about:

CentOS7 uses firewalld which is a frontend for iptables.

firewalld ships by default on the following Linux distributions:[6]

firewalld is enabled by default in all the distributions that rely on it as their default firewall. firewalld is also available as one of many firewall options in the package repository of many other popular distributions such as Debian.[10](src)

graphical frontend / GUI for gnome2 / mate desktop:

# install gui
yum install firewall-applet

tested with:

hostnamectl 
  Operating System: CentOS Linux 7 (Core)
  Architecture: x86-64
  Kernel: Linux 3.10.0-693.17.1.el7.x86_64

firewall-cmd -V
0.4.4.4

yum list installed|grep firewall
firewalld.noarch                   0.4.4.4-6.el7                       @anaconda
firewalld-filesystem.noarch        0.4.4.4-6.el7                       @anaconda
python-firewall.noarch             0.4.4.4-6.el7                       @anaconda

let's get started:

# list all opened ports
firewall-cmd --list-ports

# list all rules
firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="193.201.0.0/16" reject
    rule family="ipv4" source address="36.155.0.0/16" reject

firewall-cmd --get-active-zones
public
 interfaces: eth0

# list rules for a specific zone
firewall-cmd --zone=home --list-all

for example, if your zone is public and you want to open port 80:

firewall-cmd --zone=public --add-port=80/tcp --permanent

reload the firewall for changes to take effect:

firewall-cmd --reload

to check, scan the ports from a client:

nmap -v -p 0-65535 -sS 192.168.0.94
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

# monitor your logs
# without color (follows every file under /var/log except compressed ones)
find /var/log/ -type f ! -path '*.gz*' -exec tail -n0 -f {} +
# with color (needs ccze)
apt install ccze   # on Debian/Ubuntu
find /var/log/ -type f ! -path '*.gz*' -exec tail -n0 -f {} + | ccze

# when you have found an abusive ip
# block specific ip for 15min (runtime rule, removed again after the timeout)
firewall-cmd --timeout 15m --add-rich-rule="rule family='ipv4' source address='193.201.224.218' reject"
# block specific ip forever (--timeout cannot be combined with --permanent)
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='193.201.224.218' reject"

# block specific subnet
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='193.201.0.0/16' reject"
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='36.155.0.0/16' reject"

# permanent rules only become active after a reload
firewall-cmd --reload

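# you can view the rules in the config files
# permanent rich rules are stored in the zone file, e.g. for the public zone:
vim /etc/firewalld/zones/public.xml
# rules added with --direct are stored in:
vim /etc/firewalld/direct.xml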
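
An address copied out of a log is attacker-influenced text, and the rich rules above are built by pasting it between quotes. The following is an added example, not part of the original post: a POSIX shell helper that only builds the reject rule for a well-formed IPv4 address or subnet. The function names and the FIREWALL_CMD dry-run variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and FIREWALL_CMD are hypothetical helpers.

# valid_ipv4_source ADDR: succeed only for a dotted-quad IPv4 address with an
# optional /0-32 prefix, so log-derived text cannot alter the rich rule.
valid_ipv4_source() {
    addr=${1%%/*}
    case $1 in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr          # split into octets (only digits and dots remain)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# rich_rule_for ADDR: print the reject rule in the form used on this page.
rich_rule_for() {
    valid_ipv4_source "$1" || { printf 'refusing invalid source: %s\n' "$1" >&2; return 1; }
    printf "rule family='ipv4' source address='%s' reject\n" "$1"
}

# block_source ADDR [TIMEOUT]: runtime block with TIMEOUT (e.g. 15m), or a
# permanent rule plus reload without it.
# FIREWALL_CMD="echo firewall-cmd" gives a dry run that only prints.
block_source() {
    rule=$(rich_rule_for "$1") || return 1
    if [ -n "${2:-}" ]; then
        ${FIREWALL_CMD:-firewall-cmd} --timeout="$2" --add-rich-rule="$rule"
    else
        ${FIREWALL_CMD:-firewall-cmd} --permanent --add-rich-rule="$rule" &&
            ${FIREWALL_CMD:-firewall-cmd} --reload
    fi
}
```

Source the file and call, for example, `block_source 193.201.224.218 15m`; run it with `FIREWALL_CMD="echo firewall-cmd"` first to see the command without changing the firewall.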

Links:

ip to country mapping: https://www.iplocation.net/

https://www.startpage.com/do/dsearch?query=find+country+by+ip&cat=web&pl=opensearch&language=english

https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7

https://dwaves.org/2017/07/27/centos7-iptables-firewall-replaced-by-firewalld/

project website: http://www.firewalld.org/

admin