cookbooks/mu-utility/recipes/nat.rb
#
# Cookbook Name:: mu-utility
# Recipe:: nat
#
# Copyright:: Copyright (c) 2014 eGlobalTech, Inc., all rights reserved
#
# Licensed under the BSD-3 license (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License in the root of the project or at
#
# http://egt-labs.com/mu/LICENSE.html
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
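# Turn this node into a NAT gateway for a private subnet:
#   * masquerade traffic from the private block out of eth0 and allow it to be
#     forwarded (RHEL via the firewall cookbook, Debian via ufw's before.rules),
#   * enable kernel IP forwarding,
#   * allow SSH tunneling / TCP forwarding so the host can double as a bastion.
# Windows is a no-op; any other platform family only gets the sshd change.
if platform_family?("windows")
  Chef::Log.info "I don't know how to make Windows be a NAT host"
else
  require 'ipaddr'

  # Private network that is NATed. Defaults to 10.0.0.0/16 and can be
  # overridden through node['application_attributes']['nat']['private_net'].
  # Each level of the lookup is nil-checked explicitly instead of wrapping the
  # whole thing in `rescue NoMethodError`, which used to hide every
  # NoMethodError raised here, not just a missing attribute.
  ip_block = "10.0.0.0/16"
  app_attrs = node['application_attributes']
  nat_attrs = app_attrs && app_attrs['nat']
  private_net = nat_attrs && nat_attrs['private_net']
  ip_block = private_net.to_s unless private_net.nil? || private_net.to_s.empty?

  # The block is interpolated into iptables rules and into bash heredocs
  # below, so fail the run early if it is not a plain IPv4 address/CIDR
  # rather than emitting a malformed rule or an unexpected shell word.
  begin
    parsed_block = IPAddr.new(ip_block)
  rescue ArgumentError => e
    raise ArgumentError, "nat private_net #{ip_block.inspect} is not a valid IP network: #{e.message}"
  end
  unless parsed_block.ipv4?
    raise ArgumentError, "nat private_net #{ip_block.inspect} must be an IPv4 network"
  end

  # Name of the sshd service as init knows it. "sshd" is the default so the
  # restart below never runs with an empty service name on a platform family
  # that is not handled explicitly.
  ssh_service_name = "sshd"

  # These globals are kept because other recipes in the run list may still
  # read them; new code should use the locals above.
  $ip_block = ip_block
  $ssh_service_name = ssh_service_name

  if platform_family?("rhel")
    if node['platform_version'].to_i == 7
      # Iptables or FirewallD are not installed by default on CentOS7. Using iptables for backwards compatibility.
      # Looks like only the AWS marketplace image doesn't have FirewallD installed by default. Clean installation of CentOS7 minimal does, so removing.
      package "firewalld" do
        action :remove
      end
      package "iptables-services"
    end

    # Skeleton ruleset for the firewall cookbook's iptables provider; the
    # firewall_rule resources below slot in by position between these lines.
    node.default['firewall']['iptables']['defaults']['ruleset'] = {
      '*filter' => 1,
      ':INPUT DROP' => 2,
      ':FORWARD ACCEPT' => 3, # we'll add a DROP after the other stuff
      ':OUTPUT ACCEPT_FILTER' => 4,
      'COMMIT_FILTER' => 100,
      '*nat' => 101,
      ':OUTPUT ACCEPT_NAT' => 104,
      'COMMIT_NAT' => 200
    }

    # nat table: rewrite the source of outbound private traffic to eth0's address.
    firewall_rule "NAT postrouting" do
      raw "-A POSTROUTING -o eth0 -s #{ip_block} -j MASQUERADE"
      position 150
    end

    # filter table, FORWARD chain: replies first, then anything originating in
    # the private block, then drop the rest (position 99, before COMMIT_FILTER).
    firewall_rule "NAT stateful connections" do
      raw "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
      position 97
    end
    firewall_rule "inbound from NAT network" do
      raw "-A INPUT -s #{ip_block} -j ACCEPT"
      position 98
    end
    firewall_rule "NAT forwarding" do
      raw "-A FORWARD -s #{ip_block} -j ACCEPT"
      position 98
    end
    firewall_rule "NAT forwarding drop other traffic" do
      raw "-A FORWARD -j DROP"
      position 99
    end

    # `sysctl -w` only changes the running kernel; the drop-in file below makes
    # the same settings survive a reboot.
    bash "make sure ip forwarding is enabled for NAT traffic" do
      code <<-EOH
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.eth0.send_redirects=0
      EOH
    end
    file "/etc/sysctl.d/99-mu-nat.conf" do
      content "net.ipv4.ip_forward = 1\nnet.ipv4.conf.eth0.send_redirects = 0\n"
      owner "root"
      group "root"
      mode "0644"
    end
  elsif platform_family?("debian")
    ssh_service_name = "ssh"
    $ssh_service_name = ssh_service_name
    # XXX port this to firewall_rule
    # The guard uses a basic regex where `*` directly after `^` is literal, so
    # it matches a line that begins with "*nat" (i.e. the nat table we add).
    # ufw's sysctl.conf persists ip_forward on this platform.
    bash "enable NAT with ufw" do
      not_if "grep '^*nat' /etc/ufw/before.rules"
      code <<-EOH
sed -i 's/DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
echo "net.ipv4.ip_forward=1" >> /etc/ufw/sysctl.conf
echo '*nat' >> /etc/ufw/before.rules
echo ':POSTROUTING ACCEPT [0:0]' >> /etc/ufw/before.rules
echo '-A POSTROUTING -s #{ip_block} -o eth0 -j MASQUERADE' >> /etc/ufw/before.rules
echo 'COMMIT' >> /etc/ufw/before.rules
      EOH
    end
  else
    Chef::Log.warn "mu-utility::nat: no NAT firewall rules for platform family #{node['platform_family']}; only sshd tunneling is configured"
  end

  # Resource name is referenced by the notification below (and possibly by
  # other recipes), so it is left unchanged.
  execute "restart sshd" do
    command "/sbin/service #{ssh_service_name} restart"
    action :nothing
  end

  # sshd_config takes the first value it sees for a keyword, so these appended
  # lines only take effect if PermitTunnel/AllowTcpForwarding are not already
  # set earlier in the file. The guard only checks PermitTunnel, which is the
  # first line this block adds.
  bash "enable SSH tunneling" do
    not_if "grep '^PermitTunnel yes' /etc/ssh/sshd_config"
    code <<-EOH
echo "" >> /etc/ssh/sshd_config
echo "PermitTunnel yes" >> /etc/ssh/sshd_config
echo "" >> /etc/ssh/sshd_config
echo "AllowTcpForwarding yes" >> /etc/ssh/sshd_config
    EOH
    notifies :run, "execute[restart sshd]", :immediately
  end
end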