The last two router/firewall servers I had used Slackware and Gentoo.
I'm used to writing complete and explicit iptables rules; however, when I
set up /etc/sysconfig/iptables in CentOS 7 my usual syntax is unusable.

For example, I'm used to stating postrouting masquerade as:

/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE

But when I use the rule above, iptables.service fails upon start and exits.

Through trial and error, I found a correct masquerade statement:

*nat
-A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
COMMIT

This looks similar to output from iptables-save.

Another example:

/usr/sbin/iptables -t filter -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
[DOES NOT WORK]

*filter
-A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
COMMIT
[DOES WORK]

After using iptables for a long time, I can't figure out where this syntax comes from.
Can anyone point me in the right direction to understand the proper syntax
necessary in /etc/sysconfig/iptables?

Thanks for your help.
On 23/05/16 14:55, Mike wrote:
> The last two router/firewall servers I had used Slackware and Gentoo.
> I'm used to writing complete and explicit iptables rules; however, when I
> set up /etc/sysconfig/iptables in CentOS 7 my usual syntax is unusable.
>
> For example, I'm used to stating postrouting masquerade as:
>
> /usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j
> MASQUERADE
>
> But when I use the rule above, iptables.service fails upon start and exits.
>
> Through a series of trial and error, I found a correct masquerade statement:
>
> *nat
> -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
> COMMIT
>
> This looks similar to output from iptables-save.
>
> Another example:
>
> /usr/sbin/iptables -t filter -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
> [DOES NOT WORK]
>
> *filter
> -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
> COMMIT
> [DOES WORK]
>
> After using iptables for a long time, I can't figure out where this syntax
> comes from.
> Can anyone point me in the right direction to understand the proper syntax
> necessary in /etc/sysconfig/iptables?

By default CentOS 7 uses firewalld and not iptables - check what is
enabled and running with

>systemctl status firewalld.service

or if you want to see all that is running on your server/PC

>systemctl

HTH

> Thanks for your help.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
On Sun, May 22, 2016 at 11:02 PM, Rob Kampen <rkampen at kampensonline.com> wrote:

> By default CentOS 7 uses firewalld and not iptables - check what is
> enabled and running with
>
> >systemctl status firewalld.service
> >systemctl

reports:

systemctl status firewalld.service
● firewalld.service
   Loaded: masked (/dev/null)
   Active: inactive (dead)

I disabled/removed firewalld and installed/enabled iptables.
You need to disable firewalld and install iptables, if you really want to use the old way:
https://www.certdepot.net/rhel7-disable-firewalld-use-iptables/

Firewalld is the preferred way. You should learn it.

--
Eero

2016-05-23 5:55 GMT+03:00 Mike <1100100 at gmail.com>:
> The last two router/firewall servers I had used Slackware and Gentoo.
> I'm used to writing complete and explicit iptables rules; however, when I
> set up /etc/sysconfig/iptables in CentOS 7 my usual syntax is unusable.
>
> For example, I'm used to stating postrouting masquerade as:
>
> /usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j
> MASQUERADE
>
> But when I use the rule above, iptables.service fails upon start and exits.
>
> Through a series of trial and error, I found a correct masquerade
> statement:
>
> *nat
> -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
> COMMIT
>
> This looks similar to output from iptables-save.
>
> Another example:
>
> /usr/sbin/iptables -t filter -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
> [DOES NOT WORK]
>
> *filter
> -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
> COMMIT
> [DOES WORK]
>
> After using iptables for a long time, I can't figure out where this syntax
> comes from.
> Can anyone point me in the right direction to understand the proper syntax
> necessary in /etc/sysconfig/iptables?
>
> Thanks for your help.
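Added example, written for this page and not code from any of the posters. The syntax Mike arrived at is iptables-save output: iptables.service from the iptables-services package loads /etc/sysconfig/iptables with iptables-restore, which reads "*table" headers, ":CHAIN POLICY [0:0]" lines, rules without their "iptables -t table" prefix and a COMMIT per table, and fails on a line that starts with a shell command. The script below converts a file of ordinary iptables commands into that format, rejects anything that is not restore syntax before the service ever sees it, and also carries out the firewalld-to-iptables-services switch that Eero's link describes. The sample rules in the test are the ones from Mike's post; the function names and the rules-file argument are this example's own, and `iptables-restore --test` (parse without committing) is assumed to be available, as it is in the iptables 1.4.21 shipped with CentOS 7.

```shell
#!/bin/sh
# Added example: build /etc/sysconfig/iptables from ordinary iptables commands.
# iptables.service (package iptables-services) hands that file to iptables-restore,
# so it has to be iptables-save output: a "*table" header, optional
# ":CHAIN POLICY [0:0]" lines, the rules without their "iptables -t table"
# prefix, and a closing COMMIT for every table. A shell command in the file is
# a parse error, which is what makes the service fail on start.

# convert_rules: stdin = lines like "/usr/sbin/iptables -t nat -A ... -j MASQUERADE"
#                stdout = the same rules in iptables-restore format, grouped per table
convert_rules() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                # comments and blank lines
    {
      # Drop the command word (iptables, /usr/sbin/iptables, ...).
      if ($1 ~ /(^|\/)iptables$/) $1 = ""
      # Lift out "-t table" wherever it sits; iptables defaults to filter.
      table = "filter"
      for (i = 1; i < NF; i++)
        if ($i == "-t" || $i == "--table") { table = $(i + 1); $i = ""; $(i + 1) = ""; break }
      gsub(/ +/, " "); sub(/^ /, ""); sub(/ $/, "")  # squeeze the holes, re-split fields
      # iptables-restore flushes each table it loads (unless run with --noflush),
      # so flush/delete/zero commands do not belong in the file.
      if ($1 ~ /^(-F|-X|-Z|--flush|--delete-chain|--zero)$/) {
        print "convert_rules: dropping \"" $0 "\" (iptables-restore flushes anyway)" > "/dev/stderr"
        next
      }
      if (!(table in seen)) { seen[table] = 1; order[++n] = table }
      # Policies and user chains become ":CHAIN POLICY [0:0]" lines ahead of the rules.
      if ($1 == "-P" || $1 == "--policy")    { chains[table] = chains[table] ":" $2 " " $3 " [0:0]\n"; next }
      if ($1 == "-N" || $1 == "--new-chain") { chains[table] = chains[table] ":" $2 " - [0:0]\n"; next }
      rules[table] = rules[table] $0 "\n"
    }
    END {
      for (i = 1; i <= n; i++)
        printf "*%s\n%s%sCOMMIT\n", order[i], chains[order[i]], rules[order[i]]
    }
  '
}

# lint_ruleset: stdin = a candidate /etc/sysconfig/iptables. Exits 1 on anything
# that is not iptables-save syntax, so a pasted shell command is caught early.
lint_ruleset() {
  awk '
    function bad(msg) { print "lint_ruleset: line " NR ": " msg > "/dev/stderr"; rc = 1 }
    /^#/ || /^[ \t]*$/ { next }
    /^\*/      { if (open) bad("*" cur " has no COMMIT"); open = 1; cur = substr($0, 2); next }
    /^COMMIT$/ { if (!open) bad("COMMIT outside a table block"); open = 0; next }
    /^[-:]/    { if (!open) bad("rule outside a *table block: " $0); next }
    { bad("not iptables-save syntax, looks like a shell command: " $0) }
    END { if (open) bad("*" cur " has no COMMIT"); exit rc }
  '
}

# switch_to_iptables_services: what the certdepot link walks through. Root only.
# Mask firewalld rather than just disabling it so nothing pulls it back in.
switch_to_iptables_services() {
  systemctl stop firewalld.service &&
  systemctl mask firewalld.service &&
  yum -y install iptables-services &&
  systemctl enable iptables.service
}

# install_ruleset RULES_FILE: convert, check, install, reload. Root only.
# Do the first run from a console, not over SSH: a DROP policy that parses
# cleanly with --test will still lock you out if the ACCEPT rule is missing.
install_ruleset() {
  tmp=$(mktemp) || return 1
  rc=0
  if convert_rules < "$1" > "$tmp" && lint_ruleset < "$tmp" && iptables-restore --test < "$tmp"; then
    install -m 0600 -o root -g root "$tmp" /etc/sysconfig/iptables &&
      systemctl restart iptables.service || rc=1
  else
    echo "install_ruleset: $1 did not convert cleanly; nothing installed" >&2
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}

case "${1:-}" in
  convert) convert_rules ;;                                   # rules on stdin, restore format on stdout
  check)   lint_ruleset < "${2:-/etc/sysconfig/iptables}" ;;
  switch)  switch_to_iptables_services ;;
  install) install_ruleset "${2:?need a rules file}" ;;
  *)       echo "usage: $0 convert <rules.sh | check [file] | switch | install rules.sh" >&2 ;;
esac
```

Typical use is `sh gen-iptables.sh convert < my-rules.sh` to see what the file will look like, then `sudo sh gen-iptables.sh install my-rules.sh`. The converter deliberately drops -F/-X/-Z lines: iptables-restore already flushes every table it loads, so those commands are noise in a restore file and only survive in the rule scripts people carry over from distributions that ran them as shell.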