Looking at iptables rules in RHEL/CentOS 7 firewalld

RHEL 7 and its offspring use the iptables engine as the firewalld backend. You can't create rules with the normal iptables commands. However, every time you create a rule with a firewall-cmd command, the iptables backend creates the appropriate iptables rule and inserts it into its proper place. You can view the active rules with iptables -L. Here's the first part of a very long output:

[donnie@localhost ~]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

As was the case with ufw on Ubuntu, a lot has already been configured for us. At the top, in the INPUT chain, we can see that the connection state rule and the rule to block invalid packets are already there. The default policy for the chain is ACCEPT, but the final rule of the chain is set to REJECT what isn't specifically allowed. In between these, we can see rules that direct other packets to other chains for processing. Now, let's look at the next portion:
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:domain ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain ctstate NEW

Chain IN_public_deny (1 references)
target prot opt source destination
REJECT icmp -- anywhere anywhere icmp host-redirect reject-with icmp-host-prohibited

Toward the bottom of the very long output, we can see the IN_public_allow chain, which contains the rules that we created for opening firewall ports. Just below that is the IN_public_deny chain, which contains the REJECT rule for blocking unwanted ICMP types. In both the INPUT chain and the IN_public_deny chain, the REJECT rules return an ICMP message to inform the sender that the packets were blocked.
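The two properties described above (an INPUT chain whose default policy is ACCEPT but that still ends in a catch-all REJECT, and the ports opened in IN_public_allow) are easier to verify by script than by reading the full listing by eye. The following is an added example, not code from the book or from firewalld; the sample text is constructed from the chains shown above, and on a live system you would feed it the output of sudo iptables -L instead.

```python
import re

# Constructed sample: the chains quoted from the iptables -L output above.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:domain ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain ctstate NEW

Chain IN_public_deny (1 references)
target prot opt source destination
REJECT icmp -- anywhere anywhere icmp host-redirect reject-with icmp-host-prohibited
"""

def parse_chains(text):
    """Return {chain: {"policy": str or None, "rules": [token lists]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if m:                                  # built-in chains carry a policy,
            current = m.group(1)               # user chains a reference count
            chains[current] = {"policy": m.group(2), "rules": []}
        elif current and line and not line.startswith("target "):
            chains[current]["rules"].append(line.split())
    return chains

def ends_in_catch_all(chains, name="INPUT"):
    """True unless an ACCEPT-policy chain lacks a final REJECT/DROP for all
    protocols and addresses (a ctstate-qualified DROP does not count)."""
    chain = chains[name]
    last = chain["rules"][-1] if chain["rules"] else []
    catch_all = (len(last) >= 5 and last[0] in ("REJECT", "DROP")
                 and last[1] == "all" and last[3] == last[4] == "anywhere"
                 and "ctstate" not in last)
    return chain["policy"] != "ACCEPT" or catch_all

def allowed_ports(chains, name="IN_public_allow"):
    """(proto, port) pairs opened by ACCEPT rules, e.g. ('tcp', 'ssh')."""
    return [(rule[1], tok[4:]) for rule in chains[name]["rules"]
            if rule[0] == "ACCEPT" for tok in rule if tok.startswith("dpt:")]
```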

Now, keep in mind that there's a lot of this iptables -L output that we haven't shown. So, look at it for yourself to see what's there. When you do, you may ask yourself, "Where are these default rules stored? Why am I not seeing them in the /etc/firewalld directory?"

To answer that question, I had to do some rather extensive investigation. For some truly bizarre reason, the Red Hat folk have left this completely undocumented. I finally found the answer in the /usr/lib/python2.7/site-packages/firewall/core/ directory. Here, there's a set of Python scripts that set up the initial default firewall:

[donnie@localhost core]$ ls
base.py fw_config.pyc fw_helper.pyo fw_ipset.py fw_policies.pyc fw_service.pyo fw_zone.py icmp.pyc ipset.pyc logger.pyo rich.py base.pyc fw_config.pyo fw_icmptype.py fw_ipset.pyc fw_policies.pyo fw_test.py fw_zone.pyc icmp.pyo ipset.pyo modules.py rich.pyc base.pyo fw_direct.py fw_icmptype.pyc fw_ipset.pyo fw.py fw_test.pyc fw_zone.pyo __init__.py ipXtables.py modules.pyc rich.pyo ebtables.py fw_direct.pyc fw_icmptype.pyo fw_nm.py fw.pyc fw_test.pyo helper.py __init__.pyc ipXtables.pyc modules.pyo watcher.py ebtables.pyc fw_direct.pyo fw_ifcfg.py fw_nm.pyc fw.pyo fw_transaction.py helper.pyc __init__.pyo ipXtables.pyo prog.py watcher.pyc ebtables.pyo fw_helper.py fw_ifcfg.pyc fw_nm.pyo fw_service.py fw_transaction.pyc helper.pyo io logger.py prog.pyc watcher.pyo fw_config.py fw_helper.pyc fw_ifcfg.pyo fw_policies.py fw_service.pyc fw_transaction.pyo icmp.py ipset.py logger.pyc prog.pyo
[donnie@localhost core]$

The script that does most of the work is the ipXtables.py script. If you look in it, you'll see that its list of iptables commands matches up with the iptables -L output.
