Iptables – Adding a permanent PREROUTING rule in iptables using firewall-cmd

firewalld, iptables, rhel7

I'm trying to add a new rule in the PREROUTING chain in iptables (NAT) using firewall-cmd on RHEL 7:

$ firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8161

Then I check the iptables via $ iptables -t nat -L:

...
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
PREROUTING_direct  all  --  anywhere             anywhere
PREROUTING_ZONES_SOURCE  all  --  anywhere             anywhere
PREROUTING_ZONES  all  --  anywhere             anywhere
...
Chain PREROUTING_direct (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8161
...

However, if I run an equivalent iptables command as follows:

...
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
PREROUTING_direct  all  --  anywhere             anywhere
PREROUTING_ZONES_SOURCE  all  --  anywhere             anywhere
PREROUTING_ZONES  all  --  anywhere             anywhere
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8161
...
Chain PREROUTING_direct (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8161

I get this additional rule in the Chain PREROUTING, and this allows prerouting to work even if the firewall is disabled (i.e., disabling the firewall daemon and running the iptables command).

So, my question is two-fold:

  • Is there a firewall-cmd command that does exactly the same as the iptables command above?
  • Can this rule be added permanently via firewall-cmd and stay there even after firewall daemon is disabled?

Best Answer

You are using firewall-cmd with the --direct option, which means it accepts an iptables command. So, you can just use the same options with iptables -t nat to have the same effect, with one exception. Using firewall-cmd this way will add the NAT rule to the PREROUTING_direct chain, while using iptables directly will add the rule to the PREROUTING chain.

In the output of iptables -t nat -L, you added the rule twice: once to each chain.

As for the second part of the question, the firewalld service will remove all defined chains when stopped. So, rules added to PREROUTING_direct will not be available any more. Short answer is No.
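As an added check, not part of the question or the answer above, the following POSIX shell script parses iptables -t nat -L output and reports which chains carry the REDIRECT rule. That lets an administrator tell whether the redirect sits in the built-in PREROUTING chain (which, as the question observed, keeps working after firewalld is disabled) or only in firewalld's PREROUTING_direct chain (which the answer says disappears when firewalld stops). The two listings are embedded as constructed samples modelled on the question's output, and the function names are assumptions of this example, not anything from firewalld.

```sh
#!/bin/sh
# Added example: classify where a REDIRECT rule lives in `iptables -t nat -L`
# output. Function names and the sample listings below are constructed for
# this example; they are not from the question, the answer, or firewalld.

# Constructed sample modelled on the first listing in the question:
# the rule exists only in firewalld's PREROUTING_direct chain.
SAMPLE_DIRECT_ONLY='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
PREROUTING_direct  all  --  anywhere             anywhere
PREROUTING_ZONES_SOURCE  all  --  anywhere             anywhere
PREROUTING_ZONES  all  --  anywhere             anywhere

Chain PREROUTING_direct (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8161'

# Constructed sample modelled on the second listing in the question:
# the rule exists in both PREROUTING and PREROUTING_direct.
SAMPLE_BOTH='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
PREROUTING_direct  all  --  anywhere             anywhere
PREROUTING_ZONES_SOURCE  all  --  anywhere             anywhere
PREROUTING_ZONES  all  --  anywhere             anywhere
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8161

Chain PREROUTING_direct (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8161'

# chains_with_redirect LISTING PORT
# Print, one per line, every chain in LISTING whose rules include a REDIRECT
# to PORT. "Chain NAME (...)" headers set the current chain; each rule line
# is attributed to the most recent header.
chains_with_redirect() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^Chain / { chain = $2; next }
        $1 == "REDIRECT" && $0 ~ ("redir ports " port "([^0-9]|$)") { print chain }
    '
}

# redirect_persists_without_firewalld LISTING PORT
# Exit status 0: the redirect is in the built-in PREROUTING chain, which the
#   question reports still works after firewalld is disabled.
# Exit status 1: only in PREROUTING_direct, a chain firewalld removes when it
#   stops (as the answer states), so the redirect vanishes with the daemon.
# Exit status 2: no redirect to PORT anywhere in the listing.
redirect_persists_without_firewalld() {
    chains=$(chains_with_redirect "$1" "$2")
    if printf '%s\n' "$chains" | grep -qx 'PREROUTING'; then
        return 0
    elif printf '%s\n' "$chains" | grep -qx 'PREROUTING_direct'; then
        return 1
    else
        return 2
    fi
}

# describe_listing LISTING PORT: human-readable summary for one listing.
describe_listing() {
    rc=0
    redirect_persists_without_firewalld "$1" "$2" || rc=$?
    case $rc in
        0) echo "port $2 redirect is in PREROUTING: survives a firewalld stop" ;;
        1) echo "port $2 redirect is only in PREROUTING_direct: lost when firewalld stops" ;;
        *) echo "no redirect to port $2 found" ;;
    esac
}

describe_listing "$SAMPLE_DIRECT_ONLY" 8161
describe_listing "$SAMPLE_BOTH" 8161
# On a live host, run as root: describe_listing "$(iptables -t nat -L)" 8161
```

The awk pattern keys on the "redir ports N" suffix that iptables -t nat -L prints for REDIRECT targets, so it works on the unnumbered (-L without -n) output shown in the question; feeding it the real listing is a quick way to confirm, before relying on a redirect, whether it will still be there once firewalld is stopped.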