From 3b40e0c28484b938b9958d72c936a95cbdf2e97e Mon Sep 17 00:00:00 2001
From: Dmitry Bilunov
Date: Thu, 31 Mar 2016 11:46:40 +0300
Subject: [PATCH] Move iptables rules to user-defined chains

Firewall rules should be managed by Puppet, which will purge current firewall ruleset and replace it by the one provided by a corresponding manifest. We need to move rules introduced by product.sh to separate user-defined chains which are not purged by Puppet so they will be retained after the manifest gets applied.

Change-Id: I57e9f58c6bad32b23b179499f0514edf5357bd31
Partial-Bug: #1524750
---
 functions/product.sh | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/functions/product.sh b/functions/product.sh
index f5fc28a..d7d22d8 100755
--- a/functions/product.sh
+++ b/functions/product.sh
@@ -221,11 +221,20 @@ enable_outbound_network_for_product_vm() {
 send "sed -i.orig '/DNS_UPSTREAM/c\\"DNS_UPSTREAM\\": \\"${dns_upstream}\\"' /etc/fuel/astute.yaml\r"
 expect "$prompt"
 # enable NAT (MASQUERADE) and forwarding for the public network
- send "/sbin/iptables -t nat -A POSTROUTING -s $master_pub_net/24 \! -d $master_pub_net/24 -j MASQUERADE\r"
+ # User-defined chains are introduced by LP#1524750
+ send "/sbin/iptables -t nat -N ext-nat-postrouting &>/dev/null\r"
 expect "$prompt"
- send "/sbin/iptables -I FORWARD 1 --dst $master_pub_net/24 -j ACCEPT\r"
+ send "/sbin/iptables -t filter -N ext-filter-forward &>/dev/null\r"
 expect "$prompt"
- send "/sbin/iptables -I FORWARD 1 --src $master_pub_net/24 -j ACCEPT\r"
+ send "/sbin/iptables -t nat -A ext-nat-postrouting -s $master_pub_net/24 \! -d $master_pub_net/24 -j MASQUERADE\r"
+ expect "$prompt"
+ send "/sbin/iptables -I ext-filter-forward 1 --dst $master_pub_net/24 -j ACCEPT\r"
+ expect "$prompt"
+ send "/sbin/iptables -I ext-filter-forward 1 --src $master_pub_net/24 -j ACCEPT\r"
+ expect "$prompt"
+ send "/sbin/iptables -t nat -A POSTROUTING -j ext-nat-postrouting\r"
+ expect "$prompt"
+ send "/sbin/iptables -t filter -A FORWARD -j ext-filter-forward\r"
 expect "$prompt"
 send "service iptables save &>/dev/null\r"
 expect "$prompt"
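Review bot: The jump rules `-A POSTROUTING -j ext-nat-postrouting` and `-A FORWARD -j ext-filter-forward`, as well as the three rules placed into the new chains, are added unconditionally, so every run of enable_outbound_network_for_product_vm after the first duplicates them; only the two `-N` calls are made repeat-safe by the `&>/dev/null`, which also hides any other failure of chain creation. Flushing each chain right after creating it, e.g. `send "/sbin/iptables -t nat -F ext-nat-postrouting\r"`, keeps the chain contents idempotent, and each jump can be guarded with `send "/sbin/iptables -t nat -C POSTROUTING -j ext-nat-postrouting &>/dev/null || /sbin/iptables -t nat -A POSTROUTING -j ext-nat-postrouting\r"` (iptables `-C` needs 1.4.11 or newer; on an older target, test `iptables -S POSTROUTING` output instead). Separately, the removed rules were inserted at position 1 of FORWARD while the new jump is appended with `-A FORWARD`; if the pre-existing FORWARD chain ends in a REJECT or DROP rule, the jump lands after it and the public-network forwarding is never reached, so `-I FORWARD 1 -j ext-filter-forward` would preserve the previous ordering (I cannot see the rest of the ruleset from here, so please confirm on the target). The enclosing function continues outside the hunk.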