Move iptables rules to user-defined chains

Firewall rules should be managed by Puppet, which will purge current
firewall ruleset and replace it by the one provided by a corresponding
manifest.

We need to move rules introduced by product.sh to separate user-defined
chains which are not purged by Puppet so they will be retained after the
manifest gets applied.

Change-Id: I57e9f58c6bad32b23b179499f0514edf5357bd31
Partial-Bug: #1524750

functions/product.sh

@@ -221,11 +221,20 @@ enable_outbound_network_for_product_vm() {
         send "sed -i.orig '/DNS_UPSTREAM/c\\"DNS_UPSTREAM\\": \\"${dns_upstream}\\"' /etc/fuel/astute.yaml\r"
         expect "$prompt"
         # enable NAT (MASQUERADE) and forwarding for the public network
-        send "/sbin/iptables -t nat -A POSTROUTING -s $master_pub_net/24 \! -d $master_pub_net/24 -j MASQUERADE\r"
+        # User-defined chains are introduced by LP#1524750 
+        send "/sbin/iptables -t nat -N ext-nat-postrouting &>/dev/null\r"
         expect "$prompt"
-        send "/sbin/iptables -I FORWARD 1 --dst $master_pub_net/24 -j ACCEPT\r"
+        send "/sbin/iptables -t filter -N ext-filter-forward &>/dev/null\r"
         expect "$prompt"
-        send "/sbin/iptables -I FORWARD 1 --src $master_pub_net/24 -j ACCEPT\r"
+        send "/sbin/iptables -t nat -A ext-nat-postrouting -s $master_pub_net/24 \! -d $master_pub_net/24 -j MASQUERADE\r"
+        expect "$prompt"
+        send "/sbin/iptables -I ext-filter-forward 1 --dst $master_pub_net/24 -j ACCEPT\r"
+        expect "$prompt"
+        send "/sbin/iptables -I ext-filter-forward 1 --src $master_pub_net/24 -j ACCEPT\r"
+        expect "$prompt"
+        send "/sbin/iptables -t nat -A POSTROUTING -j ext-nat-postrouting\r"
+        expect "$prompt"
+        send "/sbin/iptables -t filter -A FORWARD -j ext-filter-forward\r"
         expect "$prompt"
         send "service iptables save &>/dev/null\r"
         expect "$prompt"