In rhel 7 the command to manage the firewall is firewall-cmd.
iptables is still there but with the zoning concept the output from iptables -L is rather hard to read.
Get the active zone
<![CDATA[
firewall-cmd --get-active-zones
]]>
By default the active zone should be "public"
View the rules for the public zone
<![CDATA[
firewall-cmd --zone=public --list-all
]]>
To permanently remove a service. example dhcpv6-client
<![CDATA[
firewall-cmd --zone=drop --permanent --remove-service=dhcpv6-client
]]>
Note: when we use permanent the firewall needs to be reloaded before it is applied.
without permanent it takes effect immediately
or port
<![CDATA[
firewall-cmd --zone=drop --remove-port=8080/tcp --permanent
]]>
To permanently add a services. example dns
<![CDATA[
firewall-cmd --zone=drop --permanent --add-service=dns
]]>
or port
<![CDATA[
firewall-cmd --zone=drop --add-port=8080/tcp --permanent
]]>
open port for a specific host
<![CDATA[
firewall-cmd --permanent --zone=drop --add-rich-rule='rule family="ipv4" source address="10.81.226.26/32" port protocol="tcp" port="8080" accept'
]]>
remove
<![CDATA[
firewall-cmd --permanent --zone=drop --remove-rich-rule='rule family="ipv4" source address="10.80.114.112/32" port port="9200" protocol="tcp" accept'
]]>
To reload the firewall
<![CDATA[
firewall-cmd --reload
]]>
Get status of the firewall
<![CDATA[
firewall-cmd --state
]]>
Start/Stop the firewall
<![CDATA[
systemctl start|stop firewalld
]]>
Open a range of ports
<![CDATA[
firewall-cmd --zone=drop --permanent --add-port=50001-50100/tcp
]]>
Open all to one host
<![CDATA[
firewall-cmd --permanent --zone=drop --add-rich-rule='rule family="ipv4" source address="10.80.114.111" accept'
]]>
Allow all within 255.255.0.0 netwask
<![CDATA[
firewall-cmd --permanent --zone=drop --add-rich-rule='rule family="ipv4" source address="10.80.0.0/16" port protocol="tcp" port="8080" accept'
]]>