CentOS 7 firewall-cmd

List active ports

firewall-cmd --list-ports

Get active zones

firewall-cmd --get-active-zones

Open a port

firewall-cmd --permanent --zone=public --add-port=80/tcp

Close a port

firewall-cmd --remove-port=

Enable the change

firewall-cmd --reload

Make sure the change is in effect

firewall-cmd --zone=public --query-port=80/tcp

Reject connections to a port

# Simply reject all traffic to 443
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="443" reject'

# add a src ip into the mix
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.0.0.2" port protocol="tcp" port="443" reject'

Forward traffic from a specific address to another port

firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.10.10.99 forward-port to-port=8080 protocol=tcp port=80'

another way to forward traffic without rich rules

Send traffic coming in on 514/udp to OTHER_IP:9004

firewall-cmd --new-zone=FORWARD_whatever --permanent
firewall-cmd --reload
firewall-cmd --zone=FORWARD_whatever --add-source=SOURCE_IP/32 --permanent
firewall-cmd --zone=FORWARD_whatever --permanent --add-forward-port=port=514:proto=udp:toaddr=OTHER_IP:toport=9004