
firewall-cmd
Our web server is listening on all interfaces (the default) and we're going to allow connections to it through eth1.
We know that eth1 is in the default (public) zone, thanks to the previous section:
$ sudo firewall-cmd --zone public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
This means that we have to add another port allowance to our zone, enabling connections to 8000/tcp.
In the following command, we're adding to our firewall configuration, but we're not modifying the running config: the --permanent option writes the rule to the saved configuration so that it is loaded on a firewall reload:
$ sudo firewall-cmd --permanent --zone=public --add-port 8000/tcp
Now we need to run the command again, this time without the --permanent option, so that our running configuration is modified too:
$ sudo firewall-cmd --zone=public --add-port 8000/tcp
Running the --list-all option will now show your added port:
$ sudo firewall-cmd --zone public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1 eth2
sources:
services: ssh dhcpv6-client
ports: 8000/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
You should be able to curl centos1 on 8000/tcp from centos2:
$ curl 192.168.33.10:8000
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html>
<title>Directory listing for /</title>
<body>
<h2>Directory listing for /</h2>
<hr>
<ul>
<li><a href=".bash_history">.bash_history</a>
<li><a href=".bash_logout">.bash_logout</a>
<li><a href=".bash_profile">.bash_profile</a>
<li><a href=".bashrc">.bashrc</a>
<li><a href=".ssh/">.ssh/</a>
</ul>
<hr>
</body>
</html>
To reverse this addition, you would swap --add-port for --remove-port, like so:
$ sudo firewall-cmd --zone=public --remove-port 8000/tcp
success
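The add-permanent, add-runtime, verify sequence above is easy to get half right (only one of the two configurations changed, or a typo in the port spec accepted silently). The following POSIX shell functions wrap that sequence as an added example; they are not part of the book and do not come from firewalld. The function names, the FIREWALL_CMD override and the validation rules are my own assumptions; the firewall-cmd options used (--permanent, --zone, --add-port, --remove-port, --query-port) are the real ones.

```shell
#!/bin/sh
# Added example, not from the original text. Wraps the two-step firewalld
# port opening (permanent config + running config) and verifies the result.
# FIREWALL_CMD can be overridden, e.g. with a stub function, for dry runs;
# the default is the real firewall-cmd run through sudo.
FIREWALL_CMD="${FIREWALL_CMD:-sudo firewall-cmd}"

# Validate a "port/proto" spec before handing it to firewall-cmd:
# port must be 1-65535, proto one of tcp/udp/sctp/dccp (the protocols
# firewalld accepts for --add-port). Returns 0 if valid, 1 otherwise.
fw_valid_port_spec() {
    spec=$1
    port=${spec%%/*}
    proto=${spec#*/}
    [ "$port" = "$spec" ] && return 1        # no "/" in the spec at all
    case $port in
        ''|*[!0-9]*) return 1 ;;             # empty or non-numeric port
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case $proto in
        tcp|udp|sctp|dccp) return 0 ;;
        *) return 1 ;;
    esac
}

# Open a port in ZONE: permanent config first, then the running config
# (mirroring the two commands above), then confirm with --query-port,
# whose exit status is 0 only if the port is present in the runtime zone.
fw_open_port() {
    zone=$1
    spec=$2
    fw_valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 2; }
    $FIREWALL_CMD --permanent --zone="$zone" --add-port="$spec" || return 1
    $FIREWALL_CMD --zone="$zone" --add-port="$spec" || return 1
    $FIREWALL_CMD --zone="$zone" --query-port="$spec"
}

# Close a port in ZONE from both the permanent and the running config, so
# the allowance does not reappear on the next firewall reload.
fw_close_port() {
    zone=$1
    spec=$2
    fw_valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 2; }
    $FIREWALL_CMD --permanent --zone="$zone" --remove-port="$spec" || return 1
    $FIREWALL_CMD --zone="$zone" --remove-port="$spec"
}

# Usage (as root or with sudo rights):
#   fw_open_port public 8000/tcp
#   fw_close_port public 8000/tcp
```

Note that fw_close_port removes the rule from both configurations, whereas the single --remove-port command shown above only touches the running config; a rule that was also added with --permanent comes back on the next firewall-cmd --reload unless it is removed with --permanent as well.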