On 5/9/2015 8:32 AM, James B. Byrne wrote:
> On Fri, May 8, 2015 12:06, Bowie Bailey wrote:
>
>> Replying to myself here, I finally figured out how to do it with
>> direct rules. Firewalld on CentOS 7 defaults to a drop rule for
>> the FORWARD chain which my previous server didn't have. So I
>> needed to put the rules in the FORWARD chain rather than the
>> INPUT chain.
>>
> This does not make sense to me. The INPUT, OUTPUT and FORWARD chains
> are swimlanes. A packet starts out, following PREROUTING, in exactly
> one of these three and never leaves it. It can JUMP to shared chains
> but it will always return to its original chain until ACCEPTed,
> DROPped or REJECTed.
I was a bit confused when I originally posted. This is the only machine
that does forwarding and I haven't touched the iptables setup on it in
years.
The original machine had a shared chain between INPUT and FORWARD with
rules that allowed the traffic. I had forgotten how the INPUT and
FORWARD chains worked and didn't realize at first that this was a shared
chain, so I was putting the rules in the INPUT chain on the new box,
which (of course) didn't work.
The other thing that caught me was that the new box has a reject rule at
the end of the FORWARD chain that I didn't notice until I did an
iptables-save and combed through the rules. Is there a better way to
get an overview of ALL the rules with firewalld? None of the
firewall-cmd options that I can find will show me that there is a reject
rule on the FORWARD chain.
--
Bowie
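As an added example (not part of the thread, and not firewalld's own tooling), here is one way to get the overview Bowie is asking for: feed `iptables-save` output to a small script that lists every DROP/REJECT rule with its chain and position, and checks whether a given chain ends in a catch-all reject. The embedded ruleset is a constructed, trimmed imitation of what a firewalld host prints; the `INPUT_direct` / `FORWARD_direct` chains and the trailing `REJECT --reject-with icmp-host-prohibited` rules are the firewalld conventions the thread describes. The function names `terminal_rules` and `chain_ends_in_reject` are this example's own.

```shell
#!/bin/sh
# Added example: find the REJECT/DROP rules firewalld appends to the built-in
# chains, from iptables-save text. On a live CentOS 7 host you would use the
# real ruleset instead of the sample below, for instance:
#   iptables-save | terminal_rules
#   iptables -S FORWARD                     # one rule per line, one chain
#   firewall-cmd --direct --get-all-rules   # only the direct rules you added

# Constructed sample of iptables-save output on a firewalld host
# (counters zeroed, most chains and rules omitted).
SAMPLE_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD_direct -i eth1 -o eth0 -j ACCEPT
COMMIT'

# terminal_rules: read iptables-save text on stdin and print one line per
# DROP/REJECT rule as "<chain> rule <n>: <rule>", where n is the rule's
# position in its chain (the number `iptables -L --line-numbers` shows).
terminal_rules() {
    awk '
        /^-A / {
            chain = $2
            pos[chain]++
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && ($(i+1) == "DROP" || $(i+1) == "REJECT")) {
                    printf "%s rule %d: %s\n", chain, pos[chain], $0
                }
            }
        }
    '
}

# chain_ends_in_reject CHAIN: read iptables-save text on stdin and print
# "yes" if CHAIN's last rule is a catch-all DROP/REJECT (no match criteria
# before -j), otherwise "no". A "yes" on FORWARD means any forwarded traffic
# you want to permit needs an ACCEPT rule earlier in that chain.
chain_ends_in_reject() {
    chain="$1"
    awk -v c="$chain" '
        $1 == "-A" && $2 == c { last = $0 }
        END {
            if (last ~ ("^-A " c " -j (DROP|REJECT)( |$)")) print "yes"
            else print "no"
        }
    '
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_RULESET" | terminal_rules
printf 'FORWARD ends in catch-all reject: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULESET" | chain_ends_in_reject FORWARD)"
```

The `--line-numbers` positions matter because firewalld's own chains are jumped to before the final reject: a direct rule that lands in `FORWARD_direct` is evaluated at rule 2 of FORWARD in the sample above, so it is consulted before the reject at rule 3, whereas an ACCEPT placed in INPUT never sees forwarded packets at all.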