Ipforwarding
For the compute nodes to reach the outside world directly, the frontend has to forward their packets from the private network to the public network and NAT (masquerade) them behind its own public address. In the rules below eth0 is the frontend's public interface and eth1 its private one; adjust the names if your frontend differs.
To make a temporary change (testing):
$ sudo sysctl -w net.ipv4.ip_forward=1
To make this permanent (survive reboots) edit /etc/sysctl.conf and modify the net.ipv4.ip_forward line:
$ sudo vim /etc/sysctl.conf
# Controls IP packet forwarding
# net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
Next, configure the firewall by hand so that it masquerades and forwards the traffic (this is the immediate, manual version; the Puppet version follows).
$ sudo vim /etc/sysconfig/iptables
Under the "*nat" rules and before the "COMMIT" add:
-A POSTROUTING -o eth0 -j MASQUERADE
Under the "*filter" rules, before the final FORWARD "REJECT" rule (rules placed after it are never reached), add:
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
Now ensure that the tables are in effect.
$ sudo service iptables restart
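The manual edit above is easy to get subtly wrong: the MASQUERADE line must be inside "*nat" before its COMMIT, and the two FORWARD ACCEPT lines must precede the FORWARD REJECT line or they are dead. The script below is an added example (it is not from this wiki page or the cluster's Puppet code) that emits the rules in iptables-save format and lints a rules file for exactly those placement mistakes. It goes one step beyond the page's rules by restricting the MASQUERADE and outbound FORWARD rules to the private subnet, so a node spoofing a foreign source address is rejected rather than NATed out. The interface names eth0/eth1 and the 10.1.1.0/24 subnet are assumptions and can be overridden in the environment.

```shell
#!/bin/sh
# Added example, not part of the original wiki page or the cluster's Puppet code.
# Generates the NAT and FORWARD rules for the frontend in iptables-save format and
# lints a rules file to confirm they sit where they must: the MASQUERADE rule in
# *nat before COMMIT, and the two FORWARD ACCEPT rules in *filter ahead of the
# FORWARD REJECT rule. Interface names and the private subnet are assumptions.
PUB_IF="${PUB_IF:-eth0}"             # public interface (assumed)
PRIV_IF="${PRIV_IF:-eth1}"           # private interface (assumed)
PRIV_NET="${PRIV_NET:-10.1.1.0/24}"  # private subnet of the nodes (assumed)

# Emit the rules. Beyond the page's rules, "-s $PRIV_NET" is added so that only
# traffic really originating on the private subnet is NATed and forwarded out.
forward_rules() {
  cat <<EOF
*nat
-A POSTROUTING -s ${PRIV_NET} -o ${PUB_IF} -j MASQUERADE
COMMIT
*filter
-A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -s ${PRIV_NET} -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Lint an iptables-save style file (e.g. /etc/sysconfig/iptables). Returns 0 only
# if the MASQUERADE rule is in the nat table and both FORWARD ACCEPT rules appear
# in the filter table before any FORWARD REJECT rule. Expects the "-i X -o Y"
# option order that iptables-save itself prints.
check_rules_file() {
  awk -v pub="$PUB_IF" -v priv="$PRIV_IF" '
    /^[*]/    { table = $1 }        # "*nat", "*filter", ...
    /^COMMIT/ { table = "" }        # rules after COMMIT belong to no table
    table == "*nat" && /^-A POSTROUTING/ && /-j MASQUERADE/ && $0 ~ ("-o " pub) { masq = 1 }
    table == "*filter" && /^-A FORWARD/ && /-j REJECT/ { reject_seen = 1 }
    table == "*filter" && /^-A FORWARD/ && /-j ACCEPT/ && !reject_seen {
      if ($0 ~ ("-i " pub " -o " priv) && /ESTABLISHED/) inbound = 1   # replies back in
      if ($0 ~ ("-i " priv " -o " pub)) outbound = 1                   # nodes going out
    }
    END { exit (masq && inbound && outbound) ? 0 : 1 }
  ' "$1"
}

# Whether the kernel is currently forwarding (the sysctl step above).
ip_forward_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Usage: sh forwarding.sh write FILE   (write the rules to FILE)
#        sh forwarding.sh check FILE   (lint FILE and confirm forwarding is on)
case "${1:-}" in
  write) forward_rules > "$2" ;;
  check) check_rules_file "$2" && ip_forward_enabled && echo "forwarding OK" ;;
esac
```

Run `sh forwarding.sh check /etc/sysconfig/iptables` after the `service iptables restart`, then confirm the live rules with `iptables -t nat -L POSTROUTING -n -v` and `iptables -L FORWARD -n -v`; the packet counters on the FORWARD rules should rise when a node pings out. `-m state` is the legacy match the page uses; `-m conntrack --ctstate` is its modern equivalent and the lint accepts either.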
Now make the same masquerading and forwarding rules part of the Puppet configuration by adding them to the frontend node's rules in site.pp. From then on the puppetlabs-firewall module manages these rules, so the manual edit above only bridges the gap until the first Puppet run (and is removed if the manifest purges unmanaged firewall rules):
$ sudo vim /etc/puppet/manifests/site.pp
  # Configure masquerading and forwarding. The firewall module orders rules by
  # title, so the numeric prefixes keep these ahead of any later reject rule.
  firewall { '05 Masquerade':
      table    => 'nat',
      chain    => 'POSTROUTING',
      jump     => 'MASQUERADE',
      outiface => 'eth0',   # public interface
      proto    => 'all',
  }
  # Replies to connections the nodes opened may come back in.
  firewall { '06 Forwarding':
      table    => 'filter',
      chain    => 'FORWARD',
      outiface => 'eth1',   # private interface
      iniface  => 'eth0',
      action   => 'accept',
      state    => ['ESTABLISHED', 'RELATED'],
      proto    => 'all',
  }
  # Nodes on the private network may open connections outward.
  firewall { '07 Forwarding':
      table    => 'filter',
      chain    => 'FORWARD',
      outiface => 'eth0',
      iniface  => 'eth1',
      action   => 'accept',
      proto    => 'all',
  }
Apply the manifest and verify that the rules are in place by running the Puppet agent on the frontend:
$ sudo puppet agent -t