5.14. Using the Direct Interface
It is possible to add and remove chains and rules at runtime by using the --direct option of the firewall-cmd tool. A few examples are presented here. See the firewall-cmd(1) man page for more information.

It is dangerous to use the direct interface if you are not very familiar with iptables: the arguments after the chain name are passed to iptables almost verbatim, so a wrong rule can open a hole in the firewall or block legitimate traffic.

The direct interface is intended for services or applications that need to add specific firewall rules at runtime. The rules can be made permanent by adding the --permanent option (firewall-cmd --permanent --direct ...) or by editing /etc/firewalld/direct.xml. See the firewalld.direct(5) man page for information on the /etc/firewalld/direct.xml file.
5.14.1. Adding a Rule using the Direct Interface
To add a rule to the IN_public_allow chain, enter the following command as root:

~]# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow \
0 -m tcp -p tcp --dport 666 -j ACCEPT

The positional arguments are the address family (ipv4), the iptables table (filter), the chain (IN_public_allow), a priority (0; rules with a lower priority value are inserted ahead of rules with a higher one) and, finally, the iptables match and target arguments.

Add the --permanent option to make the setting persistent. Note that --permanent on its own changes only the stored configuration; to change the running firewall and persist the change, run the command both with and without --permanent, or follow the permanent change with firewall-cmd --reload.
5.14.2. Removing a Rule using the Direct Interface
To remove a rule from the IN_public_allow chain, enter the following command as root, repeating the family, table, chain, priority and rule arguments exactly as they were given when the rule was added:

~]# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow \
0 -m tcp -p tcp --dport 666 -j ACCEPT

Add the --permanent option to remove the rule from the persistent configuration as well; without it, only the runtime rule is removed and the permanent rule returns on the next reload.
5.14.3. Listing Rules using the Direct Interface
To list the rules in the IN_public_allow chain, enter the following command as root:

~]# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow

Note that this command (the --get-rules option) lists only rules previously added with the --add-rule option of the direct interface; firewall-cmd --direct --get-all-rules lists such rules across all tables and chains. Neither command shows iptables rules added by other means, such as rules inserted directly with the iptables command, so use iptables -L -n (or iptables-save) when you need to audit what is actually loaded in the kernel.
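The add, remove and list steps above can be wrapped so that a service applies a direct rule only once, mirrors it to the permanent configuration, and removes it cleanly on shutdown. The following script is an added example, not part of the original documentation or of firewalld itself. It assumes firewall-cmd is on the PATH and is run as root; the chain IN_public_allow and port 666 are taken from the examples above, and the --query-rule option is used to test for an existing rule before adding or removing it.

```shell
#!/bin/sh
# Idempotent management of firewalld direct rules (added example, not firewalld's own code).
# Assumes: run as root, firewall-cmd on PATH, chain IN_public_allow exists (public zone).

# direct_rule_args FAMILY TABLE CHAIN PRIORITY RULE...
# Validates the positional arguments and prints them as one argument string.
# Returns 1 on invalid family, table or priority so callers never pass junk to iptables.
direct_rule_args() {
    family=$1; table=$2; chain=$3; priority=$4; shift 4
    case "$family" in ipv4|ipv6|eb) ;; *) echo "bad family: $family" >&2; return 1 ;; esac
    case "$table" in filter|nat|mangle|raw|security) ;; *) echo "bad table: $table" >&2; return 1 ;; esac
    case "$priority" in ''|*[!0-9]*) echo "bad priority: $priority" >&2; return 1 ;; esac
    [ -n "$chain" ] || { echo "empty chain" >&2; return 1; }
    [ $# -gt 0 ] || { echo "empty rule" >&2; return 1; }
    echo "$family $table $chain $priority $*"
}

# direct_rule_present FAMILY TABLE CHAIN PRIORITY RULE...
# Exits 0 if the runtime direct rule is already loaded, 1 otherwise.
direct_rule_present() {
    args=$(direct_rule_args "$@") || return 1
    # shellcheck disable=SC2086  # word-splitting of $args is intended
    firewall-cmd --direct --query-rule $args >/dev/null 2>&1
}

# add_direct_rule FAMILY TABLE CHAIN PRIORITY RULE...
# Adds the rule to the running firewall if it is missing, then to the permanent config.
add_direct_rule() {
    args=$(direct_rule_args "$@") || return 1
    if direct_rule_present "$@"; then
        echo "already present: $args"
    else
        # shellcheck disable=SC2086
        firewall-cmd --direct --add-rule $args || return 1
    fi
    # --permanent alone does not touch the running firewall, hence the separate call above.
    # shellcheck disable=SC2086
    firewall-cmd --permanent --direct --add-rule $args >/dev/null 2>&1 || true
}

# remove_direct_rule FAMILY TABLE CHAIN PRIORITY RULE...
# Removes the rule from both runtime and permanent configuration; harmless if absent.
remove_direct_rule() {
    args=$(direct_rule_args "$@") || return 1
    if direct_rule_present "$@"; then
        # shellcheck disable=SC2086
        firewall-cmd --direct --remove-rule $args || return 1
    fi
    # shellcheck disable=SC2086
    firewall-cmd --permanent --direct --remove-rule $args >/dev/null 2>&1 || true
}

# Demonstration using the rule from the documentation; skipped when firewall-cmd is absent.
if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    add_direct_rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 666 -j ACCEPT
    firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
    remove_direct_rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 666 -j ACCEPT
else
    echo "firewall-cmd not available or not root; functions defined but no rules changed"
fi
```

Because --remove-rule fails with an error when the rule is not loaded, remove_direct_rule checks with --query-rule first; the permanent variants are allowed to fail quietly so a service shutdown does not abort on a rule that was never persisted.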