[CentOS] /etc/sysconfig/iptables syntax

Mike 1100100 at gmail.com
Mon May 23 02:55:28 UTC 2016


The last two router/firewall servers I had used Slackware and Gentoo.
I'm used to writing complete and explicit iptables rules; however, when I
set up /etc/sysconfig/iptables in CentOS 7 my usual syntax is unusable.

For example, I'm used to stating postrouting masquerade as:

/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j
MASQUERADE

But when I use the rule above, iptables.service fails upon start and exits.

Through a series of trial and error, I found a correct masquerade statement:

*nat
-A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
COMMIT

This looks similar to output from iptables-save.

Another example:

/usr/sbin/iptables -t filter -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
[DOES NOT WORK]

*filter
-A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
COMMIT
[DOES WORK]

After using iptables for a long time, I can't figure out where this syntax
comes from.
Can anyone point me in the right direction to understand the proper syntax
necessary in /etc/sysconfig/iptables?

Thanks for your help.



More information about the CentOS mailing list