
I'm trying to add a new rule in the PREROUTING chain in iptables (NAT) using firewall-cmd on RHEL 7:

$ firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8161

Then I check the iptables via $ iptables -t nat -L:

...
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
PREROUTING_direct  all  --  anywhere             anywhere
PREROUTING_ZONES_SOURCE  all  --  anywhere             anywhere
PREROUTING_ZONES  all  --  anywhere             anywhere
...
Chain PREROUTING_direct (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8161
...

However, if I run an equivalent iptables command as follows:

...
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
PREROUTING_direct  all  --  anywhere             anywhere
PREROUTING_ZONES_SOURCE  all  --  anywhere             anywhere
PREROUTING_ZONES  all  --  anywhere             anywhere
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8161
...
Chain PREROUTING_direct (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8161

I get this additional rule in the PREROUTING chain, and this allows prerouting to work even if the firewall is disabled (i.e., disabling the firewall daemon and running the iptables command).

So, my question is two-fold:

  • Is there a firewall-cmd command that does exactly the same as the iptables command above?
  • Can this rule be added permanently via firewall-cmd and stay there even after the firewall daemon is disabled?
xeroqu

2 Answers


You are using firewall-cmd with the --direct option, which means it accepts an iptables command. So, you can just use the same options as with iptables -t nat to have the same effect, with one exception: using firewall-cmd this way will add the NAT rule to the PREROUTING_direct chain, while using iptables directly will add the rule to the PREROUTING chain.

In the output of iptables -t nat -L, you added the rule twice: once to each chain.

As for the second part of the question, the firewalld service will remove all defined chains when stopped. So, rules added to PREROUTING_direct will not be available any more. Short answer is No.

Khaled
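The answer above makes two structural claims: the --direct rule lands in the user-defined PREROUTING_direct chain, which is only effective because the built-in PREROUTING chain jumps to it, and when firewalld stops it deletes those chains, taking the rule with it. The script below is an added example, not part of the original answer or of firewalld, that checks both points against an `iptables -t nat -S` dump: it finds which chain(s) hold the tcp/80 to 8161 REDIRECT and whether each is reachable from PREROUTING. The two dumps embedded in it are constructed to mirror the listings in the question (one with firewalld running, one after it has been stopped); on a real host feed it `$(iptables -t nat -S)` instead.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a NAT REDIRECT rule
# is present and actually reachable from the built-in PREROUTING chain.

# Constructed sample of `iptables -t nat -S` with firewalld running, after
# `firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 ...`
# followed by `firewall-cmd --reload`.
SAMPLE_FIREWALLD='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N PREROUTING_direct
-N PREROUTING_ZONES
-N PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A PREROUTING_direct -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8161'

# Constructed sample after `systemctl stop firewalld`: firewalld has flushed
# and deleted its chains, so only the built-in chains and policies remain.
SAMPLE_STOPPED='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT'

# redirect_chains DUMP DPORT TOPORT
# Print, one per line, every chain in DUMP that carries an -A rule redirecting
# tcp/DPORT to TOPORT. Prints nothing when the rule is absent.
redirect_chains() {
    printf '%s\n' "$1" | awk -v dport="$2" -v toport="$3" '
        $1 == "-A" && / -j REDIRECT/ {
            d = 0; t = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport"   && $(i+1) == dport)  d = 1
                if ($i == "--to-ports" && $(i+1) == toport) t = 1
            }
            if (d && t) print $2
        }'
}

# reachable_from DUMP ROOT CHAIN
# Succeed if ROOT jumps to CHAIN, directly or through other user chains
# (breadth-first walk over the -j targets of every -A rule in DUMP).
reachable_from() {
    [ "$2" = "$3" ] && return 0
    printf '%s\n' "$1" | awk -v root="$2" -v target="$3" '
        $1 == "-A" {
            for (i = 3; i <= NF; i++)
                if ($i == "-j") edges[$2] = edges[$2] " " $(i+1)
        }
        END {
            queue[1] = root; n = 1; seen[root] = 1
            for (q = 1; q <= n; q++) {
                m = split(edges[queue[q]], hops, " ")
                for (k = 1; k <= m; k++) {
                    c = hops[k]
                    if (c == target) exit 0
                    if (!(c in seen)) { seen[c] = 1; queue[++n] = c }
                }
            }
            exit 1
        }'
}

# redirect_status DUMP DPORT TOPORT
# One-line verdict: "active <chain>" when the rule exists in a chain that
# PREROUTING reaches, "unreachable <chains>" when it exists only in chains
# nothing jumps to, "missing" when it is gone (e.g. firewalld stopped).
redirect_status() {
    chains=$(redirect_chains "$1" "$2" "$3")
    if [ -z "$chains" ]; then
        echo missing
        return 1
    fi
    for c in $chains; do
        if reachable_from "$1" PREROUTING "$c"; then
            echo "active $c"
            return 0
        fi
    done
    echo "unreachable $chains"
    return 1
}

# Stand-alone demonstration on the constructed dumps.
# On a real host: redirect_status "$(iptables -t nat -S)" 80 8161
redirect_status "$SAMPLE_FIREWALLD" 80 8161
redirect_status "$SAMPLE_STOPPED" 80 8161 || true
```

The reachability walk is what makes the check worth more than a grep: a rule sitting in PREROUTING_direct is only live while `-A PREROUTING -j PREROUTING_direct` exists, which is exactly the line firewalld removes on stop. Running `redirect_status` after `firewall-cmd --reload` and again after `systemctl stop firewalld` reproduces the behaviour the answer describes.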

I get this additional rule in the Chain PREROUTING and this allows prerouting to work even if the firewall is disabled.

So I am not completely sure that is true.

If the PREROUTING is no longer working when you stop firewalld (and I am not clear why you would do that), then I would assume that is because firewalld is removing its entire policy (e.g. iptables -F/iptables -X). In which case, the fact you added another version of the same rule manually would make little difference. iptables -F would still remove it.

Your (first) command should be giving you a permanent pre-routing rule as you wanted, so long as you do not stop firewalld. I would tend to think that should be sufficient, but I may very well be missing something about your needs.

Just to be clear: there is no practical difference between having your prerouting rule in the PREROUTING_direct chain or the PREROUTING chain. Both approaches work the same, have the same effect, and absent other changes to your firewall policy, should be doing what you need.

The only difference is that firewalld is essentially doing a little admin behind the scenes for you, and placing your actual rule in a user-defined chain rather than a system defined one.

tl;dr: I would just keep firewalld running, and use its commands to create and manage your rules. While the firewall-cmd vs 'raw' iptables commands have slightly different visual effects, they have the same effect on the network traffic.

iwaseatenbyagrue
  • You're right - the sentence was a bit unclear. What I meant there was actually running the iptables command *after* disabling the firewall. This would add the rule correctly. – xeroqu Mar 02 '17 at 09:58