| From: Eric Garver <egarver(a)redhat.com>
| > For reference, here again is the direct rule I'm considering:
| >
| > | > sudo firewall-cmd \
| > | > --direct --add-rule ipv4 filter FORWARD 0 \
| > | > --in-interface=EXTERNAL_INTERFACE \
| > | > --source MYSUBNET \
| > | > DROP
|
| Based on what you said above this looks like your best option for
| firewalld < v0.9.0.
|
| Note: You forgot the "-j". It should be "-j DROP" instead of
| "DROP".
Thanks.
No wonder that I confused you about what I was trying to do. --source
should have been --destination.
I don't seem to be cut out for iptables -- I keep making little
mistakes. That's why I like firewalld.
With those two changes, the direct rule works.
(The real complexity of iptables is in the sequencing and priorities
of rules. The more declarative nature of firewalld is much better.)
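For readers following the thread, here is the corrected direct rule assembled as a small shell script. This is an added example, not code posted by either participant: it applies the two fixes discussed above (--destination in place of --source, and the missing "-j DROP" target), and checks the rule before and after it is handed to firewall-cmd. EXTERNAL_INTERFACE and MYSUBNET are the same placeholders as in the thread; apply_and_check assumes a root shell with firewalld's direct interface available, as on the firewalld < 0.9.0 setup being discussed.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the corrected firewalld
# direct rule and verifies it with --query-rule after adding it.

# Emit the rule arguments that follow "--direct --add-rule":
#   <family> <table> <chain> <priority> <iptables args>
# The fixes from the thread: --destination (not --source) and "-j DROP".
build_direct_rule() {
  iface="$1"
  subnet="$2"
  printf '%s' "ipv4 filter FORWARD 0 --in-interface=$iface --destination $subnet -j DROP"
}

# Guard against the mistake from the thread: a rule with no jump target.
# Returns 0 when a "-j" target is present, 1 otherwise.
has_jump_target() {
  case " $1 " in
    *" -j "*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Add the rule (runtime only, as in the thread) and confirm firewalld sees it.
# Requires root and firewall-cmd; word-splitting of $rule is intentional.
apply_and_check() {
  rule=$(build_direct_rule "$1" "$2")
  has_jump_target "$rule" || { echo "refusing rule without -j target" >&2; return 1; }
  firewall-cmd --direct --add-rule $rule >/dev/null || return 1
  firewall-cmd --direct --query-rule $rule
}

# Usage (placeholders from the thread; replace with real values):
#   apply_and_check EXTERNAL_INTERFACE MYSUBNET
```

Because the rule is added without --permanent it disappears on reload, which matches the runtime rule the thread was testing; the --query-rule call is the cheap way to confirm firewalld accepted exactly the arguments you think it did.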