On Linux servers, we often need to run various services such as web servers (port 80), SSH remote connections (port 22), etc. For these services to provide external access, the corresponding ports must be opened in the server’s firewall. This article introduces several common methods to open ports for Linux beginners, with simple and easy-to-understand content suitable for quick mastery.

1. Why Open Ports?

For example: If your server has a web server (e.g., Nginx, Apache) installed, it typically provides web services through port 80 by default. However, if port 80 is not open in the firewall, external users will receive a “connection refused” error, and the service will not function properly. Thus, opening ports is a necessary step for services to communicate externally.

2. Common Linux Firewall Tools

Different Linux distributions (e.g., Ubuntu, CentOS) use different default firewall tools. Below are the three most common tools, ranked by beginner-friendliness:

1. UFW (Uncomplicated Firewall)

Applicable Systems: Ubuntu, Debian, and other Debian-based distributions
Features: Extremely simple to operate, works like a plain on/off switch, ideal for pure beginners.

Step 1: Check UFW Status

If UFW is not installed, install it first:

sudo apt update && sudo apt install ufw  # For Ubuntu/Debian only

Check if UFW is running (default is “Status: inactive” if not enabled):

sudo ufw status

Step 2: Open Ports

To open port 22 (SSH) and 80 (web service) as examples:

# Open port 22 (TCP for SSH)
sudo ufw allow 22/tcp  

# Open port 80 (TCP for HTTP)
sudo ufw allow 80/tcp  

For UDP ports (e.g., DNS port 53), use udp:

sudo ufw allow 53/udp

Step 3: Enable UFW

After opening ports, enable UFW for changes to take effect:

sudo ufw enable

(You will be prompted to confirm; enter y and press Enter. If you are connected over SSH, make sure the port 22 rule from Step 2 is in place before enabling: UFW denies incoming traffic by default, so a firewall activated without that rule blocks new SSH connections to the server.)

Step 4: Verify Open Ports

Check the list of open ports:

sudo ufw status

Sample output:

Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
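The step order above (add rules, then enable) matters when you administer the server over SSH. The following pre-enable check is an added example, not part of the original article: it parses the output of sudo ufw show added (rules staged while UFW is still inactive) or sudo ufw status (rules of a running firewall) and refuses to proceed unless an allow rule covers the SSH port. The function names, the sample outputs and the address 203.0.113.5 are constructed for the example.

```sh
#!/bin/sh
# Added example (not part of the original article): before running `sudo ufw enable`
# from an SSH session, confirm that an ALLOW rule for the SSH port already exists.
# `sudo ufw show added` lists rules staged while UFW is inactive; `sudo ufw status`
# lists the rules of a running firewall. ufw_allows understands both formats.

# Usage: <ufw output on stdin> | ufw_allows PORT[/PROTO]   (e.g. 22/tcp)
# Returns 0 if an allow rule covers that port (and protocol, if given), 1 otherwise.
ufw_allows() {
    awk -v want="$1" '
    BEGIN { n = split(want, w, "/"); port = w[1]; proto = (n > 1) ? w[2] : "" }
    # Does a rule token such as "22/tcp" or "22" cover the requested port/proto?
    function covers(tok,    r) {
        split(tok, r, "/")
        return tok == want || tok == port || (proto == "" && r[1] == port)
    }
    # `ufw show added` lines: "ufw allow 22/tcp" or
    # "ufw allow from 203.0.113.5 to any port 22 proto tcp"
    $1 == "ufw" && $2 == "allow" {
        if (covers($3)) { found = 1; next }
        rport = ""; rproto = ""
        for (i = 3; i < NF; i++) {
            if ($i == "port")  rport  = $(i + 1)
            if ($i == "proto") rproto = $(i + 1)
        }
        if (rport == port && (proto == "" || rproto == "" || rproto == proto)) found = 1
        next
    }
    # `ufw status` rows: "22/tcp   ALLOW   Anywhere"; IPv6 rows read
    # "22/tcp (v6)   ALLOW   Anywhere (v6)"
    covers($1) && ($2 == "ALLOW" || ($2 == "(v6)" && $3 == "ALLOW")) { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Constructed sample outputs standing in for real `ufw show added` / `ufw status` runs.
STAGED_RULES=$(cat <<'EOF'
Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 80/tcp
EOF
)
STAGED_WEB_ONLY=$(cat <<'EOF'
Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow from 203.0.113.5 to any port 53 proto udp
EOF
)
ACTIVE_STATUS=$(cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
EOF
)

# Gate for `ufw enable`: $1 is the ufw output to inspect, $2 the SSH port/proto
# (default 22/tcp). Returns 0 when enabling is safe, 1 when it would cut you off.
safe_to_enable() {
    ssh_rule="${2:-22/tcp}"
    if printf '%s\n' "$1" | ufw_allows "$ssh_rule"; then
        echo "ok: $ssh_rule is allowed; 'sudo ufw enable' will not block this session"
        return 0
    fi
    echo "refusing: no allow rule for $ssh_rule; run 'sudo ufw allow $ssh_rule' first" >&2
    return 1
}

# On a real host:  safe_to_enable "$(sudo ufw show added)" && sudo ufw enable
# Against the constructed samples:
safe_to_enable "$STAGED_RULES"
if safe_to_enable "$STAGED_WEB_ONLY"; then :; else echo "(web-only rule set correctly rejected)"; fi
```

The long form of ufw allow (from ... to any port ... proto ...) is recognised as well, so a rule restricted to one source address still counts, which matches the advice in the notes at the end of this article to limit SSH to specific IPs.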

2. firewalld (for CentOS/RHEL/Fedora)

Applicable Systems: CentOS 7+, RHEL, Fedora
Features: Dynamic firewall management with “zone” concepts, enabling flexible control of rules across different network environments.

Step 1: Check firewalld Status

firewalld is usually preinstalled on CentOS/RHEL. Check its status directly:

sudo systemctl status firewalld

(If it shows “active (running)”, it is enabled.)

Step 2: Open Ports

firewalld uses the public zone (for public networks) by default. Open ports by specifying the zone and protocol:

# Open port 22 (TCP)
sudo firewall-cmd --permanent --zone=public --add-port=22/tcp  

# Open port 80 (TCP)
sudo firewall-cmd --permanent --zone=public --add-port=80/tcp  

Parameters:
- --permanent: Write the rule to the saved configuration so it persists across reboots (it only takes effect after the reload in Step 3);
- --zone=public: Apply rules to the “public” zone;
- --add-port=22/tcp: Add TCP port 22.

Step 3: Reload Rules

After adding rules, reload firewalld to apply changes:

sudo firewall-cmd --reload

Step 4: Verify Open Ports

Check open ports:

sudo firewall-cmd --list-ports

Sample output:

22/tcp 80/tcp

3. iptables (General Underlying Tool)

Applicable Systems: Almost all Linux distributions
Features: Powerful but with slightly complex syntax; serves as the foundational firewall tool, suitable for advanced users.

Step 1: Open Ports

To open port 22 (TCP):

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT  

Parameters:
- -A INPUT: Append the rule to the end of the INPUT chain (handles packets entering the server). iptables applies the first rule that matches, so if an earlier rule already drops or rejects the traffic the appended rule is never reached; in that case insert it at the top with -I INPUT instead;
- -p tcp: Specify TCP protocol;
- --dport 22: Target port 22;
- -j ACCEPT: Allow the packet to pass.

Step 2: Save Rules (Avoid Loss After Reboot)

iptables rules are not persistent by default. Save them manually:
- For CentOS/RHEL 7+ (the iptables-services package provides this command):

  sudo service iptables save

- For Ubuntu/Debian (the iptables-persistent package loads /etc/iptables/rules.v4 at boot; the file is written by root via tee, because a plain > redirect would run as your own user and fail):

  sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null

Step 3: Verify Open Ports

Check rules in the INPUT chain:

sudo iptables -L INPUT --line-numbers
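Because iptables stops at the first matching rule, where the new ACCEPT lands in the chain decides whether it works. The script below is an added example (not from the original article) that models this first-match walk over rule lists in the format printed by sudo iptables -S INPUT. It understands only the options used in this article (-p, --dport, -j) plus -m and --reject-with, and skips anything else; the three chains are constructed samples, one of them being exactly what the command in Step 1 produces on a host with the default ACCEPT policy.

```sh
#!/bin/sh
# Added example (not from the original article): a deliberately small model of how
# iptables walks the INPUT chain. Rules are tried top to bottom, the first match
# decides, and the chain policy (-P) applies when nothing matches. Only the options
# used in the article (-p, --dport, -j) plus -m and --reject-with are understood.

# Usage: <rules in `iptables -S INPUT` format on stdin> | verdict_for_port DPORT
# Prints the verdict (ACCEPT, DROP, REJECT, ...) for a new TCP connection to DPORT.
verdict_for_port() {
    dport="$1"
    policy=ACCEPT                      # iptables' built-in default when no -P line is seen
    while read -r line; do
        set -- $line                   # split the rule into words (word splitting intended)
        case "$1" in
            -P) policy="$3"; continue ;;   # -P INPUT DROP
            -A) shift 2 ;;                 # -A INPUT <match options> -j TARGET
            *)  continue ;;                # blank or unrelated line
        esac
        proto=""; port=""; target=""; skip=0
        while [ $# -gt 0 ]; do
            case "$1" in
                -p)            proto="$2";  shift 2 ;;
                -m)                         shift 2 ;;   # "-m tcp": match module implied by --dport
                --dport)       port="$2";   shift 2 ;;
                -j)            target="$2"; shift 2 ;;
                --reject-with)              shift 2 ;;
                *) echo "unmodelled option '$1'; rule skipped" >&2; skip=1; break ;;
            esac
        done
        if [ "$skip" -eq 1 ]; then continue; fi
        # A rule matches when every condition it states holds for our TCP packet.
        if { [ -z "$proto" ] || [ "$proto" = tcp ]; } && { [ -z "$port" ] || [ "$port" = "$dport" ]; }; then
            echo "$target"
            return 0
        fi
    done
    echo "$policy"                     # nothing matched: the chain policy decides
}

# Constructed chains standing in for `sudo iptables -S INPUT` output.
# What the article's Step 1 command produces on a host with the default policy:
CHAIN_ARTICLE=$(cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
)
# A catch-all DROP already exists and the SSH rule was appended (-A) after it:
CHAIN_APPENDED=$(cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
)
# The same two rules after `iptables -I INPUT -p tcp --dport 22 -j ACCEPT` (inserted at the top):
CHAIN_INSERTED=$(cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
EOF
)

for name in CHAIN_ARTICLE CHAIN_APPENDED CHAIN_INSERTED; do
    eval "rules=\$$name"
    printf '%-15s port 22 -> %s, port 443 -> %s\n' "$name" \
        "$(printf '%s\n' "$rules" | verdict_for_port 22)" \
        "$(printf '%s\n' "$rules" | verdict_for_port 443)"
done
```

Two things the output makes visible: with the default ACCEPT policy and no other rules (CHAIN_ARTICLE), the added rule changes nothing, since port 443 is accepted by the policy anyway; and once a catch-all DROP exists, an appended SSH rule is dead (CHAIN_APPENDED gives DROP for port 22) while the inserted one works (CHAIN_INSERTED).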

3. How to Verify Port Open Status?

After opening ports, confirm effectiveness with these methods. A test against localhost travels over the loopback interface, which UFW and firewalld allow by default, so it proves that the service is listening rather than that your firewall rule works; to check the rule itself, run the same command from another machine with the server’s IP address in place of localhost.

  1. telnet Test (requires telnet client):
   telnet localhost 22  # Test SSH port 22

If it shows Connected to localhost., the port is open.

  2. nc (netcat) Test:
   nc -zv localhost 80  # Test web port 80

If it shows Connection to localhost 80 port [tcp/http] succeeded!, the port is open.

  3. curl Test (for web services):
   curl http://localhost  # If web page content is returned, port 80 is open
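A localhost test can pass while remote users still get nothing, for example when the web server is bound to 127.0.0.1 only. The script below is an added example (not from the original article) that reads the listening TCP sockets reported by ss -ltn (from iproute2) and says, for a given port, whether the service listens on all addresses, on loopback only, or not at all, so you know whether a firewall rule can help. The listening_on and diagnose functions and the sample ss output are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the original article): a localhost test only shows that
# something answers on the loopback interface. This check reads `ss -ltn` output
# (listening TCP sockets) and reports whether a port is bound to all addresses,
# only to loopback, or not at all, which tells you whether a firewall rule can help.

# Usage: <`ss -ltn` output on stdin> | listening_on PORT
# Prints "any"           - listens on all addresses; reachable once the firewall allows it
#        "loopback-only" - bound to 127.x / [::1] only; unreachable remotely whatever the firewall says
#        "none"          - nothing listens; fix the service, not the firewall
listening_on() {
    awk -v want="$1" '
    $1 == "LISTEN" {
        # Local address is "addr:port"; split on the LAST colon so IPv6 like [::]:22 works.
        la = $4; i = length(la)
        while (i > 0 && substr(la, i, 1) != ":") i--
        addr = substr(la, 1, i - 1); port = substr(la, i + 1)
        if (port != want) next
        if (addr ~ /^127\./ || addr ~ /^\[::1\]/) loop = 1; else any = 1
    }
    END { print (any ? "any" : (loop ? "loopback-only" : "none")) }'
}

# Turn the classification into a plain diagnosis. $1 = port, $2 = `ss -ltn` output.
diagnose() {
    state=$(printf '%s\n' "$2" | listening_on "$1")
    case "$state" in
        any)           echo "port $1: listening on all addresses; a firewall rule makes it reachable" ;;
        loopback-only) echo "port $1: bound to loopback only; localhost tests pass but remote access fails regardless of firewall rules (check the service's listen/bind address)" ;;
        none)          echo "port $1: nothing is listening; start the service before touching the firewall" ;;
    esac
}

# Constructed sample standing in for real `ss -ltn` output: SSH on all addresses,
# a web server bound to 127.0.0.1 only, a local DNS stub, and nothing on 443.
SAMPLE_SS=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    127.0.0.1:80        0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53    0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
EOF
)

# On a real host:  diagnose 80 "$(ss -ltn)"
for p in 22 80 53 443; do diagnose "$p" "$SAMPLE_SS"; done
```

In the sample, curl http://localhost would return the page for port 80, yet no firewall rule can make that server reachable from outside until its bind address is changed; the port 443 line shows the case the notes below call out, where the service itself is not running.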

4. New User Notes

  1. Prioritize UFW/firewalld: Beginners should start with UFW (simple) or firewalld (flexible); iptables is for advanced needs.
  2. Avoid High-Risk Ports: Restrict SSH (22) to specific IPs or use key-based authentication instead of opening it publicly.
  3. Ensure Persistent Rules: UFW saves its rules automatically; for firewalld add --permanent (and reload) so rules survive reboots; save iptables rules manually as shown above.
  4. Disable Firewall Only Temporarily: Never disable firewalls in production; only do so temporarily in test environments (sudo ufw disable or systemctl stop firewalld).
  5. Verify Service Status: After opening ports, confirm the service itself is running (e.g., systemctl start sshd).

Summary

The core of opening Linux server ports is adding rules via firewall tools (UFW/firewalld/iptables). Beginners are advised to start with UFW or firewalld for simplicity and sufficient daily needs. Always verify port status after opening to ensure services function properly.

Xiaoye