SCIENTIFIC-LINUX-USERS Archives

June 2016

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Reply To:
Date: Thu, 23 Jun 2016 07:45:06 -0500
I'm trying to set up NAT on an SL7x machine.  I know how to do it via
iptables but am a little hesitant because of firewalld.

It's obvious from the lack of /etc/sysconfig/iptables that iptables
configuration is stored elsewhere, probably in several XML files.

I'm going to try to do it via 'firewall-cmd --direct' in the hopes that
my reconfiguration is stored across reboots.

I dumped out the nat table.  There are several chains that did not exist
in SL6x.  They appear to be stubs.  Does anyone know what their intended
purpose is?  For example, my default zone is 'work' and I see among
others, POST_work, POST_work_log, POST_work_deny, POST_work_allow, etc.

The POSTROUTING chain also contains several targets with explicit rules
on 192.168.122.0/24.  Googling says they are libvirt related.  I suppose
I could retain them.  Does anyone know if things will break if I delete
them?  It's a NAT gateway, not a virtualization server.
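
The persistent form of the `firewall-cmd --direct` approach mentioned in the message, as an added example that is not part of the original post: with `--permanent`, direct rules are written to /etc/firewalld/direct.xml and survive reboots. The interface names (eth0 outside, eth1 inside), the `APPLY` variable and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: persistent NAT through firewalld direct rules (SL7/EL7).
# Dry run by default: commands are printed. Set APPLY=1 to execute them as root.

fw() {
    if [ "${APPLY:-0}" = 1 ]; then
        firewall-cmd "$@"
    else
        echo "firewall-cmd $*"
    fi
}

# Reject empty or odd interface names before they reach a rule.
valid_if() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# nat_direct_rules WAN_IF LAN_IF   (hypothetical helper)
# --permanent stores each rule in /etc/firewalld/direct.xml; without it the
# rule exists only in the runtime configuration and is lost on reload or reboot.
nat_direct_rules() {
    wan="$1"; lan="$2"
    valid_if "$wan" && valid_if "$lan" || {
        echo "usage: nat_direct_rules WAN_IF LAN_IF" >&2
        return 2
    }
    fw --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o "$wan" -j MASQUERADE &&
    fw --permanent --direct --add-rule ipv4 filter FORWARD 0 -i "$lan" -o "$wan" -j ACCEPT &&
    fw --permanent --direct --add-rule ipv4 filter FORWARD 0 -i "$wan" -o "$lan" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT &&
    fw --reload   # load the permanent configuration into the running firewall
}

# Show what is stored on disk, i.e. what will come back after a reboot.
persisted_rules() {
    fw --permanent --direct --get-all-rules
}

# Forwarding must also be enabled in the kernel (net.ipv4.ip_forward = 1).
# Example with the assumed interface names: nat_direct_rules eth0 eth1
```

Run it once without `APPLY=1` to review the exact commands, then compare `persisted_rules` with the live nat table after applying.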
