SCIENTIFIC-LINUX-USERS Archives

June 2016

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Tue, 28 Jun 2016 08:36:58 -0500

After reading and poking around, I've discovered it's actually quite easy
to set up NAT with firewalld instead of disabling it and resorting to
iptables-services.

Firewalld provides /etc/firewalld/direct.xml where one can create chains
and rules directly into a selected table.  See firewall.direct(5) for
details.

The appropriate chain is apparently POSTROUTING_direct.  Firewalld
creates this chain whether direct.xml exists or not.  The other stub
chains I asked about correspond to the active zones.

net.ipv4.ip_forward is already set because of libvirtd.


On 06/23/2016 07:45 AM, Ken Teh wrote:
> I'm trying to set up NAT on an SL7x machine.  I know how to do it via
> iptables but am a little hesitant because of firewalld.
>
> It's obvious from the lack of /etc/sysconfig/iptables that iptables
> configuration is stored elsewhere probably in several xml files.
>
> I'm going to try to do it via 'firewall-cmd --direct' in the hopes that
> my reconfiguration is stored across reboots.
>
> I dumped out the nat table.  There are several chains that did not exist
> in SL6x.  They appear to be stubs.  Does anyone know what their intended
> purpose is?  For example, my default zone is 'work' and I see among
> others, POST_work, POST_work_log, POST_work_deny, POST_work_allow, etc.
>
> The POSTROUTING chain also contains several targets with explicit rules
> on 192.168.122.0/24.  Googling says they are libvirt related.  I suppose
> I could retain them.  Does anyone know if things will break if I delete
> them?  It's a NAT gateway, not a virtualization server.
>
>
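As an added illustration of the direct.xml approach described in the message above (this is example configuration, not a file from the original post or from the firewalld project), the file below places a masquerade rule in the nat table's POSTROUTING_direct chain. The rule syntax follows firewalld.direct(5): each rule element names the IP family, table, chain and priority, and its text is the iptables argument list that firewalld appends to `-A <chain>`. The interface names eth0 (WAN) and eth1 (LAN) and the subnet 192.168.1.0/24 are assumptions for a generic gateway; the FORWARD_direct rules are an added assumption about the filter table, since firewalld's FORWARD chain ends in a REJECT and direct-only NAT would otherwise forward nothing.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- /etc/firewalld/direct.xml  (example file; eth0, eth1 and 192.168.1.0/24 are placeholders) -->
<direct>
  <!-- Masquerade only the LAN subnet and only when it leaves through the WAN
       interface. Restricting with -s and -o keeps the gateway from rewriting
       traffic on every interface, which a bare "-j MASQUERADE" would do. -->
  <rule ipv="ipv4" table="nat" chain="POSTROUTING_direct" priority="0">-s 192.168.1.0/24 -o eth0 -j MASQUERADE</rule>

  <!-- Forwarding must also be allowed in the filter table. Permit LAN-to-WAN
       traffic outbound and only reply traffic back in (assumed FORWARD_direct
       hook; eth1 is the assumed LAN interface). -->
  <rule ipv="ipv4" table="filter" chain="FORWARD_direct" priority="0">-i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD_direct" priority="0">-i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</rule>
</direct>
```

After editing the file, `firewall-cmd --reload` loads it; the same rules can be entered without a text editor as `firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING_direct 0 -s 192.168.1.0/24 -o eth0 -j MASQUERADE` (followed by a reload), which writes the same direct.xml. Check what is actually active with `firewall-cmd --direct --get-all-rules` and `iptables -t nat -L POSTROUTING_direct -n -v`, and confirm `sysctl net.ipv4.ip_forward` reports 1; if the value is only there because libvirtd set it, persist it in /etc/sysctl.d/ so NAT does not silently stop after libvirtd is removed. Note that firewalld jumps to the *_direct chains before its zone chains, so nothing in the zone configuration narrows these rules; keep the -s and -o restrictions rather than relying on the zone to do it.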
