Re: openvpn and firewalld




On 5/9/2015 8:32 AM, James B. Byrne wrote:
> On Fri, May 8, 2015 12:06, Bowie Bailey wrote:
>
>> Replying to myself here, I finally figured out how to do it with
>> direct rules.  Firewalld on CentOS 7 defaults to a drop rule for
>> the FORWARD chain which my previous server didn't have.  So I
>> needed to put the rules in the FORWARD chain rather than the
>> INPUT chain.
>
> This does not make sense to me.  The INPUT, OUTPUT and FORWARD chains
> are swimlanes. A packet starts out, following PREROUTING, in exactly
> one of these three and never leaves it.  It can JUMP to shared chains
> but it will always return to its original chain until ACCEPTed,
> DROPped or REJECTed.

I was a bit confused when I originally posted. This is the only machine that does forwarding and I haven't touched the iptables setup on it in years.

The original machine had a shared chain between INPUT and FORWARD with rules that allowed the traffic. I had forgotten how the INPUT and FORWARD chains worked and didn't realize at first that this was a shared chain, so I was putting the rules in the INPUT chain on the new box, which (of course) didn't work.

The other thing that caught me was that the new box has a reject rule at the end of the FORWARD chain that I didn't notice until I did an iptables-save and combed through the rules. Is there a better way to get an overview of ALL the rules with firewalld? None of the firewall-cmd options that I can find will show me that there is a reject rule on the FORWARD chain.

--
Bowie
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
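As an added illustration of the two points in the thread (a FORWARD packet only ever sees FORWARD and the chains FORWARD jumps to, and firewalld's trailing REJECT in FORWARD is only visible in the raw ruleset), the script below walks a constructed `iptables-save` excerpt and reports, per built-in chain, the policy, whether the chain ends in an unconditional DROP/REJECT, and which chains a packet entering it can reach. The ruleset is made up for this example and is not from the thread or from any real host; it is shaped like a CentOS 7 firewalld filter table with one direct rule for `tun0`. This is example code, not part of the original post.

```shell
#!/bin/sh
# Constructed iptables-save excerpt (made up for this example, not captured
# from a real box). It mimics a CentOS 7 firewalld filter table after
#   firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun0 -j ACCEPT
# which firewalld places in the FORWARD_direct chain.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD_direct -i tun0 -j ACCEPT
COMMIT'

# Print the default policy of a built-in chain (":CHAIN POLICY [pkts:bytes]").
chain_policy() {
    printf '%s\n' "$SAMPLE_SAVE" | awk -v c=":$1" '$1 == c { print $2; exit }'
}

# Print DROP or REJECT if the last rule appended to CHAIN is an
# unconditional terminal rule ("-A CHAIN -j DROP|REJECT ..."), else "none".
# This is the rule firewall-cmd --list-all does not show you.
trailing_verdict() {
    printf '%s\n' "$SAMPLE_SAVE" | awk -v c="$1" '
        $1 == "-A" && $2 == c { last = $0 }
        END {
            n = split(last, f, " ")
            if (n >= 4 && f[3] == "-j" && (f[4] == "DROP" || f[4] == "REJECT"))
                print f[4]
            else
                print "none"
        }'
}

# List the chains a packet entering CHAIN can visit: the chain itself plus
# every user chain it jumps to (-j or -g), followed recursively. A packet in
# FORWARD never visits INPUT or INPUT_direct, so rules placed there are
# irrelevant to forwarded VPN traffic.
reachable_chains() {
    printf '%s\n' "$SAMPLE_SAVE" | awk -v start="$1" '
        /^:/ { sub(/^:/, "", $1); defined[$1] = 1 }
        $1 == "-A" {
            for (i = 3; i < NF; i++)
                if (($i == "-j" || $i == "-g") && (($(i + 1)) in defined))
                    jumps[$2] = jumps[$2] " " $(i + 1)
        }
        END {
            queue[1] = start; seen[start] = 1; head = 1; tail = 1
            while (head <= tail) {
                c = queue[head++]
                out = out (out == "" ? "" : " ") c
                n = split(jumps[c], t, " ")
                for (k = 1; k <= n; k++)
                    if (!(t[k] in seen)) { seen[t[k]] = 1; queue[++tail] = t[k] }
            }
            print out
        }'
}

# Overview of the three built-in filter chains.
for chain in INPUT FORWARD OUTPUT; do
    printf '%s: policy=%s trailing=%s visits=%s\n' "$chain" \
        "$(chain_policy "$chain")" "$(trailing_verdict "$chain")" \
        "$(reachable_chains "$chain")"
done
```

On a live host, feed the functions the output of `iptables-save` (or look at `iptables -S FORWARD` / `iptables -nvL FORWARD` directly); those show the whole chain, including the trailing REJECT that `firewall-cmd --list-all` does not display. `firewall-cmd --direct --get-all-rules` lists only the direct rules you added, not the rules firewalld generates around them.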

