Date: Tue, 28 Jun 2016 08:36:58 -0500
After reading and poking around, I've discovered it's actually quite easy
to set up NAT with firewalld instead of disabling it and resorting to
iptables-services.
Firewalld provides /etc/firewalld/direct.xml where one can create chains
and rules directly into a selected table. See firewalld.direct(5) for
details.
The appropriate chain is apparently POSTROUTING_direct. Firewalld
creates this chain whether direct.xml exists or not. The other stub
chains I asked about correspond to the active zones.
The net.ipv4.ip_forward is already set because of libvirtd.
On 06/23/2016 07:45 AM, Ken Teh wrote:
> I'm trying to set up NAT on an SL7x machine. I know how to do it via
> iptables but am a little hesitant because of firewalld.
>
> It's obvious from the lack of /etc/sysconfig/iptables that iptables
> configuration is stored elsewhere probably in several xml files.
>
> I'm going to try to do it via 'firewall-cmd --direct' in the hopes that
> my reconfiguration is stored across reboots.
>
> I dumped out the nat table. There are several chains that did not exist
> in SL6x. They appear to be stubs. Does anyone know what their intended
> purpose is? For example, my default zone is 'work' and I see among
> others, POST_work, POST_work_log, POST_work_deny, POST_work_allow, etc.
>
> The POSTROUTING chain also contains several targets with explicit rules
> on 192.168.122.0/24. Googling says they are libvirt related. I suppose
> I could retain them. Does anyone know if things will break if I delete
> them? It's a NAT gateway, not a virtualization server.
>
>
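The procedure the reply describes, as an added example that is not part of either message: NAT rules placed through firewalld's direct interface, which firewalld inserts into the POSTROUTING_direct and FORWARD_direct chains and persists in /etc/firewalld/direct.xml. The interface names (eth0 outside, eth1 inside) and the LAN prefix 10.0.0.0/24 are constructed for the example, not taken from the post.

```bash
#!/bin/bash
# Added example (not from the original post): NAT via firewalld direct rules.
# Assumptions, all constructed: WAN interface eth0, LAN interface eth1,
# LAN network 10.0.0.0/24. Applying needs root and a running firewalld.
set -eu

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"

# One direct rule per line: "<ipv> <table> <chain> <priority> <iptables args>".
# Kept in one place so the apply step and the direct.xml rendering agree.
nat_direct_rules() {
  printf '%s\n' \
    "ipv4 nat POSTROUTING 0 -s $LAN_NET -o $WAN_IF -j MASQUERADE" \
    "ipv4 filter FORWARD 0 -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT" \
    "ipv4 filter FORWARD 0 -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Render the same rules in the /etc/firewalld/direct.xml format that
# `firewall-cmd --permanent --direct --add-rule` writes (see firewalld.direct(5)).
render_direct_xml() {
  echo '<?xml version="1.0" encoding="utf-8"?>'
  echo '<direct>'
  nat_direct_rules | while read -r ipv table chain prio args; do
    printf '  <rule ipv="%s" table="%s" chain="%s" priority="%s">%s</rule>\n' \
      "$ipv" "$table" "$chain" "$prio" "$args"
  done
  echo '</direct>'
}

# Store the rules permanently (firewalld writes them to direct.xml), then reload
# so they take effect in the running ruleset.
apply_nat() {
  nat_direct_rules | while read -r rule; do
    # shellcheck disable=SC2086  # word-splitting of $rule is intended here
    firewall-cmd --permanent --direct --add-rule $rule
  done
  firewall-cmd --reload
  # Forwarding must be on. libvirtd had already set it on the poster's machine,
  # but a NAT gateway should not depend on that.
  sysctl -w net.ipv4.ip_forward=1
}

# Check: the rules should now sit in the *_direct chains, not in the zone chains.
verify_nat() {
  iptables -t nat -S POSTROUTING_direct | grep -q -- "-j MASQUERADE"
  iptables -S FORWARD_direct | grep -q -- "-o $WAN_IF"
}

# Only touch the live firewall when asked to and when actually root with firewalld;
# otherwise just show the direct.xml equivalent of the rules.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" = 0 ] && command -v firewall-cmd >/dev/null; then
  apply_nat && verify_nat && echo "NAT via firewalld direct rules is active"
else
  render_direct_xml
fi
```

Run it with no arguments to see the direct.xml that the --permanent commands produce; run it as root with `apply` to install and verify the rules. To keep ip_forward across reboots independently of libvirtd, put `net.ipv4.ip_forward = 1` in a file under /etc/sysctl.d/. Note that firewalld can also masquerade without direct rules (`firewall-cmd --zone=external --add-masquerade --permanent`, with the LAN interface in a trusted or internal zone); the direct approach above is the one the reply settled on and is the closer match to an existing iptables-based setup.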