Help Center/ Elastic Cloud Server/ Troubleshooting/ Firewall Configuration Issues/ How Do I Disable a Linux ECS Firewall and Add a Port Exception on a Linux ECS Firewall?
Updated on 2023-03-30 GMT+08:00

How Do I Disable a Linux ECS Firewall and Add a Port Exception on a Linux ECS Firewall?

Scenarios

This section describes how to disable a Linux ECS firewall and add a port exception on a Linux ECS firewall.

Enabling a firewall and configuring a security group protect your ECSs. If you disable a firewall, exercise caution when you enable ports in the security group.

Disabling a Firewall

Run the following command to disable the firewall based on the ECS OS:

  • CentOS 6

    service iptables stop

  • CentOS 7

    systemctl stop firewalld.service

  • Ubuntu

    ufw disable

  • Debian

    /etc/init.d/iptables stop

Adding a Port Exception on a Firewall

  • CentOS 6
    1. For example, to add TCP port 23, run the following command:

      iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT

    2. Save the configuration.

      service iptables save

    3. (Optional) Configure the firewall to automatically start upon ECS startup.
      chkconfig iptables on
      • To disable automatic firewall startup, run the following command:

        chkconfig iptables off

      • When the firewall is started on CentOS 6, the "iptables no config file" error may be displayed because the iptables configuration file is not detected. To handle this issue, perform the following operations:
        1. Add a new rule.

          iptables -P OUTPUT ACCEPT

        2. Save the configuration.

          service iptables save

        3. Start the firewall again.

          service iptables start

  • CentOS 7
    1. Check the firewall status.

      systemctl status firewalld

      or

      firewall-cmd --state

    2. If the firewall is disabled, run the following command to enable it:

      systemctl start firewalld

      If "Failed to start firewalld.service: Unit is masked." is displayed, run the systemctl unmask firewalld command first and then run the preceding command again to enable the firewall:

    3. Run the following command to check whether the firewall is enabled:

      firewall-cmd --state

      Information similar to the following is displayed:

      [root@ecs-centos7 ~]# firewall-cmd --state
      running
    4. For example, to add TCP port 23, run the following command:

      firewall-cmd --zone=public --add-port=23/tcp --permanent

      The configuration is correct if the command output is as follows:

      [root@ecs-centos7 ~]# firewall-cmd --zone=public --add-port=23/tcp --permanent
      success
    5. Reload the policy configuration for the new configuration to take effect.

      firewall-cmd --reload

    6. View all enabled ports.

      firewall-cmd --list-ports

      [root@ecs-centos7 ~]# firewall-cmd --list-ports
      23/tcp
    7. (Optional) Configure the firewall to automatically start upon ECS startup.

      systemctl enable firewalld.service

      Check whether automatic firewall startup is enabled.

      systemctl is-enabled firewalld.service;echo $?

      The configuration is correct if the command output is as follows:

      [root@ecs-centos7 ~]# systemctl is-enabled firewalld.service;echo $?
      enabled
      0

      To disable automatic firewall startup, run the following command:

      systemctl disable firewalld.service