Move iptables rules to user-defined chains
Firewall rules should be managed by Puppet, which purges the current firewall ruleset and replaces it with the one provided by the corresponding manifest. We need to move the rules introduced by product.sh into separate user-defined chains, which Puppet does not purge, so that they are retained after the manifest is applied. Change-Id: I57e9f58c6bad32b23b179499f0514edf5357bd31 Partial-Bug: #1524750
This commit is contained in:
parent
5ed0107ff3
commit
3b40e0c284
@ -221,11 +221,20 @@ enable_outbound_network_for_product_vm() {
|
|||
send "sed -i.orig '/DNS_UPSTREAM/c\\"DNS_UPSTREAM\\": \\"${dns_upstream}\\"' /etc/fuel/astute.yaml\r"
|
||||
expect "$prompt"
|
||||
# enable NAT (MASQUERADE) and forwarding for the public network
|
||||
send "/sbin/iptables -t nat -A POSTROUTING -s $master_pub_net/24 \! -d $master_pub_net/24 -j MASQUERADE\r"
|
||||
# User-defined chains are introduced by LP#1524750
|
||||
send "/sbin/iptables -t nat -N ext-nat-postrouting &>/dev/null\r"
|
||||
expect "$prompt"
|
||||
send "/sbin/iptables -I FORWARD 1 --dst $master_pub_net/24 -j ACCEPT\r"
|
||||
send "/sbin/iptables -t filter -N ext-filter-forward &>/dev/null\r"
|
||||
expect "$prompt"
|
||||
send "/sbin/iptables -I FORWARD 1 --src $master_pub_net/24 -j ACCEPT\r"
|
||||
send "/sbin/iptables -t nat -A ext-nat-postrouting -s $master_pub_net/24 \! -d $master_pub_net/24 -j MASQUERADE\r"
|
||||
expect "$prompt"
|
||||
send "/sbin/iptables -I ext-filter-forward 1 --dst $master_pub_net/24 -j ACCEPT\r"
|
||||
expect "$prompt"
|
||||
send "/sbin/iptables -I ext-filter-forward 1 --src $master_pub_net/24 -j ACCEPT\r"
|
||||
expect "$prompt"
|
||||
send "/sbin/iptables -t nat -A POSTROUTING -j ext-nat-postrouting\r"
|
||||
expect "$prompt"
|
||||
send "/sbin/iptables -t filter -A FORWARD -j ext-filter-forward\r"
|
||||
expect "$prompt"
|
||||
send "service iptables save &>/dev/null\r"
|
||||
expect "$prompt"
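Review bot: The filter-table jump `/sbin/iptables -t filter -A FORWARD -j ext-filter-forward` appends at the end of FORWARD, whereas the rules it replaces were inserted at position 1 (`-I FORWARD 1 ...`), so if FORWARD ends with a terminal REJECT/DROP rule, as Puppet-managed rulesets commonly do, the ACCEPTs in ext-filter-forward are shadowed and forwarding for $master_pub_net silently stops; `/sbin/iptables -t filter -I FORWARD 1 -j ext-filter-forward` preserves the original precedence (the nat jump is only affected if POSTROUTING carries earlier terminal rules). Separately, `-N ... &>/dev/null` tolerates a pre-existing chain, but the following `-A`/`-I` calls then duplicate every rule and both jumps on each re-run of the script, so flush the chains right after creating them (`/sbin/iptables -t nat -F ext-nat-postrouting`, `/sbin/iptables -t filter -F ext-filter-forward`) or guard the jumps with `-C` before appending. Whether Puppet's purge also removes the two jump rules it finds in the built-in FORWARD/POSTROUTING chains depends on the manifest; if it does, the user-defined chains survive but become unreachable, so the manifest should own the jumps, which is worth a comment next to `# User-defined chains are introduced by LP#1524750`. enable_outbound_network_for_product_vm() starts and ends outside this hunk.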
|
||||