On 5/9/2015 8:32 AM, James B. Byrne wrote:
> On Fri, May 8, 2015 12:06, Bowie Bailey wrote:
>
>> Replying to myself here, I finally figured out how to do it with
>> direct rules. Firewalld on CentOS 7 defaults to a drop rule for
>> the FORWARD chain which my previous server didn't have. So I
>> needed to put the rules in the FORWARD chain rather than the
>> INPUT chain.
>>
> This does not make sense to me. The INPUT, OUTPUT and FORWARD chains
> are swimlanes. A packet starts out, following PREROUTING, in exactly
> one of these three and never leaves it. It can JUMP to shared chains
> but it will always return to its original chain until ACCEPTed,
> DROPped or REJECTed.

I was a bit confused when I originally posted. This is the only machine that does forwarding and I haven't touched the iptables setup on it in years. The original machine had a shared chain between INPUT and FORWARD with rules that allowed the traffic. I had forgotten how the INPUT and FORWARD chains worked and didn't realize at first that this was a shared chain, so I was putting the rules in the INPUT chain on the new box, which (of course) didn't work.

The other thing that caught me was that the new box has a reject rule at the end of the FORWARD chain that I didn't notice until I did an iptables-save and combed through the rules. Is there a better way to get an overview of ALL the rules with firewalld? None of the firewall-cmd options that I can find will show me that there is a reject rule on the FORWARD chain.

--
Bowie
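Added example, not from the thread: a Python pass over `iptables-save` output that gives the overview asked for above, listing per built-in chain its policy, the user chains it jumps to (so a chain shared by INPUT and FORWARD stands out) and any DROP/REJECT rules, and flagging a match-free catch-all at the end of the chain like the REJECT on FORWARD. The dump is constructed, and catch-all detection assumes matches are written with the -s/-d/-p/-i/-o/-m options.

```python
# Summarise an iptables-save dump: per built-in chain, its policy, the user
# chains it jumps to, and any DROP/REJECT rules (flagging a match-free catch-all).
import re

BUILTIN = ("INPUT", "FORWARD", "OUTPUT")
TERMINAL = ("DROP", "REJECT")

# Constructed sample (not a real host's rules): a user chain "shared" that
# both INPUT and FORWARD jump to, and a catch-all REJECT closing FORWARD.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:shared - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j shared
-A FORWARD -j shared
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A shared -s 10.0.0.0/8 -j ACCEPT
COMMIT
"""

def parse_filter_table(dump):
    """Return {chain: {"policy": str | None, "rules": [(text, target)]}}."""
    chains, in_filter = {}, False
    for line in dump.splitlines():
        if line.startswith("*"):                    # table header, e.g. *filter
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):    # chain declaration
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": None if policy == "-" else policy, "rules": []}
        elif in_filter and line.startswith("-A "):  # appended rule
            m = re.search(r"\s-j\s+(\S+)", line)
            chains[line.split()[1]]["rules"].append((line, m.group(1) if m else None))
    return chains

def overview(dump):
    chains, report = parse_filter_table(dump), {}
    for name in BUILTIN:
        rules = chains[name]["rules"]
        last = rules[-1] if rules else ("", None)
        report[name] = {
            "policy": chains[name]["policy"],
            "jumps_to": sorted({t for _, t in rules if t in chains}),
            "terminal": [(i, t) for i, (_, t) in enumerate(rules) if t in TERMINAL],
            # a DROP/REJECT with no -s/-d/-p/-i/-o/-m match is a catch-all
            "ends_with_catch_all": last[1] in TERMINAL and not re.search(r"\s-[sdpiom]\s", last[0]),
        }
    return report
```

On a real host, pass the text of `iptables-save` (run as root) instead of SAMPLE_DUMP; `firewall-cmd --direct --get-all-rules` only lists direct rules, not the chains firewalld builds itself.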