
Configuring Firewalld on CentOS to Restrict Access to Specific Ports and IP Addresses

This article explains what Firewalld is, outlines its key features (zones, runtime versus permanent settings, services, and dynamic updates), and gives step‑by‑step commands that limit access to an Nginx server on port 8088 to a single IP address while every other port stays governed by the default zone.


Firewalld is the default dynamic firewall manager on CentOS. It is a front‑end for the kernel's netfilter packet filter (driven through an iptables or nftables backend, depending on the release) and replaces hand‑written rule chains with zones and named services.

Key features include:

Zones that represent levels of trust in a network connection or source address. The predefined zones are drop, block, public, external, dmz, work, home, internal and trusted, each with its own rule set; an interface or a source address is bound to exactly one zone, and traffic that matches no zone falls into the default zone (public after installation).

Separate runtime and permanent configurations: a command without --permanent takes effect immediately but is lost on the next reload or reboot, while a --permanent change persists on disk but is only enforced after firewall-cmd --reload.

Service definitions, which bundle ports and protocols under a name (for example ssh or http), so rules can allow a service rather than a bare port number.

Runtime rule changes that are applied immediately, without restarting the firewall or dropping connections that are already established.

Connection tracking (netfilter conntrack), so reply traffic for established connections is allowed automatically.

A D‑Bus API for programmatic interaction.

The article demonstrates how to restrict access to an Nginx server listening on port 8088 so that only the operations server with IP 192.168.2.100 can connect. The mechanism is a zone bound to that one source address with the Nginx service allowed in it; from every other address the port stays closed only because 8088/tcp is never opened in the default zone, so the restriction is lost if someone later adds the port there.

Typical steps include:

1. Verify that the firewalld service is running and enable it at boot:

systemctl status firewalld
systemctl start firewalld
systemctl is-enabled firewalld
systemctl enable firewalld

2. Create a new service called nginxserver and add port 8088/tcp to it (creating the service and setting its options are separate invocations; the service is written to /etc/firewalld/services/nginxserver.xml):

firewall-cmd --permanent --new-service=nginxserver
firewall-cmd --permanent --service=nginxserver --set-description="nginx Service"
firewall-cmd --permanent --service=nginxserver --add-port=8088/tcp

3. Define a new zone named opsserver, bind the allowed source address to it, and attach the nginxserver service. A zone bound to a source address handles all traffic from that address, so from 192.168.2.100 only what this zone allows gets through; if that host also administers the server over SSH, add the ssh service to the zone as well:

firewall-cmd --permanent --new-zone=opsserver
firewall-cmd --permanent --zone=opsserver --set-description="Ops Server Zone"
firewall-cmd --permanent --zone=opsserver --add-source=192.168.2.100
firewall-cmd --permanent --zone=opsserver --add-service=nginxserver

If the last command rejects nginxserver as an unknown service, run firewall-cmd --reload once after step 2 and repeat it: some firewalld releases do not see a newly created permanent service until the configuration has been reloaded.

4. Reload the firewall to apply changes:

firewall-cmd --reload

5. Optionally set the default zone to drop, so traffic from any other source address matches no zone and is silently discarded. Do this only after every service still needed from other addresses (ssh above all) has been added to a zone bound to those addresses, otherwise the change locks you out of the host. --set-default-zone changes the runtime and permanent configuration at once, so the reload is not strictly required:

firewall-cmd --set-default-zone=drop
firewall-cmd --reload

Additional commands are provided to list services, zones, and rules, as well as to delete or modify existing configurations. The article also notes that rules without --permanent vanish at the next reload or reboot, that --permanent rules are enforced only after --reload, and that these commands need root privileges (e.g., sudo).
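The five steps above as one idempotent script, added here as an example rather than code from the original article. It keeps the article's names (zone opsserver, service nginxserver, port 8088/tcp, source 192.168.2.100) and adds what the step list leaves out: input validation so a typo cannot widen the allowed source, the reload between creating the service and using it, removal of 8088/tcp from the default zone if someone opened it there, and a final listing that shows the kernel state. The helper names (valid_source, valid_port, in_list, run, apply, verify) and the script file name are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: the article's procedure as an
# idempotent script with input checks, the reload-ordering caveat and verification.
# Zone, service, port and source are the article's values; helper names are ours.
set -euo pipefail

ZONE="${ZONE:-opsserver}"
SERVICE="${SERVICE:-nginxserver}"
PORT="${PORT:-8088/tcp}"
SOURCE="${SOURCE:-192.168.2.100}"

# Accept one IPv4 host or a CIDR prefix between /1 and /32. firewall-cmd would
# also accept these, but a typo such as "/0" must not silently allow the world.
valid_source() {
    local src="$1" ip prefix octet
    ip="${src%%/*}"
    if [[ "$src" == */* ]]; then prefix="${src#*/}"; else prefix=32; fi
    [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return 1
    [[ "$prefix" =~ ^[0-9]{1,2}$ ]] || return 1
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
    local IFS=.
    for octet in $ip; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Require the explicit "port/protocol" form that --add-port expects.
valid_port() {
    local spec="$1" num proto
    [[ "$spec" == */* ]] || return 1
    num="${spec%%/*}"; proto="${spec#*/}"
    [[ "$num" =~ ^[0-9]{1,5}$ ]] || return 1
    [ "$num" -ge 1 ] && [ "$num" -le 65535 ] || return 1
    case "$proto" in tcp|udp|sctp|dccp) return 0 ;; *) return 1 ;; esac
}

# Exact-word membership test for the space-separated lists printed by
# "firewall-cmd --get-services" / "--get-zones" ("nginx" must not match "nginxserver").
in_list() {
    local word
    for word in $2; do [ "$word" = "$1" ] && return 0; done
    return 1
}

run() { echo "+ $*"; "$@"; }

apply() {
    valid_source "$SOURCE" || { echo "refusing bad source: $SOURCE" >&2; return 1; }
    valid_port "$PORT"     || { echo "refusing bad port: $PORT" >&2; return 1; }
    systemctl is-active  --quiet firewalld || run systemctl start  firewalld
    systemctl is-enabled --quiet firewalld || run systemctl enable firewalld

    if ! in_list "$SERVICE" "$(firewall-cmd --permanent --get-services)"; then
        run firewall-cmd --permanent --new-service="$SERVICE"
        run firewall-cmd --permanent --service="$SERVICE" --set-description="nginx Service"
        run firewall-cmd --permanent --service="$SERVICE" --add-port="$PORT"
        # Some firewalld releases reject --add-service for a service created in
        # the same permanent session until it is reloaded, so reload before use.
        run firewall-cmd --reload
    fi
    if ! in_list "$ZONE" "$(firewall-cmd --permanent --get-zones)"; then
        run firewall-cmd --permanent --new-zone="$ZONE"
        run firewall-cmd --permanent --zone="$ZONE" --set-description="Ops Server Zone"
    fi
    run firewall-cmd --permanent --zone="$ZONE" --add-source="$SOURCE"
    run firewall-cmd --permanent --zone="$ZONE" --add-service="$SERVICE"
    # Traffic from $SOURCE is now handled by $ZONE only; if that host also needs
    # SSH, add it here: run firewall-cmd --permanent --zone="$ZONE" --add-service=ssh

    # The restriction only holds if the port is not also open in the default
    # zone, which every other source address falls into.
    local default_zone
    default_zone="$(firewall-cmd --get-default-zone)"
    if firewall-cmd --permanent --zone="$default_zone" --query-port="$PORT" >/dev/null; then
        run firewall-cmd --permanent --zone="$default_zone" --remove-port="$PORT"
    fi
    run firewall-cmd --reload
    verify "$default_zone"
}

# Show what the kernel now enforces: the source-bound zone must be active and
# the port must appear only there.
verify() {
    echo "--- active zones (expect $ZONE with source $SOURCE)"
    firewall-cmd --get-active-zones
    echo "--- $ZONE"
    firewall-cmd --zone="$ZONE" --list-all
    echo "--- default zone $1 ($PORT must not be listed)"
    firewall-cmd --zone="$1" --list-all
}

# Run as "sudo ./restrict-8088.sh apply"; sourcing the file only defines the helpers.
if [ "${1:-}" = "apply" ]; then apply; fi
```

Running it twice is safe: the existence checks skip creation, --add-source and --add-service on an already-present entry only warn, and the final --list-all output is the evidence to keep with the change record. Setting the default zone to drop (step 5) is deliberately left out of the script; do that by hand once the verification output shows ssh reachable from the addresses you administer from.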

Tags: firewall, Linux, network security, CentOS, firewalld
Written by

Laravel Tech Community

Specializing in Laravel development, we continuously publish fresh content and grow alongside the elegant, stable Laravel framework.