I have a CentOS7 machine, and I use firewalld as my firewall. Recently I added a few rules using firewall-cmd:
# Removing DOCKER-USER CHAIN (it won't exist at first)
firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER
# Flush rules from DOCKER-USER chain (again, these won't exist at first; firewalld seems to remember these even if the chain is gone)
firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER
# Add the DOCKER-USER chain to firewalld
firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER
# Add rules (see comments for details)
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -j REJECT -i eth0 -dport 27017
I rebooted and checked the direct.xml file; the rules are there. I check using firewall-cmd and see the chain and the rules:
firewall-cmd --permanent --direct --get-rules ipv4 filter DOCKER-USER
0 -j REJECT -i eth0 -dport 27017
And yet, if I do a iptables -nvL, I don't see that chain anywhere:
iptables -nvL |grep DOCKER
0 0 DOCKER-ISOLATION all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (1 references)
Chain DOCKER-ISOLATION (1 references)
And if I use firewall-cmd, I don't see the chains that appear using iptables either. For example, I do have a f2b-sshd chain created by fail2ban, and yet this returns nothing:
firewall-cmd --permanent --direct --get-rules ipv4 filter f2b-sshd
What's going on? I had the idea that both iptables and firewalld just manipulated the underlying kernel, that they were just different interfaces for the same thing. Why can't one see the rules created by the other? And which ones prevail?
