SELinux can be a pain at times if you don't have a clear understanding of the what, how and why of its workings. A good chunk of the resolutions around the web end up suggesting turning off SELinux completely. That is, to say the least, one of the worst things you can do to your server.
Allowing access to ports through SELinux is one of the things I came across while setting up an Elasticsearch cluster on CentOS servers, and I wanted to share a quick rundown of the steps/commands required to allow a port through SELinux and the firewall. In this example, we'll be allowing access to port
- Start by listing the current SELinux port labels and confirming the port you want to allow isn't already labelled (semanage port -a fails with "already defined" if the port is already labelled; in that case use semanage port -m to change the existing label instead)
sudo semanage port -l | grep http_port_t
- Allow access to the port by labelling it with the type the service is allowed to bind to (http_port_t here)
sudo semanage port -a -t http_port_t -p tcp 8090
- Check which ports and services the firewall currently lets through
sudo firewall-cmd --list-all
- Add the port (and make it permanent, so it survives a reload or reboot)
sudo firewall-cmd --zone=public --add-port=9443/tcp --permanent
- Reload the firewall for the changes to take effect
sudo firewall-cmd --reload
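As an added example (not part of the original post), the following POSIX shell helper wraps the first two steps above so they are safe to rerun: it parses the output of semanage port -l to find which SELinux type, if any, currently labels a port, and then decides whether semanage port -a (new label), semanage port -m (relabel) or nothing at all is the right command. The semanage output embedded below is a constructed sample, not captured from a real host; on a live system replace it with the real command output as noted in the comments.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (not from a real host).
# On a live host use:  SEMANAGE_OUTPUT="$(sudo semanage port -l)"
SEMANAGE_OUTPUT='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
commplex_main_port_t           tcp      5000
commplex_main_port_t           udp      5000
unreserved_port_t              tcp      1024-65535'

# selinux_port_type PROTO PORT
# Prints the first SELinux type whose port list contains PORT for PROTO
# (single ports and low-high ranges), or nothing if the port is unlabelled.
selinux_port_type() {
  proto="$1"; port="$2"
  printf '%s\n' "$SEMANAGE_OUTPUT" | awk -v p="$proto" -v n="$port" '
    $2 == p {
      for (i = 3; i <= NF; i++) {
        v = $i; sub(/,$/, "", v)              # strip trailing comma
        if (v == n) { print $1; exit }        # exact port match
        if (v ~ /-/) {                        # port range low-high
          split(v, r, "-")
          if (n + 0 >= r[1] + 0 && n + 0 <= r[2] + 0) { print $1; exit }
        }
      }
    }'
}

# selinux_port_cmd TYPE PROTO PORT
# Prints the semanage command that brings PROTO/PORT to label TYPE:
#   -a when the port has no label yet,
#   -m when it is labelled with a different type (-a would fail "already defined"),
#   nothing when the label is already correct.
selinux_port_cmd() {
  type="$1"; proto="$2"; port="$3"
  current=$(selinux_port_type "$proto" "$port")
  if [ -z "$current" ]; then
    echo "semanage port -a -t $type -p $proto $port"
  elif [ "$current" != "$type" ]; then
    echo "semanage port -m -t $type -p $proto $port"
  fi
}

# Usage: print (do not run) the command needed for the post's example port.
selinux_port_cmd http_port_t tcp 8090
```

Note that the generic unreserved_port_t range means a high port is rarely truly unlabelled; that is exactly why checking before running -a matters, and why -m is the usual answer when -a complains that the port is already defined.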
Please keep in mind that exposing a port, any port, to the internet can have serious consequences. Such exposed ports should be well protected, and opening them should be a well thought out, intentional move.
Tip - You can use a DigitalOcean CentOS droplet to toy around with SELinux before making these changes to your target instance. In case you don't have a DigitalOcean account, sign up using this link and you'll get $100 free credit good for 2 months, enough to play around!