[SOLVED] Configure Gateway

Dear all,

I am starting to configure a pretty small cluster with 1 access node (head) and 2 nodes for calculation (node). The problem is that for configuring the node I need internet access for them. So I need to configure the head as a gateway. For my user I already have ssh with no password working.

For the head side:

enp3s0 Address: -> Cluster network
enp4s0 Automatic IP Address -> Internet access

from “cat /proc/sys/net/ipv4/ip_forward” the answer is “1”

I configured iptables as:

sudo iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
sudo iptables -A FORWARD -i enp4s0 -o enp3s0 -j ACCEPT
sudo iptables -A FORWARD -i enp3s0 -o enp4s0 -m state --state RELATED,ESTABLISHED -j ACCEPT

And the node side:

eno1 Address: -> Cluster network
DNS servers: XX.XX.XX.XX -> internet access from head node

It should be working, right? What am I missing?

I am using nmtui to configure the network.



PS2: I need internet access to install bundles. Is there other way to do this?

The last 2 lines are possibly not needed depending on the policy of the table. If the policy is ACCEPT, then these 2 lines do nothing.

I also wouldn’t do it this way. You shouldn’t filter outbound traffic at all with -m state - just omit that line at first until you are ready to filter traffic much more closely.

Try without these 2 FORWARD rules, then grow your rules from there.

If your head+nodes are entirely internal to your network, all you need is to MASQUERADE anyway. (Although if the head node has a static IP on enp4s0 you should prefer SNAT over MASQUERADE).

@ahkok, thank you very much for your answer.

The rules I used for iptables were:

sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE

Also there was a typo error in the client side.

Everything is working as desired now.

As you could see, I am a newbie about iptables. So I have two questions.

1- These rules aren’t permanent. How do I make it?

2- Is it safe to make these rules permanent and control the internet access only changing with the /proc/sys/net/ipv4/ip_forward to 0 or 1?

I will set this issue as solved anyways.

Thanks in advance.


Use the iptables-save.service and iptables-restore.service units. There are other ways, but that one is available by default. (hint: you’d run sudo systemctl start iptables-save.service once, and then systemctl enable iptables-restore.service so that on each boot, the saved rules get restored)

If they work they work, right? Yes, you can use that as an effective toggle.
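
Before saving rules so they are restored on every boot, the dump can be checked for the mistake in the first post, where MASQUERADE was bound to the cluster interface instead of the internet-facing one. The script below is an added example, not code from any poster in this thread; the function names are hypothetical, the interface names are the thread's, and the two dumps are constructed.

```shell
# Added example: audit an iptables-save dump for the gateway setup in this thread.
# Thread's interface names: enp3s0 = cluster side, enp4s0 = internet side.
# nat_status WAN_IF < dump
#   exit 0: POSTROUTING rewrites the source of traffic leaving WAN_IF
#   exit 1: a MASQUERADE/SNAT rule exists, but bound to another interface
#   exit 2: no MASQUERADE/SNAT rule in the nat table
nat_status() {
    awk -v wan="$1" '
        /^\*/ { table = substr($0, 2) }             # "*nat", "*filter" open a table
        table == "nat" && /^-A POSTROUTING / && /-j (MASQUERADE|SNAT)/ {
            found = 1; out = ""
            for (i = 1; i < NF; i++) if ($i == "-o") out = $(i + 1)
            if (out == "" || out == wan) ok = 1      # no -o matches every interface
        }
        END { exit ok ? 0 : (found ? 1 : 2) }
    '
}

# forward_policy < dump : prints the FORWARD chain policy of the filter table.
# With policy DROP, a lone RELATED,ESTABLISHED rule admits no new connections.
forward_policy() {
    awk '/^\*/ { table = substr($0, 2) }
         table == "filter" && $1 == ":FORWARD" { print $2 }'
}

# Constructed dumps in iptables-save format (not captured from a real host).
FIRST_POST='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp3s0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'
WORKING='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp4s0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

report() {  # report LABEL DUMP WAN_IF
    rc=0
    printf '%s\n' "$2" | nat_status "$3" || rc=$?
    echo "$1: nat_status=$rc forward_policy=$(printf '%s\n' "$2" | forward_policy)"
}
report "first post" "$FIRST_POST" enp4s0
report "working rules" "$WORKING" enp4s0
```

On the head node the same check can be run against the live ruleset with `sudo iptables-save | nat_status enp4s0`.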