I am starting to configure a pretty small cluster with 1 access node (head) and 2 nodes for calculation (node). The problem is that for configuring the node I need internet access for them. So I need to configure the head as a gateway. For my user I already have ssh with no password working.
The last 2 lines are possibly not needed depending on the policy of the table. If the policy is ACCEPT, then these 2 lines do nothing.
I also wouldn’t do it this way. You shouldn’t filter outbound traffic at all with -m state - just omit that line at first until you are ready to filter traffic much more closely.
Try without these 2 FORWARD rules, then grow your rules from there.
If your head+nodes are entirely internal to your network, all you need is to MASQUERADE anyway. (Although if the head node has a static IP on enp4s0 you should prefer SNAT over MASQUERADE).
Use the iptables-save.service and iptables-restore.service units. There are other ways, but that one is available by default. (hint: you’d run sudo systemctl start iptables-save.service once, and then systemctl enable iptables-restore.service so that on each boot, the saved rules get restored)
If they work they work, right? Yes, you can use that as an effective toggle.
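Putting the thread's advice together, as an added example that is not from any of the posters: a POSIX shell script that prints the rule set for the head node, preferring SNAT when a static external address is given and falling back to MASQUERADE otherwise, with the two FORWARD rules kept only for a DROP policy. enp4s0 is the external interface named in the thread; the internal interface name, LAN subnet and static address used in the usage line are assumptions.

```shell
#!/bin/sh
# nat_rules.sh: emit the iptables commands that turn the head node into a NAT
# gateway for the compute nodes. Prints the commands instead of running them so
# the set can be reviewed first; pipe through `sudo sh` to apply.
#
# Usage: nat_rules.sh <wan_if> <lan_if> <lan_cidr> [static_wan_ip]
#   e.g. nat_rules.sh enp4s0 enp5s0 10.0.0.0/24 203.0.113.10
#   (enp5s0, 10.0.0.0/24 and 203.0.113.10 are assumed sample values)

gen_nat_rules() {
    wan_if=$1; lan_if=$2; lan_cidr=$3; wan_ip=$4

    # The kernel must forward packets between interfaces
    # (make this persistent via /etc/sysctl.d on a real host).
    echo "sysctl -w net.ipv4.ip_forward=1"

    if [ -n "$wan_ip" ]; then
        # Static external address: SNAT is preferred over MASQUERADE because
        # the address is fixed and conntrack entries survive a link flap.
        echo "iptables -t nat -A POSTROUTING -s $lan_cidr -o $wan_if -j SNAT --to-source $wan_ip"
    else
        # Dynamic external address: MASQUERADE picks the interface address per packet.
        echo "iptables -t nat -A POSTROUTING -s $lan_cidr -o $wan_if -j MASQUERADE"
    fi

    # Only needed when the FORWARD chain policy is DROP; with ACCEPT they are no-ops.
    # Outbound from the compute LAN is allowed unconditionally; inbound is limited
    # to replies so the nodes are never reachable from the outside.
    echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_cidr -j ACCEPT"
    echo "iptables -A FORWARD -i $wan_if -o $lan_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Run as a script: print the rules for the given arguments.
if [ "$#" -ge 3 ]; then
    gen_nat_rules "$@"
fi
```

After applying and verifying from a node, `sudo systemctl start iptables-save.service` captures the set as described in the thread.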