Modified the iptables.j2 file to:

- template the public interface so NAT Masquerade command goes to right interface
- public inteface name autogenerated by looking at route to 8.8.8.8
- ACCEPT command for private interface modified to use network CIDR. THis is hardcoded to M3 if not defined, so no impact on cluster_in_a_box roles. (Monarch and others will need to pass it as a parameter)
- Not sure if ACCEPT on private interface is used, as compute nodes point to mlx0 interface for routing

roles/nat_server/tasks/main.yml

@@ -19,7 +19,17 @@
   become: true
   become_user: root
 
-    
+- name: get name of device for public interface
+  # output looks like
+  # 8.8.8.8 via 118.138.254.254 dev eth2  src 118.138.254.185
+  shell: /usr/sbin/ip route get 8.8.8.8  | awk '{print $5;exit }'
+  register: public_device_name
+
+#if not defined, default to M3=vlan 114  ;
+#See https://webnet.its.monash.edu.au/cgi-bin/staff-only/netsee
+- set_fact: PRIVATE_NETWORK_CIDR="172.16.200.0/21"
+  when: PRIVATE_NETWORK_CIDR is undefined
+
 # template ip tables rules or add rules on startup?
 - name: template rules
   template: dest=/etc/sysconfig/iptables src=iptables.j2

roles/nat_server/templates/iptables.j2

@@ -14,7 +14,7 @@ COMMIT
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
--A POSTROUTING -o eth2 -j MASQUERADE
+-A POSTROUTING -o {{ public_device_name.stdout }}  -j MASQUERADE
 COMMIT
 # Completed on Mon Nov  7 16:34:03 2016
 # Generated by iptables-save v1.4.21 on Mon Nov  7 16:34:03 2016
@@ -28,6 +28,6 @@ COMMIT
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -i mlx0 -j ACCEPT
--A FORWARD -i eth1 -j ACCEPT
+-A FORWARD -s {{ PRIVATE_NETWORK_CIDR }} -j ACCEPT
 COMMIT
 # Completed on Mon Nov  7 16:34:03 2016