[CentOS] /etc/sysconfig/iptables syntax

Mon May 23 20:10:34 UTC 2016
James Hogarth <james.hogarth at gmail.com>

On 23 May 2016 21:03, "Mike" <1100100 at gmail.com> wrote:
>
> The closest thing I could find to an iptables to firewalld conversion tool
> was Offline Configuration.
> The firewall-offline-cmd command was created to help setup firewall rules
> when Firewalld is not running.
>
> For instance, to open the tcp port 22, you would type in the
> /etc/sysconfig/iptables file:
>
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>
> Instead, you can now execute the following command:
>
> # firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp
> -m state --state NEW -m tcp --dport 22 -j ACCEPT
>
> / / / / / / / / / / / / / / / / / / / / / / / / / //  /
>
> It's not that convenient for a rule-set of 250 lines, but with a
> little creative copying/pasting between the iptables rules and the
> "firewall-offline-cmd --direct --add-rule ipv4 filter"
> and "firewall-offline-cmd --direct --add-rule ipv4 nat " statements, I
> suppose a decent conversion can be completed.
>
> Of course, you'd still need to apply rules to the correct zones which
> I'm still trying to digest.
>
>

Using DIRECT bypasses all the zone and service stuff.

Frankly if you're going to DIRECT everything then you really are better off
masking (and removing) firewalld and installing iptables-services and just
using the old traditional way.
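
An added example, not from anyone in this thread: the "creative copying/pasting" Mike describes, done mechanically, plus a check that shows what James means about zones. The script reads an iptables-save style ruleset (a constructed sample below, not a real host's /etc/sysconfig/iptables) and prints one firewall-offline-cmd --direct invocation per -A rule; it never runs firewall-offline-cmd, so it can be dry-run anywhere. A second function picks out the plain "accept new connections to port N" INPUT rules and prints the zone-based equivalent instead. The zone name "public" is an assumption; use whichever zone the interface actually sits in.

```shell
#!/bin/sh
# Added example; not code from the CentOS list thread or from firewalld.
# Converts iptables-save format to firewall-offline-cmd --direct lines
# (printed, not executed) and shows where a zone rule fits instead.

# Constructed sample ruleset in /etc/sysconfig/iptables format.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

# iptables_to_direct: read iptables-save format on stdin and print
#   firewall-offline-cmd --direct --add-rule ipv4 TABLE CHAIN PRIO RULE
# for every -A line. The priority is bumped per rule because firewalld does
# not promise an order between direct rules sharing one priority, and an
# iptables ruleset relies on order. ":CHAIN POLICY" and COMMIT lines are
# dropped: a direct rule cannot set a chain policy, that is the zone's job.
# Caveat: rules carrying quoted arguments (e.g. -m comment) are word-split
# naively and need hand-checking.
iptables_to_direct() {
    table=filter
    prio=0
    while IFS= read -r line; do
        case "$line" in
            '*'*)
                table=${line#\*}
                prio=0
                ;;
            '-A '*)
                set -- $line
                shift                       # drop -A
                chain=$1
                shift                       # drop the chain name
                printf 'firewall-offline-cmd --direct --add-rule ipv4 %s %s %d %s\n' \
                    "$table" "$chain" "$prio" "$*"
                prio=$((prio + 1))
                ;;
            *) ;;
        esac
    done
}

# zone_equivalent: given one rule, print the zone command for a plain
# "accept TCP/UDP to port N" INPUT rule, otherwise return 1. Rules bound to
# an interface or address (-i/-s/-d) are refused on purpose: that binding is
# what a zone expresses, so the admin has to choose the zone, not a script.
zone_equivalent() {
    set -- $1
    [ "$1" = -A ] && [ "$2" = INPUT ] || return 1
    shift 2
    proto=""; port=""; target=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -p)      proto=$2; shift ;;
            --dport) port=$2; shift ;;
            -j)      target=$2; shift ;;
            -i|-s|-d) return 1 ;;
            -m|--state) shift ;;            # one-argument matches, skipped
        esac
        shift
    done
    [ "$target" = ACCEPT ] && [ -n "$port" ] && [ -n "$proto" ] || return 1
    printf 'firewall-offline-cmd --zone=public --add-port=%s/%s\n' "$port" "$proto"
}

# demo: the mechanical --direct conversion, then the rules that have a
# zone equivalent and so should not be --direct at all.
demo() {
    printf '%s\n' "$SAMPLE_RULES" | iptables_to_direct
    echo '# zone-based alternatives:'
    printf '%s\n' "$SAMPLE_RULES" | while IFS= read -r line; do
        zone_equivalent "$line" || :
    done
}

demo

# What James recommends when everything ends up as --direct anyway:
#   systemctl stop firewalld && systemctl mask firewalld
#   yum install iptables-services
#   systemctl enable iptables      # loads /etc/sysconfig/iptables at boot
```

Run it as-is to see both conversions for the sample; to convert a real file, replace the printf of SAMPLE_RULES with `iptables_to_direct < /etc/sysconfig/iptables` and review the output before feeding it to a shell. The point of the second function is the one James makes: for the few rules that do map to a zone, use the zone; if nothing maps, firewalld is adding a layer without adding value.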