5.14. Using the Direct Interface
It is possible to add and remove rules and chains during runtime by using the --direct option with the firewall-cmd tool. A few examples are presented here. See the firewall-cmd(1) man page for more information.
It is dangerous to use the direct interface if you are not very familiar with iptables, as you could inadvertently cause a breach in the firewall. Direct rules are passed straight through to iptables, ip6tables or ebtables; firewalld does not check them against the zones, services or rich rules it manages, so a mistaken rule is not caught by the rest of the firewalld configuration.
The direct interface mode is intended for services or applications to add specific firewall rules during runtime. The rules can be made permanent by adding the --permanent option, using the firewall-cmd --permanent --direct command, or by modifying /etc/firewalld/direct.xml. Note that a rule added with --permanent alone is only written to /etc/firewalld/direct.xml and takes effect at the next reload or restart of firewalld; to change the running firewall at the same time, also run the same command without --permanent. See man firewalld.direct(5) for information on the /etc/firewalld/direct.xml file.
5.14.1. Adding a Rule using the Direct Interface
To add a rule to the “IN_public_allow” chain, enter the following command as root:
~]# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow \
0 -m tcp -p tcp --dport 666 -j ACCEPT
The arguments are the address family (ipv4), the table (filter), the chain, the rule priority (0) and then the rule itself in iptables syntax. The priority orders the direct rules within the chain: priority 0 places the rule at the top, and a higher priority places it further down. Add the --permanent option to make the setting persistent.
5.14.2. Removing a Rule using the Direct Interface
To remove a rule from the “IN_public_allow” chain, enter the following command as root:
~]# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow \
0 -m tcp -p tcp --dport 666 -j ACCEPT
The family, table, chain, priority and rule arguments must be given exactly as they were when the rule was added, otherwise no rule matches and nothing is removed. Add the --permanent option to make the setting persistent; the runtime and permanent copies of a rule are removed independently.
5.14.3. Listing Rules using the Direct Interface
To list the rules in the “IN_public_allow” chain, enter the following command as root:
~]# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
Note that this command (the --get-rules option) only lists rules previously added using the --add-rule option. It does not list existing iptables rules added by other means. To see everything the chain actually contains, including the rules firewalld itself generated from zone, service and rich-rule settings, inspect the chain with the iptables tool, for example with iptables -S IN_public_allow.
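The three steps above (add, list, remove) combined into one script, as an added example that is not part of the original page. It uses the page's chain (IN_public_allow), priority (0) and rule (TCP port 666) and the page's firewall-cmd options; the helper names, the input checks, the iptables cross-check and the dry-run fallback are this example's own additions. When it is not run as root against a running firewalld it only prints the commands it would execute.

```bash
#!/bin/bash
# Added example, not code from the original page or from firewalld.
# Wraps the page's add / list / remove procedure for the IN_public_allow
# chain with input checks and a verification step. Helper names and the
# dry-run logic are this example's own choices.
set -u

CHAIN="IN_public_allow"   # chain used on the page
PRIORITY=0                # the page's examples use priority 0 (top of chain)

# Build the iptables-style argument string for accepting one tcp/udp port.
# Rejects anything that is not tcp/udp or not a port number in 1..65535, so a
# typo cannot turn into an unexpectedly broad direct rule.
# Prints the arguments on success, returns 1 on bad input.
direct_rule_args() {
    local proto="$1" port="$2"
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    echo "-m $proto -p $proto --dport $port -j ACCEPT"
}

# Read the output of `firewall-cmd --direct --get-rules ipv4 filter CHAIN`
# from stdin (one "<priority> <args>" line per direct rule) and succeed only
# if an exact match for the given priority and arguments is present.
rule_listed() {
    grep -Fxq -- "$1 $2"
}

# Only touch the firewall when running as root against a running firewalld;
# otherwise echo the commands (dry run). firewall-cmd --state exits 0 when
# firewalld is running.
live_firewalld() {
    [ "$(id -u)" -eq 0 ] && firewall-cmd --state >/dev/null 2>&1
}
if live_firewalld; then
    run() { "$@"; }
else
    run() { echo "+ $*"; }
fi

# Add the rule to the running firewall, verify it, persist it, then remove
# both the runtime and the permanent copy again. Arguments: protocol, port.
add_verify_remove() {
    local rule
    rule=$(direct_rule_args "$1" "$2") || return 1
    # $rule is deliberately left unquoted so it is word-split into arguments.
    run firewall-cmd --direct --add-rule ipv4 filter "$CHAIN" "$PRIORITY" $rule
    if live_firewalld; then
        # Confirm firewalld lists exactly what we asked for.
        firewall-cmd --direct --get-rules ipv4 filter "$CHAIN" \
            | rule_listed "$PRIORITY" "$rule" \
            || { echo "rule not listed after --add-rule" >&2; return 1; }
        # --get-rules only shows rules added via --direct; cross-check what
        # the kernel actually holds in the chain.
        iptables -S "$CHAIN" | grep -Fq -- "--dport $2 -j ACCEPT" \
            || { echo "rule missing from iptables chain $CHAIN" >&2; return 1; }
    fi
    # Persist to /etc/firewalld/direct.xml (applied on the next reload).
    run firewall-cmd --permanent --direct --add-rule ipv4 filter "$CHAIN" "$PRIORITY" $rule
    # Runtime and permanent copies are independent: remove both.
    run firewall-cmd --direct --remove-rule ipv4 filter "$CHAIN" "$PRIORITY" $rule
    run firewall-cmd --permanent --direct --remove-rule ipv4 filter "$CHAIN" "$PRIORITY" $rule
}

add_verify_remove tcp 666
```

Running it as root on a host with firewalld active performs the add, the two checks, the permanent add and the two removals; anywhere else it prints the five firewall-cmd invocations so they can be reviewed before being typed in by hand.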