5.14. Using the Direct Interface
It is possible to add and remove chains during runtime by using the
--direct option with the firewall-cmd tool. A few examples are presented here. See the firewall-cmd(1) man page for more information.
It is dangerous to use the direct interface if you are not very familiar with iptables as you could inadvertently cause a breach in the firewall.
The direct interface mode is intended for services or applications to add specific firewall rules during runtime. The rules can be made permanent by adding the
--permanent option using the firewall-cmd --permanent --direct command or by modifying /etc/firewalld/direct.xml. See man firewalld.direct(5) for information on the /etc/firewalld/direct.xml file.
5.14.1. Adding a Rule using the Direct Interface
To add a rule to the “IN_public_allow” chain, enter the following command as
root:
~]#firewall-cmd --direct --add-rule ipv4 filter IN_public_allow \0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the
--permanent option to make the setting persistent.
5.14.2. Removing a Rule using the Direct Interface
To remove a rule from the “IN_public_allow” chain, enter the following command as
root:
~]#firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow \0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the
--permanent option to make the setting persistent.
5.14.3. Listing Rules using the Direct Interface
To list the rules in the “IN_public_allow” chain, enter the following command as
root:
~]# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
Note that this command (the
--get-rules option) only lists rules previously added using the --add-rule option. It does not list existing iptables rules added by other means.
