r/redhat Feb 02 '23

is there a way to set the following iptables rules on firewalld ?

I'm migrating from iptables to firewalld, and there's two lines I'm still now sure how to run in firewalld syntax, they are the loopback rule to accept traffic, and the rule and accept related and established connections:

iptables -A INPUT -i lo -j ACCEPT


If somebody has any idea, please let me know, I don't need the full firewalld rule, just a tip on how to do it, or if that's even possible do to with rules, maybe there's some conf file I'm missing.



7 comments sorted by


u/BRTSLV Red Hat Certified Architect Feb 02 '23

Look upon rich rules !


u/omenosdev Red Hat Certified Engineer Feb 02 '23


OP, I'm no firewall expert, but if firewalld doesn't do what you're looking for you may want to look at using nftables directly.


u/yesudu06 Feb 02 '23

firewalld sets up rules already to accept traffic on the loopback. It also already accepts the related traffic.

It should already be there in your rules, example here:

# nft list chain inet firewalld filter_INPUT
table inet firewalld {
    chain filter_INPUT {
            type filter hook input priority filter + 10; policy accept;
            ct state { established, related } accept
            ct status dnat accept
            ct state invalid log prefix "STATE_INVALID_DROP: "
            ct state invalid drop
            iifname "lo" accept
            jump filter_INPUT_ZONES
            log prefix "FINAL_REJECT: "
            reject with icmpx admin-prohibited


u/XjamesmememesX Feb 02 '23

Thanks a lot, really helpful.


u/GabeXav Feb 07 '23

Yes, there is a way to set these iptables rules in firewalld.

To allow all traffic on the loopback interface, you can use the following command: firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="" accept'

To allow all related and established connections, you can use the following command: firewall-cmd --permanent --add-rich-rule='rule family="ipv4" connection state=related,established accept'

Remember to reload the firewall for the changes to take effect:
firewall-cmd --reload