|
56 | 56 | sudo iptables -A POSTROUTING -t nat -o $iface -j MASQUERADE |
57 | 57 | sudo sysctl -w net.ipv4.conf.all.forwarding=1 |
58 | 58 |
|
59 | | -# Configure port forwarding from the hypervisor to the Horizon GUI on the |
60 | | -# controller. |
61 | | -sudo iptables -A FORWARD -i $iface -o braio -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
62 | | -sudo iptables -A FORWARD -i braio -o $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
| 59 | +# Create tables if not existing |
| 60 | +sudo nft add table inet filter 2>/dev/null |
| 61 | +sudo nft add table ip nat 2>/dev/null |
| 62 | + |
| 63 | +# Create chains if not existing |
| 64 | +sudo nft add chain inet filter forward '{ type filter hook forward priority 0; }' 2>/dev/null |
| 65 | +sudo nft add chain ip nat prerouting '{ type nat hook prerouting priority -100; }' 2>/dev/null |
| 66 | +sudo nft add chain ip nat postrouting '{ type nat hook postrouting priority 100; }' 2>/dev/null |
| 67 | + |
| 68 | +# ----- FILTER RULES ----- |
| 69 | + |
| 70 | +# Allow established/related traffic: $iface → braio |
| 71 | +sudo nft add rule inet filter forward iif "$iface" oif "$braio" ct state established,related accept |
| 72 | + |
| 73 | +# Allow established/related traffic: braio → $iface |
| 74 | +sudo nft add rule inet filter forward iif "$braio" oif "$iface" ct state established,related accept |
| 75 | + |
| 76 | +# ----- PORT-SPECIFIC RULES ----- |
| 77 | + |
63 | 78 | for port in $forwarded_ports; do |
64 | | - # Allow new connections. |
65 | | - sudo iptables -A FORWARD -i $iface -o braio -p tcp --syn --dport $port -m conntrack --ctstate NEW -j ACCEPT |
66 | | - # Destination NAT. |
67 | | - sudo iptables -t nat -A PREROUTING -i $iface -p tcp --dport $port -j DNAT --to-destination $controller_vip |
68 | | - # Source NAT. |
69 | | - sudo iptables -t nat -A POSTROUTING -o braio -p tcp --dport $port -d $controller_vip -j SNAT --to-source $seed_hv_private_ip |
| 79 | + # Allow NEW TCP connections from $iface → braio on this port |
| 80 | + sudo nft add rule inet filter forward \ |
| 81 | + iif "$iface" oif "$braio" tcp dport "$port" ct state new accept |
| 82 | + |
| 83 | + # DNAT: incoming traffic on $iface to controller VIP |
| 84 | + sudo nft add rule ip nat prerouting \ |
| 85 | + iif "$iface" tcp dport "$port" dnat to "$controller_vip" |
| 86 | + |
| 87 | + # SNAT: return traffic going to controller VIP on braio |
| 88 | + sudo nft add rule ip nat postrouting \ |
| 89 | + oif "$braio" ip daddr "$controller_vip" tcp dport "$port" snat to "$seed_hv_private_ip" |
70 | 90 | done |
71 | 91 |
|
72 | 92 | # Configure an IP on the 'public' network to allow access to/from the cloud. |
|