Elastic Compute Service: Enable or disable the system firewall on a Linux ECS instance

Last Updated: Dec 17, 2024

Firewall technology helps computers build a relatively isolated protective barrier between internal and external networks to protect data. If you enable a firewall for an Elastic Compute Service (ECS) instance and configure firewall rules to block external access, you may be unable to connect to the instance. This topic describes how to enable or disable the system firewall on a Linux ECS instance.

Procedure

Run commands that are suitable for the Linux distribution of the ECS instance.

Important

To prevent unexpected risks, we recommend that you perform the operations as ecs-user or a regular user, instead of an administrative user. If the regular user does not have sudo permissions, grant the permissions to the user. For more information, see Question 2: How do I grant sudo permissions to a regular user?

CentOS 7, CentOS Stream 8, Red Hat 7, Red Hat 8, Alibaba Cloud Linux 2, or Alibaba Cloud Linux 3

  • Check the status of the system firewall

    By default, the system firewall is disabled. Run the following command to check the status of the system firewall:

    sudo firewall-cmd --state
    Note
    • If the system firewall is disabled, not running appears in the command output.

    • If the system firewall is enabled, running appears in the command output.

    • If the system firewall is not installed, the -bash: firewall-cmd: command not found error message appears in the command output. In this case, run the sudo yum install firewalld -y command to install the system firewall.

  • Enable the system firewall

    sudo systemctl start firewalld

    To configure the system firewall to start on system startup, run the following command:

    sudo systemctl enable firewalld
  • Disable the system firewall

    sudo systemctl stop firewalld

    To configure the system firewall not to start on system startup, run the following command:

    sudo systemctl disable firewalld

Ubuntu

  • Check the status of the system firewall

    By default, the system firewall is disabled. Run the following command to check the status of the system firewall:

    sudo ufw status
    Note

    If the system firewall is disabled, Status: inactive appears in the command output.

    If the firewall is enabled, Status: active appears in the command output.

  • Enable the system firewall

    Run the following command to enable the system firewall. The system firewall is automatically enabled when the Linux instance is restarted.

    sudo ufw enable
  • Disable the system firewall

    Run the following command to disable the system firewall. The system firewall remains disabled when the Linux instance is restarted.

    sudo ufw disable

Debian

By default, no firewall is installed on Debian. If a firewall is installed on Debian, you can delete all firewall rules to remove traffic blocking. Before you delete all firewall rules, back up the rules. You can restore firewall rules from the firewall rule backup file.

  • View firewall rules

    sudo iptables -L
  • Disable the system firewall by deleting all firewall rules

    You can disable the system firewall by deleting all firewall rules.

    Note

    Replace the [$Iptables] variable with the actual path of the file in which you want to store the firewall rule backup.

    1. Run the following command to create a backup file:

      sudo touch [$Iptables]
    2. Run the following command to back up firewall rules:

      sudo sh -c "iptables-save > [$Iptables]"
    3. Run the following command to delete all firewall rules:

      sudo iptables -F
  • Enable the system firewall by restoring firewall rules from the backup file

    You can enable the system firewall by restoring firewall rules or adding firewall rules.

    Note

    Replace the [$Iptables] variable with the actual path of the firewall rule backup file.

    sudo iptables-restore < [$Iptables]
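
Added example, not part of the original page: `iptables -F` deletes rules but does not reset a chain's default policy, so a built-in chain left at DROP blocks all traffic (SSH included) once its rules are flushed. The script below reads a backup written by `iptables-save` and reports such chains; the function names and the sample backup are constructed for illustration.

```shell
#!/bin/sh
# Inspect an iptables-save backup before running `iptables -F`.

# Print "table chain policy" for every built-in chain whose policy is not
# ACCEPT. User-defined chains carry "-" in the policy field and are skipped.
nonaccept_policies() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # a line such as *filter starts a table
        /^:/  { chain = substr($1, 2)            # a line such as :INPUT DROP [0:0]
                if ($2 != "ACCEPT" && $2 != "-") print table, chain, $2 }
    ' "$1"
}

# Count the "-A ..." rule lines that the backup would restore.
rule_count() {
    grep -c '^-A ' "$1" || true
}

# Return 0 when flushing leaves every built-in chain at ACCEPT, 1 otherwise.
flush_is_safe() {
    [ -z "$(nonaccept_policies "$1")" ]
}

# Constructed sample backup (not taken from a real instance).
make_sample_backup() {
    cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ssh-guard - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ssh-guard
-A ssh-guard -j ACCEPT
COMMIT
EOF
}

backup=$(mktemp)
make_sample_backup "$backup"
echo "rules in backup: $(rule_count "$backup")"
if flush_is_safe "$backup"; then
    echo "all policies are ACCEPT; flushing removes all filtering"
else
    echo "flushing would leave these chains blocking traffic:"
    nonaccept_policies "$backup"
fi
rm -f "$backup"
```

If a chain is reported, its policy can be set with `sudo iptables -P <chain> ACCEPT` before the flush; the original policies are restored together with the rules by `iptables-restore`.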

FAQs

How do I grant sudo permissions to a regular user?

CentOS 7, CentOS Stream 8, Red Hat 7, Red Hat 8, Alibaba Cloud Linux 2, or Alibaba Cloud Linux 3

  1. Connect to the Linux instance as the root user.

    For more information, see Use Workbench to connect to a Linux instance over SSH.

  2. Run the following commands to create a regular user named test and set a password:

    useradd test
    passwd test
  3. Run the following command to change the permissions on the /etc/sudoers file:

    chmod 750 /etc/sudoers
  4. Run the following command to edit the /etc/sudoers file:

    vim /etc/sudoers

    Press the I key to enter Insert mode and add the following configuration:

    test ALL=(ALL)  NOPASSWD: ALL

    Press the Esc key, type :wq, and press the Enter key to save and close the file.

  5. Run the following command to switch to the test user:

    su - test
  6. Run the following command to verify the sudo permissions:

    sudo cat /etc/shadow

    If the file's content is displayed, the sudo permissions have been granted successfully.

Ubuntu or Debian

  1. Connect to the Linux instance as the root user.

    For more information, see Use Workbench to connect to a Linux instance over SSH.

  2. Run the following command to create a regular user named test and assign a password:

    sudo adduser test
  3. Run the following command to grant the user sudo permissions:

    sudo usermod -aG sudo test
  4. Run the following command to switch to the test user:

    sudo su - test
  5. Run the following command to verify the sudo permissions:

    sudo cat /etc/shadow

    If the file's content is displayed, the sudo permissions have been granted successfully.

Unable to access the instance after disabling the firewall

If you are still unable to connect to the instance after the firewall is disabled, investigate other potential issues. For more information, see What do I do if I cannot connect to a Linux instance?