guide:Nat
Requirements
The DGI reference installation uses this mechanism for communication between the internal network (worker nodes) and the external networks (service nodes and, if needed, central services). One example of such communication is a job transfer from the worker nodes to the gLite CE via GridFTP, using the hostname from the CE host certificate.
The NAT server works at the same time as a firewall and as a proxy for the worker nodes. In this configuration, traffic from the worker nodes to the external network passes only through the NAT server and does not use the service nodes.
Installation
The NAT server uses the iptables package provided by the operating system.
Configuration
nat.sh script
The NAT rules are defined in /usr/local/sbin/nat.sh.
# cat /usr/local/sbin/nat.sh
#!/bin/sh
echo -e "\n\nSETTING UP IPTABLES NAT SERVER..."

# Internal (worker node) and external interfaces of the NAT server
INTIF="eth0"
EXTIF="eth1"
EXTIP="External IP"

echo "Loading required stateful/NAT kernel modules..."
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp

echo " Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " External interface: $EXTIF"
echo " External interface IP address is: $EXTIP"

echo " Loading nat server rules..."
# Reset the filter chains; only forwarded traffic is filtered by default
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F

# Allow replies to connections opened from the internal net, and all outbound traffic
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Hide worker nodes behind the external interface address
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e " Nat server rule loading complete\n\n"
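The shape of the ruleset nat.sh installs can be checked on the running host against iptables-save output. The following audit is an added example and not part of the DGI guide: it parses a constructed iptables-save sample (eth0 internal, eth1 external, as in nat.sh) and flags deviations from the intended policy, including the INPUT ACCEPT default that leaves the NAT host itself unfiltered.

```python
# Constructed sample of `iptables-save` output for a host running nat.sh.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
"""


def parse_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [rule, ...]}}."""
    tables, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":") and cur is not None:
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A") and cur is not None:
            cur["rules"].append(line)
    return tables


def audit_nat(text, intif="eth0", extif="eth1"):
    """Return findings for a NAT ruleset; an empty list means it matches nat.sh's intent."""
    t = parse_save(text)
    empty = {"policy": {}, "rules": []}
    filt, nat = t.get("filter", empty), t.get("nat", empty)
    ret = f"-i {extif} -o {intif}"  # direction of return traffic into the worker net
    findings = []
    if filt["policy"].get("FORWARD") != "DROP":
        findings.append("FORWARD default policy is not DROP")
    if not any(ret in r and "ESTABLISHED" in r and "-j ACCEPT" in r for r in filt["rules"]):
        findings.append("no stateful return-traffic rule from external to internal")
    if any(ret in r and "ESTABLISHED" not in r and "-j ACCEPT" in r for r in filt["rules"]):
        findings.append("unconditional ACCEPT from external to internal")
    if not any(f"-o {extif}" in r and "-j MASQUERADE" in r for r in nat["rules"]):
        findings.append(f"no MASQUERADE on {extif}")
    if filt["policy"].get("INPUT") == "ACCEPT":
        findings.append("INPUT default policy is ACCEPT: the NAT host itself is not filtered")
    return findings
```

On a live host, feed it the real output with `audit_nat(subprocess.check_output(["iptables-save"], text=True))`.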
In /etc/sysconfig/network on every worker node, set the internal IP address of the NAT server as the gateway, then restart networking:
# cat /etc/sysconfig/network
GATEWAY="gateway IP"
# service network restart
init script /etc/init.d/nat
To start the /etc/init.d/nat init script automatically at boot, register it with chkconfig:
# chkconfig --add nat