Updated on 2025-07-30 GMT+08:00

How Do I Enable or Disable a Linux ECS Firewall and Add a Port Exception on a Linux ECS Firewall?

Scenarios

This section describes how to enable or disable a Linux ECS firewall and add a port exception on a Linux ECS firewall.

Enabling the firewall and configuring security groups both help protect your ECSs. If you disable the firewall or add port exceptions, be cautious about which ports you also open in security groups.

Enabling or Disabling a Firewall

Run the corresponding command to enable or disable the firewall based on the ECS OS.

OS       | Enable                            | Disable
---------|-----------------------------------|----------------------------------
CentOS 6 | service iptables start            | service iptables stop
CentOS 7 | systemctl start firewalld.service | systemctl stop firewalld.service
Ubuntu   | ufw enable                        | ufw disable
Debian   | /etc/init.d/iptables start        | /etc/init.d/iptables stop

Adding a Port Exception to a Firewall

  • CentOS 6
    1. For example, to add TCP port 23, run the following command:

      iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT

    2. Save the configuration.

      service iptables save

    3. (Optional) Configure the firewall to automatically start upon ECS startup.

      chkconfig iptables on

      • To disable automatic firewall startup, run the following command:

        chkconfig iptables off

      • When the firewall is started on CentOS 6, the "iptables no config file" error may be displayed because the iptables configuration file is not detected. To handle this issue, perform the following operations:
        1. Add a new rule.

          iptables -P OUTPUT ACCEPT

        2. Save the configuration.

          service iptables save

        3. Start the firewall again.

          service iptables start

  • CentOS 7
    1. Check the firewall status.

      systemctl status firewalld

      or

      firewall-cmd --state

    2. If the firewall is disabled, run the following command to enable it:

      systemctl start firewalld

      If "Failed to start firewalld.service: Unit is masked." is displayed, run the systemctl unmask firewalld command first and then run the preceding command again to enable the firewall.

    3. Run the following command to check whether the firewall is enabled:

      firewall-cmd --state

      Information similar to the following is displayed:

      [root@ecs-centos7 ~]# firewall-cmd --state
      running
    4. For example, to add TCP port 23, run the following command:

      firewall-cmd --zone=public --add-port=23/tcp --permanent

      The configuration is correct if the command output is as follows:

      [root@ecs-centos7 ~]# firewall-cmd --zone=public --add-port=23/tcp --permanent
      success
    5. Reload the policy configuration for the new configuration to take effect.

      firewall-cmd --reload

    6. Check all enabled ports.

      firewall-cmd --list-ports

      [root@ecs-centos7 ~]# firewall-cmd --list-ports
      23/tcp
    7. (Optional) Configure the firewall to automatically start upon ECS startup.

      systemctl enable firewalld.service

      Check whether automatic firewall startup is enabled.

      systemctl is-enabled firewalld.service;echo $?

      The configuration is correct if the command output is as follows:

      [root@ecs-centos7 ~]# systemctl is-enabled firewalld.service;echo $?
      enabled
      0

      To disable automatic firewall startup, run the following command:

      systemctl disable firewalld.service
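
In the CentOS 6 steps above, iptables -A appends the exception to the end of the INPUT chain, so if the chain already ends with a catch-all REJECT or DROP rule, the new ACCEPT is never reached. The script below is an added example, not part of the original page: it checks `iptables -S INPUT` output for that ordering problem. The function names are hypothetical, and the sample rule sets are constructed and assume a chain that ends in a catch-all REJECT.

```shell
#!/bin/bash
# Added example: reads `iptables -S INPUT` output on stdin and reports whether
# the ACCEPT rule for a port can match. Prints effective | shadowed | missing.
check_port_exception() {
    port="$1"; proto="${2:-tcp}"; blocked=no
    while IFS= read -r rule; do
        case "$rule" in
            # The port exception: protocol, destination port, ACCEPT target.
            "-A INPUT "*"-p $proto "*"--dport $port "*"-j ACCEPT"*)
                if [ "$blocked" = yes ]; then echo shadowed; else echo effective; fi
                return 0 ;;
            # A REJECT/DROP with no match conditions catches all remaining
            # packets, so rules listed after it are never evaluated.
            "-A INPUT -j REJECT"*|"-A INPUT -j DROP"*)
                blocked=yes ;;
        esac
    done
    echo missing
}

# Constructed sample: a rule set ending in a catch-all REJECT (assumed layout),
# after the exception was appended with `iptables -A INPUT ...`.
sample_appended() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
EOF
}

# Constructed sample: the same exception placed ahead of the catch-all REJECT.
sample_inserted() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

echo "appended: $(sample_appended | check_port_exception 23 tcp)"
echo "inserted: $(sample_inserted | check_port_exception 23 tcp)"
# On a live ECS: iptables -S INPUT | check_port_exception 23 tcp
```

If the result is "shadowed", the exception has to sit before the catch-all rule to take effect; iptables -I INPUT with a rule number inserts it at a chosen position instead of appending it.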