewall-cmd --reload

Last but not least, you can also use firewalld rich rules. Here’s an example:

# firewall-cmd --permanent –zone=mariadb-access --add-rich-rule="rule family="ipv4" source address="10.24.96.5/20" port protocol="tcp" port="3306" accept"

Sidebar