From 4d13239d77ed45b08a85600ad78e3f93836fff6e Mon Sep 17 00:00:00 2001
From: Nahum Shalman
Date: Wed, 7 Apr 2021 14:11:09 +0000
Subject: [PATCH] Fix NAT to reference correct interfaces

This moves the NAT commands from terraform to setup.sh

Signed-off-by: Nahum Shalman
---
 deploy/terraform/main.tf | 9 +++------
 deploy/terraform/nat_interface | 1 +
 setup.sh | 11 +++++++++++
 3 files changed, 15 insertions(+), 6 deletions(-)
 create mode 100644 deploy/terraform/nat_interface

diff --git a/deploy/terraform/main.tf b/deploy/terraform/main.tf
index 4a33acb..0e99467 100644
--- a/deploy/terraform/main.tf
+++ b/deploy/terraform/main.tf
@@ -71,12 +71,9 @@ resource "null_resource" "tink_directory" {
 destination = "/root/tink"
 }
 
- provisioner "remote-exec" {
- inline = [
- "iptables -A FORWARD -i eth1 -o bond0 -j ACCEPT",
- "iptables -A FORWARD -i bond0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT",
- "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE",
- ]
+ provisioner "file" {
+ source = "nat_interface"
+ destination = "/root/tink/.nat_interface"
 }
 
 provisioner "remote-exec" {
diff --git a/deploy/terraform/nat_interface b/deploy/terraform/nat_interface
new file mode 100644
index 0000000..306379d
--- /dev/null
+++ b/deploy/terraform/nat_interface
@@ -0,0 +1 @@
+bond0
diff --git a/setup.sh b/setup.sh
index dbb0c81..7645e54 100755
--- a/setup.sh
+++ b/setup.sh
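Review bot: `source = "nat_interface"` in the new file provisioner is resolved against the directory terraform is invoked from, not against the directory that holds main.tf, so an apply run from anywhere else fails on a missing source file; `source = "${path.module}/nat_interface"` pins it to the module. That copied file is now the only thing selecting the NAT egress interface on the host, and setup.sh applies the NAT rules only when `ip addr show` recognises its content, so a wrong value here silently leaves the machine without NAT; a one-line comment above the provisioner saying that `nat_interface` must name the host's uplink interface would help whoever provisions different hardware. The destination `/root/tink/.nat_interface` relies on the preceding provisioner (its `destination = "/root/tink"` is the context line above) having created that directory first, which provisioner ordering should guarantee.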
@@ -110,6 +110,17 @@ setup_networking() (
 else
 echo "$ERR tinkerbell network interface configuration failed"
 fi
+
+ if [ -r .nat_interface ]; then
+ NAT_INTERFACE=$(cat .nat_interface)
+ fi
+ if [ -n "$NAT_INTERFACE" ] && ip addr show "$NAT_INTERFACE" &>/dev/null; then
+ # TODO(nshalman) the terraform code would just run these commands as-is once
+ # but it would be nice to make these more persistent based on OS
+ iptables -A FORWARD -i "$TINKERBELL_NETWORK_INTERFACE" -o "$NAT_INTERFACE" -j ACCEPT
+ iptables -A FORWARD -i "$NAT_INTERFACE" -o "$TINKERBELL_NETWORK_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "$NAT_INTERFACE" -j MASQUERADE
+ fi
 )
 
 setup_networking_manually() (
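Review bot: The three `iptables -A` lines in the new `if` block are not idempotent: every re-run of setup_networking appends another copy of each rule, so the FORWARD and nat POSTROUTING chains accumulate duplicates that are hard to audit or remove later. Guarding each append with `iptables -C … 2>/dev/null ||` makes re-runs a no-op, and the skip path deserves a diagnostic, because a `.nat_interface` value that `ip addr show` does not recognise currently disables NAT with no output at all (the rest of the function, including where `$ERR` and `TINKERBELL_NETWORK_INTERFACE` are set, is outside the hunk). `.nat_interface` is read relative to the current working directory, which presumably is `/root/tink` where the terraform file provisioner drops it; reading it relative to `${0%/*}` or an absolute path would remove that hidden dependency on where the script is started from. Whether IPv4 forwarding is enabled elsewhere in setup.sh cannot be seen here; without `net.ipv4.ip_forward=1` the FORWARD rules have no effect.
```shell
	# … unchanged: reading NAT_INTERFACE from .nat_interface …
	if [ -n "$NAT_INTERFACE" ] && ip addr show "$NAT_INTERFACE" &>/dev/null; then
		# -C first so re-running setup does not append duplicate rules
		iptables -C FORWARD -i "$TINKERBELL_NETWORK_INTERFACE" -o "$NAT_INTERFACE" -j ACCEPT 2>/dev/null ||
			iptables -A FORWARD -i "$TINKERBELL_NETWORK_INTERFACE" -o "$NAT_INTERFACE" -j ACCEPT
		iptables -C FORWARD -i "$NAT_INTERFACE" -o "$TINKERBELL_NETWORK_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null ||
			iptables -A FORWARD -i "$NAT_INTERFACE" -o "$TINKERBELL_NETWORK_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
		iptables -t nat -C POSTROUTING -o "$NAT_INTERFACE" -j MASQUERADE 2>/dev/null ||
			iptables -t nat -A POSTROUTING -o "$NAT_INTERFACE" -j MASQUERADE
	elif [ -n "$NAT_INTERFACE" ]; then
		echo "$ERR NAT interface '$NAT_INTERFACE' from .nat_interface not found; skipping NAT rules"
	fi
```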