Y'all may remember me fighting this a few weeks back. I did finally succeed, and thought that my awk script might be helpful to others. Yes, it's really simple; it uses the built-in FORWARD chain. The line where I skip the definition of those chains is because it *is* built in.

To use it, I did an iptables-save on the firewall that's currently in use, changed the physdev devices to match the ones on the new box (I *loathe* that idiot varying name convention, it is *not* helpful), and then ran it through this script. I piped the o/p into a file, then sh scriptname did the actual install. Following that, I did firewall-cmd --reload, and all was wonderful, and I could ping the system inside the firewall, and from the subnet in our building (the new one's in the datacenter), but not from anywhere else, so the rules worked.

Note that I did the work, I work for a US gov't federal contractor, so this was done on tax dollars, and should be free of any encumbrance. Hope it helps, folks.

    BEGIN { priority = 1; }
    {
        # Only rule lines ("-A <chain> ...") are converted; the *filter,
        # :CHAIN and COMMIT lines of iptables-save output are ignored.
        if ( $0 ~ /^-A/ ) {
            # Skip rules that are already on the built-in INPUT/FORWARD chains.
            if ( $2 ~ /^INPUT|^FORWARD/ ) { next; }
            # Strip "-A <chain> " and keep the match/target part of the rule.
            # (Anchored sub() rather than index($0, $3), which would match
            # inside a chain name such as "my-p-chain" when $3 is "-p".)
            rule = $0;
            sub( /^-A[ \t]+[^ \t]+[ \t]+/, "", rule );
            print "firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD " priority++ " " rule;
        }
    }

mark
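Added example, not the poster's script: a small shell wrapper that does the two manual steps of the post in one pass, renaming the physdev interfaces and then emitting one firewall-cmd --direct command per rule. The iptables-save text, the custom chain name fw-in and the interface names eth1/ens192 are constructed placeholders; the skip of rules already on INPUT/FORWARD is the same one the posted script makes.

```shell
#!/bin/sh
# Added example, not the original poster's script. Renames physdev
# interfaces and converts the remaining rules into firewall-cmd --direct
# commands. Ruleset, chain and interface names are constructed placeholders.

# Constructed iptables-save output: one custom chain hanging off FORWARD.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:fw-in - [0:0]
-A FORWARD -j fw-in
-A fw-in -m physdev --physdev-in eth1 -p tcp --dport 22 -j ACCEPT
-A fw-in -m physdev --physdev-in eth1 -p tcp --dport 443 -j ACCEPT
-A fw-in -j DROP
COMMIT'

# convert_rules OLD_IF NEW_IF
# Reads iptables-save text on stdin and prints one firewall-cmd command per
# rule, numbering priorities from 1 so the source order is preserved.
convert_rules() {
    awk -v old="$1" -v new="$2" '
        BEGIN { priority = 1 }
        # Only "-A <chain> ..." lines are rules; headers and COMMIT are skipped.
        $1 != "-A" { next }
        # Same skip as the posted script: rules already on the built-in chains.
        $2 == "INPUT" || $2 == "FORWARD" { next }
        {
            # Rename the interface field by field, so renaming "eth1" does not
            # also rewrite "eth10" the way a plain text substitution would.
            for (i = 3; i <= NF; i++)
                if (($(i-1) == "--physdev-in" || $(i-1) == "--physdev-out") && $i == old)
                    $i = new
            # Drop "-A <chain>" and keep the match/target part of the rule.
            rule = $3
            for (i = 4; i <= NF; i++) rule = rule " " $i
            printf "firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD %d %s\n", priority++, rule
        }'
}

# Print the commands; review them, then run the saved file with sh and
# firewall-cmd --reload as described in the post.
printf '%s\n' "$SAMPLE_RULES" | convert_rules eth1 ens192
```

Two checks before running the generated file: the flattening only reproduces the original semantics when FORWARD jumps to a single custom chain, as in the sample; with several chains or chain-to-chain jumps the priority numbers alone do not recreate the jump structure, so read the list rather than piping it straight to sh. After the reload, firewall-cmd --direct --get-all-rules shows what actually landed in the FORWARD chain, in priority order, and should match the list one for one.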