From 93dc59ba19c7956b8202b53bd19b691cf206b3cf Mon Sep 17 00:00:00 2001
From: smichnow <simon.michnowicz@monash.edu>
Date: Tue, 5 Dec 2017 17:02:28 +1100
Subject: [PATCH] Modified the iptables.j2 file to: - template the public
 interface so NAT Masquerade command goes to right interface - public interface
 name autogenerated by looking at route to 8.8.8.8 - ACCEPT command for
 private interface modified to use network CIDR. This is hardcoded to M3 if
 not defined, so no impact on cluster_in_a_box roles. (Monarch and others will
 need to pass it as a parameter) - Not sure if ACCEPT on private interface is
 used, as compute nodes point to mlx0 interface for routing

---
 roles/nat_server/tasks/main.yml        | 12 +++++++++++-
 roles/nat_server/templates/iptables.j2 |  4 ++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/roles/nat_server/tasks/main.yml b/roles/nat_server/tasks/main.yml
index 3d1ecc49..ecc647a7 100644
--- a/roles/nat_server/tasks/main.yml
+++ b/roles/nat_server/tasks/main.yml
@@ -19,7 +19,17 @@
   become: true
   become_user: root
 
-    
+- name: get name of device for public interface
+  # output looks like
+  # 8.8.8.8 via 118.138.254.254 dev eth2  src 118.138.254.185
+  shell: /usr/sbin/ip route get 8.8.8.8  | awk '{print $5;exit }'
+  register: public_device_name
+
+#if not defined, default to M3=vlan 114  ;
+#See https://webnet.its.monash.edu.au/cgi-bin/staff-only/netsee
+- set_fact: PRIVATE_NETWORK_CIDR="172.16.200.0/21"
+  when: PRIVATE_NETWORK_CIDR is undefined
+
 # template ip tables rules or add rules on startup?
 - name: template rules
   template: dest=/etc/sysconfig/iptables src=iptables.j2
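Review bot: The task that registers public_device_name has no guard against an empty result: the pipeline's exit status is awk's, so a failing `ip route get 8.8.8.8` (no route to that address) is masked and the rendered rule in the first iptables.j2 hunk becomes `-A POSTROUTING -o  -j MASQUERADE` with no interface name, which iptables-restore will then misparse or reject. Add `changed_when: false` (the command only reads routing state) and `failed_when: public_device_name.stdout | trim == ""` to the task so the play stops before a broken ruleset is written; the field-5 assumption also presumably holds only for a routed (via) path, so the comment above the shell line should say so. The `set_fact: PRIVATE_NETWORK_CIDR="172.16.200.0/21"` line uses key=value form where the rest of the role's task syntax is block YAML; `set_fact:` followed by `  PRIVATE_NETWORK_CIDR: "172.16.200.0/21"` on its own line is the native form, and a role default in defaults/main.yml would make the `when: ... is undefined` task unnecessary.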
diff --git a/roles/nat_server/templates/iptables.j2 b/roles/nat_server/templates/iptables.j2
index 1decc94e..07def7ca 100644
--- a/roles/nat_server/templates/iptables.j2
+++ b/roles/nat_server/templates/iptables.j2
@@ -14,7 +14,7 @@ COMMIT
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
--A POSTROUTING -o eth2 -j MASQUERADE
+-A POSTROUTING -o {{ public_device_name.stdout }}  -j MASQUERADE
 COMMIT
 # Completed on Mon Nov  7 16:34:03 2016
 # Generated by iptables-save v1.4.21 on Mon Nov  7 16:34:03 2016
@@ -28,6 +28,6 @@ COMMIT
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -i mlx0 -j ACCEPT
--A FORWARD -i eth1 -j ACCEPT
+-A FORWARD -s {{ PRIVATE_NETWORK_CIDR }} -j ACCEPT
 COMMIT
 # Completed on Mon Nov  7 16:34:03 2016
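Review bot: The new FORWARD rule accepts on source address alone, which, unlike the removed `-i eth1` match, is satisfied by a packet arriving on the public interface with a spoofed source inside PRIVATE_NETWORK_CIDR; whether such a packet then gets forwarded depends on the FORWARD policy and the rules above line 28 of the template, which are outside this hunk. Keeping an ingress-interface constraint preserves the original direction check, for example by preceding the accept with `-A FORWARD -i {{ public_device_name.stdout }} -s {{ PRIVATE_NETWORK_CIDR }} -j DROP`, or by matching both `-i <PRIVATE_IFACE>` and `-s {{ PRIVATE_NETWORK_CIDR }}` in the accept rule itself (placeholder for the private interface name, which this diff does not template). The commit message itself says it is unclear whether this accept is used, so a comment on the line stating which traffic it is meant to admit would help the next reader decide.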
-- 
GitLab