After reading and poking around, I've discovered it's actually quite easy to set up NAT with firewalld instead of disabling it and resorting to iptables-services.
Firewalld provides /etc/firewalld/direct.xml where one can create chains and rules directly in a selected table. See firewalld.direct(5) for details. The appropriate chain is apparently POSTROUTING_direct. Firewalld creates this chain whether direct.xml exists or not. The other stub chains I asked about correspond to the active zones. net.ipv4.ip_forward is already set because of libvirtd.

On 06/23/2016 07:45 AM, Ken Teh wrote:
> I'm trying to set up NAT on an SL7x machine. I know how to do it via iptables but am a little hesitant because of firewalld. It's obvious from the lack of /etc/sysconfig/iptables that the iptables configuration is stored elsewhere, probably in several xml files. I'm going to try to do it via 'firewall-cmd --direct' in the hope that my reconfiguration is kept across reboots. I dumped out the nat table. There are several chains that did not exist in SL6x. They appear to be stubs. Does anyone know what their intended purpose is? For example, my default zone is 'work' and I see, among others, POST_work, POST_work_log, POST_work_deny, POST_work_allow, etc. The POSTROUTING chain also contains several targets with explicit rules on 192.168.122.0/24. Googling says they are libvirt related. I suppose I could retain them. Does anyone know if things will break if I delete them? It's a NAT gateway, not a virtualization server.