Building the ACM Cluster, Part 9: Setting up masquerade with iptables

Alright! Lets get this started again.  There is one last thing we need to do in order to have networking on the cluster functional.  Right now, the nodes inside the cluster can’t speak to the outside world.  While we set up the head node to be able to speak to things on every interface, we haven’t yet told it how to move traffic from one interface to another.

Making the Gateway

In normal clusters, there are three types of notes - workers, gateways and head nodes.  Workers do whatever task the cluster is intended for.  Head noes manage the workers.  And finally, gateways, which allow the worker nodes to communicate with things outside the cluster.

Gateways are needed because clusters often use IP addresses which are not publicly routeable.  The gateway allows the entire cluster to sit behind one IP address and is in charge of routing traffic properly.  This process is called Network Address Translation.  In many ways, this makes the gateway like your home router.

Anyway, we’re going to be using iptables to implement NAT.  Fortunately, this is a cmmon use for iptables, so it is very simple to set up.  Simply type the following:

# iptables --table nat --append POSTROUTING --out-interface bond0.2 -j MASQUERADE
# iptables --table nat --append POSTROUTING --out-interface bond0.3 -j MASQUERADE
# iptables --append FORWARD --in-interface bond0.def -j ACCEPT

and check that it took.

# iptables -L -t nat<

You should see something like the following:

target     prot opt source               destination         

target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            
MASQUERADE  all  --  anywhere             anywhere            
MASQUERADE  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Finally, we need to save these setting so they get recalled on the next boot.  On a CentOS machine this is trivially simple:

# service iptables save

And done.  That was nice and simple.