CentOS 7 iptables output does match output of firewall-cmd

Aren Tahmasian asked:

Output of iptables -L -v -n does not match firewall-cmd --list-all-zones.

Specifically, I’m looking for the forwarding rules I have in place for two virtual machines. They can be clearly seen with iptables.

[[email protected] ~]# iptables -S -v | grep 192.168
-A FORWARD -d -i br0 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -c 160 12160 -j ACCEPT
-A FORWARD -s -i virbr0 -o br0 -c 160 12160 -j ACCEPT
-A FORWARD -d -i br0 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -c 110 8360 -j ACCEPT
-A FORWARD -s -i virbr1 -o br0 -c 110 8360 -j ACCEPT

I cannot find this same info with firewall-cmd --list-all-zones.

[[email protected] ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: br0
  services: ftp dhcpv6-client http ssh
  ports: 5901/tcp
  masquerade: no
  rich rules: 

The other zones have even less info but I can display them if you wish to see.

I should be able to view these rules with firewall-cmd, correct? Or am I wrong to believe this? Or am I simply using the wrong firewall-cmd command? I’ve read through the manual for firewall-cmd and I can’t seem to find the correct command if it exists.

My answer:

They look like firewall rules added by libvirt. These are not visible or manageable through firewalld.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.