How To Configure Firewall on CentOS 7

Configure Firewall on CentOS 7

In this tutorial, we will show you how to configure a Firewall on CentOS 7. For those of you who didn’t know, FirewallD is a complete firewall solution that manages the system’s iptables rules and provides a D-Bus interface for operating on them. Starting with CentOS 7, FirewallD replaces iptables as the default firewall management tool.

This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you the step-by-step, configure Firewall on CentOS 7.


  • A server running one of the following operating systems: CentOS 7.
  • It’s recommended that you use a fresh OS install to prevent any potential issues.
  • SSH access to the server (or just open Terminal if you’re on a desktop).
  • A non-root sudo user or access to the root user. We recommend acting as a non-root sudo user, however, as you can harm your system if you’re not careful when acting as the root.

Configure Firewall on CentOS 7

Step 1. First, let’s start by ensuring your system is up-to-date.

yum clean all
yum -y update

Step 2. Installing FirewallD on CentOS 7.

Firewalld is installed by default on CentOS 7, but if it is not installed on your system, you can execute the following command for its installation:

sudo yum install firewalld

After you install FirewallD, you can enable the service and reboot your server. Keep in mind that enabling FirewallD will cause the service to start up at boot:

sudo systemctl start firewalld
sudo systemctl enable firewal
sudo reboot

We can verify that the service is running and reachable by typing:

sudo firewall-cmd --state

Step 3. Setup and configuration of FirewallD on CentOS 7.

FirewallD uses services and zones instead of iptables rules and chains. By default the following zones are available:

  • drop – Drop all incoming network packets with no reply, only outgoing network connections are available.
  • block – Reject all incoming network packets with an ICMP-host-prohibited message, Only outgoing network connections are available.
  • public – Only selected incoming connections are accepted, for use in public areas
  • external For external networks with masquerading are enabled, only selected incoming connections are accepted.
  • DMZ – DMZ demilitarized zone, publicly-accessible with limited access to the internal network, only selected incoming connections are accepted.
  • work – For computers in your home area, only selected incoming connections are accepted.
  • home – For computers in your home area, only selected incoming connections are accepted.
  • internal -For computers in your internal network, only selected incoming connections are accepted.
  • trusted – All network connections are accepted.

To list all available zones run:

firewall-cmd --get-zones
work drop internal external trusted home dmz public block

To list the default zone:

firewall-cmd --get-default-zone

To change the default zone:

firewall-cmd --set-default-zone=dmz
firewall-cmd --get-default-zone

For example, here is how you can configure your VPS firewall with FirewallD if you were running a web server, SSH on port 8888, or mail server.

First, we will set the default zone to DMZ.

firewall-cmd --set-default-zone=dmz

To add permanent service rules for HTTP and HTTPS to the DMZ zone, run:

firewall-cmd --zone=dmz --add-service=http --permanent
firewall-cmd --zone=dmz --add-service=https --permanent

Since the SSH port is changed to 7022, we will remove the ssh service (port 22) and open port 8888

firewall-cmd --remove-service=ssh --permanent 
firewall-cmd --add-port=8888/tcp --permanent 

To implement the changes we need to reload the firewall with:

firewall-cmd --reload

Finally, you can list the rules with:

### firewall-cmd --list-all
 target: default
 icmp-block-inversion: no
 services: http https imap imaps pop3 pop3s smtp smtps
 ports: 7022/tcp
 masquerade: no
 rich rules:

Step 4. Disable Firewall on CentOS 7.

You can temporarily stop the FirewallD service with the following command:

sudo systemctl stop firewalld

To permanently disable the firewall on your CentOS 7 system, follow the steps below:

sudo systemctl disable firewalld


Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

Congratulations! You have successfully configured Firewall. Thanks for using this tutorial for installing FirewallD on CentOS 7 system. For additional help or useful information, we recommend you check the official FirewallD website.

VPS Manage Service Offer
If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!


r00t is a seasoned Linux system administrator with a wealth of experience in the field. Known for his contributions to idroot.us, r00t has authored numerous tutorials and guides, helping users navigate the complexities of Linux systems. His expertise spans across various Linux distributions, including Ubuntu, CentOS, and Debian. r00t's work is characterized by his ability to simplify complex concepts, making Linux more accessible to users of all skill levels. His dedication to the Linux community and his commitment to sharing knowledge makes him a respected figure in the field.
Back to top button