How do I open a port in my Linode's firewall?

Linode Staff

I'm looking to open a specific port in my Linode's firewall. How do I go about doing this?

4 Replies

There are a number of ways you can go about opening a port in your Linode's firewall. I'll outline the most common below:

1. Using iptables

If your distribution uses iptables, then you can create a basic firewall which drops incoming traffic, and allows outgoing traffic by using the following commands:

iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT

You can then open a specific port by running this command, replacing $PROTOCOL with either tcp or udp, and $PORT with the port number you wish to open:

iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT

To allow connections only from a specific IP address, you can use the following command, replacing $IPADDRESS with the IP address from which you wish to allow connections:

iptables -I INPUT -p $PROTOCOL --dport $PORT -s $IPADDRESS -j ACCEPT

iptables will work with Debian-based Linux distributions, including Ubuntu, as well as older versions of CentOS (pre-version 7). You can find our guide on using iptables here.

To ensure that rules configured using iptables will persist through a reboot, you can run the following command:

apt-get install iptables-persistent

This will install the iptables-persistent package, and trigger a graphical menu that will guide you through the rest of the process.

2. Using UFW (an iptables frontend)

UFW, or the "Uncomplicated FireWall", is pretty straightforward, but limited to distributions which use iptables for their firewall rules. Most commonly, this is used with Debian and Ubuntu distributions, although there are others which support it as well. In order to install UFW on Debian/Ubuntu systems, you can use the following command:

apt-get install ufw

You can then set it to allow outgoing traffic and reject incoming traffic by default with the following commands:

ufw default allow outgoing
ufw default deny incoming

You will need to then enable the firewall:

ufw enable

You can then open specific ports using the following command (remember to replace $PORT with the port number you wish to open, and $PROTOCOL with either tcp or udp):

ufw allow $PORT/$PROTOCOL

If you wish to open the same port for TCP and UDP, you can just leave out the /$PROTOCOL part:

ufw allow $PORT

You can find our guide on using UFW here.

3. Using FirewallD (CentOS 7+/RHEL 7+)

FirewallD, which is specific to distributions based on RedHat Enterprise Linux (RHEL) 7+, is a powerful tool which can be used to configure a firewall using simple commands. It is configured using the firewall-cmd command. To allow outgoing traffic and reject incoming traffic by default, you can use the following command:

firewall-cmd --set-default-zone=drop

You can then open individual ports using commands like the following (remembering to replace $PORT with the port number you wish to open, and $PROTOCOL with either tcp or udp):

firewall-cmd --permanent --add-port $PORT/$PROTOCOL

The --permanent flag is very important, as your rules will be lost during a reboot without it.

There are a lot more options that can be configured using FirewallD, so I've included our guide here.

Taking things a bit further (scripting your firewall):

I personally prefer to script this process, and use it on every new Linode I create. To that end, I recommend checking out the new firewall-related functions in our Bash StackScript Library, which check to see if you're using Debian/Ubuntu, or a RedHat based distribution, and then configure and save the firewall based on the ports/protocols you specify. There is also a function in there which allows outgoing and SSH-related connections, while rejecting incoming and forwarded connections by default. A basic example script for configuring your firewall can be found below:

#!/usr/bin/env bash

# Import the Bash StackScript Library
source <ssinclude StackScriptID=1>

# Enable basic rules, such as allowing access over port 22 (SSH) and ICMP response
configure_basic_firewall

# Define the ports to be opened for both IPv4 and IPv6
ipv4_ports=(80 443)
ipv6_ports=(80 443)

for port in "${ipv4_ports[@]}"; do
    add_port 'ipv4' $port 'tcp'
done

for port in "${ipv6_ports[@]}"; do
    add_port 'ipv6' $port 'tcp'
done

save_firewall

Keep in mind these functions are basic, and do not account for any advanced rules you may wish to create. They will simply open the specified port, on the specified protocol/IP standard. It's also worth noting that the Library does not yet support IPv6 when using FirewallD, but everything else works correctly.

If you wish to modify these functions for more advanced configurations, you can save it to a local script, and check out this post for instructions on how to convert a StackScript into a normal Bash script, and import your modified version of the function into your script.
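One hazard the iptables steps in the reply above leave implicit: on a remote host, running `iptables --policy INPUT DROP` before an ACCEPT exists for SSH and for established connections cuts your own session. The script below is an added example, not Linode's Bash StackScript Library and not code from the reply. It builds the rule set in iptables-restore format, so the DROP policy, the SSH/conntrack rules and the user ports are loaded in one atomic step, and it reuses the reply's per-source restriction (`-s`) through an optional `@SOURCE_IP` suffix. The `PORT/PROTO[@SOURCE]` spec syntax, the function names and the `SSH_PORT` variable are this example's own assumptions; `/etc/iptables/rules.v4` is the file iptables-persistent loads on Debian/Ubuntu. IPv4 only: IPv6 needs the same treatment with ip6tables-restore and `rules.v6`.

```shell
#!/usr/bin/env bash
# Added example (not Linode's StackScript library, not code from the reply):
# build an iptables-restore ruleset that opens chosen ports and sets the INPUT
# policy to DROP in one atomic load, so a remote session is never cut off.
# Spec syntax (this example's own): PORT/PROTO or PORT/PROTO@SOURCE_IP
#   e.g. 80/tcp  53/udp  5432/tcp@203.0.113.10

# Validate one spec; prints a reason to stderr and returns 1 if it is malformed.
valid_spec() {
    spec=$1
    port=${spec%%/*}
    rest=${spec#*/}
    proto=${rest%%@*}
    case "$port" in
        ''|*[!0-9]*) echo "bad port in '$spec'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range in '$spec'" >&2; return 1
    fi
    case "$proto" in
        tcp|udp) return 0 ;;
        *) echo "protocol must be tcp or udp in '$spec'" >&2; return 1 ;;
    esac
}

# Print the ruleset. Order matters: loopback, established/related traffic,
# ICMP and SSH are accepted before any user port, and the DROP policy is part
# of the same ruleset instead of being set first with `iptables --policy`.
build_ruleset() {
    ssh_port=${SSH_PORT:-22}          # override if sshd listens elsewhere
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
    for spec in "$@"; do
        valid_spec "$spec" || return 1
        port=${spec%%/*}; rest=${spec#*/}; proto=${rest%%@*}
        case "$rest" in
            *@*) src=" -s ${rest#*@}" ;;   # restrict to one source, like the reply's -s example
            *)   src='' ;;
        esac
        printf '%s\n' "-A INPUT -p $proto$src --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Load the ruleset atomically (after a syntax check) and save it where
# iptables-persistent on Debian/Ubuntu reads it at boot. Needs root.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    build_ruleset "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    iptables-restore --test "$tmp" || { rm -f "$tmp"; return 1; }
    iptables-restore "$tmp"
    if [ -d /etc/iptables ]; then
        iptables-save > /etc/iptables/rules.v4
    fi
    rm -f "$tmp"
}

# ./firewall.sh --print 80/tcp 443/tcp                         show the ruleset
# ./firewall.sh --apply 80/tcp 443/tcp 5432/tcp@203.0.113.10   load and persist it
case "${1:-}" in
    --print) shift; build_ruleset "$@" ;;
    --apply) shift; apply_ruleset "$@" ;;
esac
```

Run it with `--print` first and read the output: the SSH rule must appear above every user port, and `iptables-restore --test` refuses a malformed file before anything is committed. Because the policy line and the ACCEPT rules land together, there is no window in which INPUT drops everything.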

There are quite a few typos in this article.

iptables -I INPUT -p $PROTOCOL --dport $PORT -J ACCEPT
should be
iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
iptables -I INPUT -p $PROTOCOL --dport $PORT --s $IPADDRESS -J ACCEPT
should be
iptables -I INPUT -p $PROTOCOL --dport $PORT -s $IPADDRESS -j ACCEPT

My restrictions on linode port 25 have been lifted, but still when I use nmap I only see ssh, http and httpd ports open.

How could I open port 25?

I tried iptables, but still blocked
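The symptom in the post above (a port no longer restricted by Linode, yet nmap still reports it closed) has three common causes on the host itself that adding a firewall rule does not fix: nothing is listening on the port, the service is bound only to 127.0.0.1 (a mail server configured with `inet_interfaces = loopback-only` behaves this way), or the ACCEPT rule was appended with `-A` after a catch-all REJECT and is never reached. The script below is an added example, not part of the thread and not Linode code; it classifies those cases from the text of `ss -ltn` and `iptables -S INPUT`. The sample outputs embedded in it are constructed, not captured from a real host, and the function names and status words are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): work out why a TCP port looks closed
# from outside, using the text of `ss -ltn` and `iptables -S INPUT`.

# Listener check. Reads `ss -ltn` output on stdin.
# Exit status: 0 = listening on a non-loopback address, 2 = bound to loopback
# only (unreachable from outside regardless of the firewall), 1 = no listener.
has_listener() {
    awk -v p="$1" '
        NR > 1 && $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] != p) next
            # strip ":port" to get the bound address, e.g. 0.0.0.0, [::], 127.0.0.1
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") lo = 1; else ext = 1
        }
        END { if (ext) exit 0; if (lo) exit 2; exit 1 }'
}

# Rule check. Reads `iptables -S INPUT` output on stdin.
# Exit status: 0 = an ACCEPT for proto/port is reached, 1 = no ACCEPT rule and
# the chain policy or a catch-all rule blocks it, 2 = an ACCEPT exists but sits
# after a catch-all DROP/REJECT (typical when a rule is appended with -A
# instead of inserted with -I), so it is never reached.
input_rule_state() {
    awk -v proto="$1" -v port="$2" '
        /^-P INPUT / { policy = $3; next }
        /^-A INPUT / {
            if ($0 ~ / -j (DROP|REJECT)/ && $0 !~ /--dport/ && $0 !~ /--ctstate/) { shadow = 1; next }
            if ($0 ~ (" -p " proto " ") && $0 ~ (" --dport " port " ") && $0 ~ / -j ACCEPT/) {
                decided = 1
                exit (shadow ? 2 : 0)
            }
        }
        END { if (!decided) exit ((policy == "ACCEPT" && !shadow) ? 0 : 1) }'
}

# diagnose_port PORT SS_TEXT IPTABLES_TEXT
# Prints one of: no-listener | loopback-only | no-accept-rule | shadowed-by-reject | open
diagnose_port() {
    port=$1; ss_text=$2; ipt_text=$3
    rc=0
    printf '%s\n' "$ss_text" | has_listener "$port" || rc=$?
    case $rc in
        1) echo no-listener; return 0 ;;
        2) echo loopback-only; return 0 ;;
    esac
    rc=0
    printf '%s\n' "$ipt_text" | input_rule_state tcp "$port" || rc=$?
    case $rc in
        0) echo open ;;
        1) echo no-accept-rule ;;
        2) echo shadowed-by-reject ;;
    esac
}

# Constructed sample outputs (not captured from a real host).
# Port 25 is bound to loopback only; the ACCEPT for 25 was appended after a catch-all REJECT.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    *:80                *:*
LISTEN 0      100    127.0.0.1:25        0.0.0.0:*'

SAMPLE_SS_FIXED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      100    0.0.0.0:25          0.0.0.0:*'

SAMPLE_IPT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT'

# Against the live host (needs root for iptables):  ./diagnose.sh --live 25
if [ "${1:-}" = "--live" ]; then
    diagnose_port "$2" "$(ss -ltn)" "$(iptables -S INPUT)"
fi
```

With the sample data, port 22 is open, port 80 has a listener but no ACCEPT rule, port 25 is loopback-only, and once the listener is rebound to 0.0.0.0 the same port comes back as shadowed-by-reject: the fix there is `iptables -I INPUT ...` (insert at the top) rather than `-A`, or deleting and re-adding the catch-all REJECT last.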
