From 243777b6ef19f7fc34dca087f8a279c6dc90e0aa Mon Sep 17 00:00:00 2001
From: Gianluca Arbezzano
Date: Fri, 22 Jan 2021 09:35:16 +0100
Subject: [PATCH] Fix NAT and make it working for Terraform and Vagrant
Commit b504810 introduced a NAT to make worker capable of reaching the public internet via the provisioner. But it also introduced a bug, it only works for the Vagrant setup as Manny pointed out: https://github.com/tinkerbell/sandbox/pull/33#issuecomment-759651035 This is an attempt to fix it
Signed-off-by: Gianluca Arbezzano
---
 deploy/terraform/main.tf | 8 ++++++++
 deploy/vagrant/scripts/tinkerbell.sh | 8 ++++++++
 setup.sh | 7 -------
 3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/deploy/terraform/main.tf b/deploy/terraform/main.tf
index 47b896a..9171e7c 100644
--- a/deploy/terraform/main.tf
+++ b/deploy/terraform/main.tf
@@ -66,6 +66,14 @@ resource "null_resource" "tink_directory" {
 destination = "/root/tink"
 }
+ provisioner "remote-exec" {
+ inline = [
+ "iptables -A FORWARD -i eth1 -o bond0 -j ACCEPT",
+ "iptables -A FORWARD -i bond0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT",
+ "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE",
+ ]
+ }
+
 provisioner "remote-exec" {
 inline = [
 "chmod +x /root/tink/*.sh /root/tink/deploy/tls/*.sh"
diff --git a/deploy/vagrant/scripts/tinkerbell.sh b/deploy/vagrant/scripts/tinkerbell.sh
index 803ca26..316377e 100644
--- a/deploy/vagrant/scripts/tinkerbell.sh
+++ b/deploy/vagrant/scripts/tinkerbell.sh
@@ -63,6 +63,12 @@ configure_vagrant_user() (
 --password-stdin "$TINKERBELL_HOST_IP"
 )
+setup_nat() (
+ iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
+ iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+)
+
 main() (
 export DEBIAN_FRONTEND=noninteractive
@@ -91,6 +97,8 @@ main() (
 ./setup.sh
+ setup_nat
+
 secure_certs
 configure_vagrant_user
diff --git a/setup.sh b/setup.sh
index 0b637f3..16cbb12 100755
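Review bot: The MASQUERADE rule in the new `remote-exec` block matches `-o eth0`, while the two FORWARD rules directly above it treat `bond0` as the outbound interface, so forwarded worker traffic that leaves through `bond0` would not be translated. If `bond0` is the uplink on these hosts, as the FORWARD rules suggest, the third entry should read `"iptables -t nat -A POSTROUTING -o bond0 -j MASQUERADE",`. None of the three rules restricts the source, so anything arriving on `eth1` is forwarded and NATed; adding `-s <worker-subnet-cidr>` (placeholder, the page does not show the subnet) to the first FORWARD rule and to the POSTROUTING rule would limit the provisioner to routing the worker network only. The enclosing `null_resource` starts and ends outside the hunk.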
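Review bot: `setup_nat` appends its three rules with `-A` unconditionally, so each re-provision of the box adds another copy of every rule; the inline rules added to deploy/terraform/main.tf in this commit behave the same way. Checking before appending keeps the chains stable, e.g. `iptables -C FORWARD -i eth1 -o eth0 -j ACCEPT 2>/dev/null || iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT`, and likewise for the other two rules. The function also deserves a header comment such as `# NAT worker traffic arriving on eth1 out through eth0 (Vagrant box interface names)`, because the interface names are hard-coded. The rules only take effect when IPv4 forwarding is enabled on the host, which nothing in this hunk shows.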
--- a/setup.sh
+++ b/setup.sh
@@ -487,12 +487,6 @@ whats_next() (
 echo "$BLANK Follow the steps described in https://tinkerbell.org/examples/hello-world/ to say 'Hello World!' with a workflow."
 )
-setup_nat() (
- iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
- iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-)
-
 do_setup() (
 # perform some very rudimentary platform detection
 lsb_dist=$(get_distribution)
@@ -510,7 +504,6 @@ do_setup() (
 source "$ENV_FILE"
 setup_networking "$lsb_dist" "$lsb_version"
- setup_nat
 setup_osie
 generate_certificates
 setup_docker_registry