Iptables on CentOS 7 doesn't work after reboot

tester3 asked:

I am on CentOS 7, removed the new firewall and installed a classic iptables service. I have a guest machine in it with Debian 8.1 and a static external IP.

I do:

  echo 1 > /proc/sys/net/ipv4/ip_forward
  sysctl -w net.ipv4.ip_forward=1
  iptables -P FORWARD ACCEPT

and:

  iptables -t nat -I PREROUTING -d *external_ip* -i enp2s0 -j DNAT --to-destination 192.168.122.72
  iptables -t nat -I POSTROUTING -s 192.168.122.72 -o enp2s0 -j SNAT --to-source *external_ip*
  iptables -P FORWARD ACCEPT

And my guest system begins to work and becomes available on the Internet.

Then I do service iptables save, restart the host machine, and my guest machine becomes unavailable on the network. But when I check the iptables rules (iptables -t nat -L --line-numbers) I see that all my rules are there. When I flush all iptables rules and enter them again, it begins to work again until the next reboot.

My friend suggested a solution: write an sh script with these rules and add it to rc.local, but maybe there is a better solution?

My answer:

If you’re writing your own NAT rules for your virtual machines, rather than allowing libvirt to manage them, then the virtual network to which the VMs are connected should be set up as a routed network, not a NAT network.

You can fix this with virsh net-edit <network> and change:

  <forward mode='nat'/>

to:

  <forward mode='route'/>

(And this is perfectly doable with firewalld; I have one such machine in production already.)
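An added example (not part of the Server Fault answer) that performs the same nat-to-route switch non-interactively instead of through virsh net-edit, so the change can be scripted and checked before the network is redefined; the network name, the temporary-file handling and the sample XML below are assumptions.

```shell
#!/bin/sh
# Switch a libvirt network definition from NAT to routed mode so that libvirt
# no longer manages NAT for it and hand-written iptables rules are the only ones.

# Rewrite only the self-closing <forward mode='nat'/> element shown in the answer;
# every other element (bridge, ip, dhcp) is passed through untouched.
to_routed_xml() {
    sed -e "s|<forward mode='nat'/>|<forward mode='route'/>|"
}

# Print the current forward mode of a network definition read from stdin.
forward_mode() {
    sed -n "s|.*<forward mode='\([a-z]*\)'.*|\1|p" | head -n 1
}

# Full procedure against a live libvirt host (needs virsh and root); the
# self-test below does not call this. Guests on the network lose connectivity
# while it is destroyed and started again.
convert_network() {
    net="${1:-default}"                     # assumed network name
    tmp="$(mktemp)"
    virsh net-dumpxml "$net" > "$tmp"
    if [ "$(forward_mode < "$tmp")" != "nat" ]; then
        echo "$net is not a NAT network; nothing to do" >&2
        rm -f "$tmp"; return 0
    fi
    # A nested <nat>...</nat> block is only valid in NAT mode; refuse rather
    # than produce a definition libvirt will reject.
    if grep -q '<nat>' "$tmp"; then
        echo "$net has a nested <nat> element; edit it by hand" >&2
        rm -f "$tmp"; return 1
    fi
    to_routed_xml < "$tmp" > "$tmp.routed"
    virsh net-define "$tmp.routed" && virsh net-destroy "$net" && virsh net-start "$net"
    rm -f "$tmp" "$tmp.routed"
}

# Constructed sample, modelled on a default libvirt NAT network definition.
SAMPLE_XML="<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>"
```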

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.