5.14. Using the Direct Interface

It is possible to add and remove chains during runtime by using the --direct option with the firewall-cmd tool. A few examples are presented here. See the firewall-cmd(1) man page for more information.
It is dangerous to use the direct interface if you are not very familiar with iptables as you could inadvertently cause a breach in the firewall.
The direct interface mode is intended for services or applications to add specific firewall rules during runtime. The rules can be made permanent by adding the --permanent option using the firewall-cmd --permanent --direct command or by modifying /etc/firewalld/direct.xml. See man firewalld.direct(5) for information on the /etc/firewalld/direct.xml file.

5.14.1. Adding a Rule using the Direct Interface

To add a rule to the IN_public_allow chain, enter the following command as root:
~]# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow \
        0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option to make the setting persistent.

5.14.2. Removing a Rule using the Direct Interface

To remove a rule from the IN_public_allow chain, enter the following command as root:
~]# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow \
        0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option to make the setting persistent.

5.14.3. Listing Rules using the Direct Interface

To list the rules in the IN_public_allow chain, enter the following command as root:
~]# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
Note that this command (the --get-rules option) only lists rules previously added using the --add-rule option. It does not list existing iptables rules added by other means.