2 # Script to set up one of the nodes as a NAT gateway for all other nodes.
3 # This is used to ensure that all nodes in the cluster can still originate
4 # traffic to the external network even if there are no public addresses
# Nothing to do on a node that has no NATGW node list configured.
if [ -z "$CTDB_NATGW_NODES" ]; then
    exit 0
fi
# Update capabilities to show whether we support the NATGW capability or not
14 if [ "$CTDB_NATGW_SLAVE_ONLY" = "yes" ] ; then
15 ctdb setnatgwstate off
21 local _ip=`echo $CTDB_NATGW_PUBLIC_IP | cut -d '/' -f1`
22 local _maskbits=`echo $CTDB_NATGW_PUBLIC_IP | cut -d '/' -f2`
24 [ -z "$CTDB_NATGW_PUBLIC_IFACE" ] || {
25 delete_ip_from_iface $CTDB_NATGW_PUBLIC_IFACE $_ip $_maskbits
27 delete_ip_from_iface lo $_ip 32
29 ip route del 0.0.0.0/0 metric 10 >/dev/null 2>/dev/null
31 # Delete the masquerading setup from a previous iteration where we
33 iptables -D POSTROUTING -t nat -s $CTDB_NATGW_PRIVATE_NETWORK -d ! $CTDB_NATGW_PRIVATE_NETWORK -j MASQUERADE >/dev/null 2>/dev/null
# Remove the inbound TCP-SYN REJECT rule we may have on this address.
# NOTE(review): the -d argument on the next line reads `_ip/32`, missing the
# `$` before `_ip`; iptables rejects that as an invalid address (the error is
# hidden by 2>/dev/null), so the stale REJECT rule is never deleted. It should
# read `-d $_ip/32`, matching the delete/insert pair in the recovered arm,
# which uses $CTDB_NATGW_PUBLIC_IP_HOST.
36 iptables -D INPUT -p tcp --syn -d _ip/32 -j REJECT 2>/dev/null
41 [ -z "$CTDB_PUBLIC_ADDRESSES" ] && {
42 CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses
44 egrep "^$CTDB_NATGW_PUBLIC_IP[ \t]" $CTDB_PUBLIC_ADDRESSES >/dev/null
46 echo ERROR: NATGW configured to use a public address. NATGW must not use a public address.
# arp_ignore=3: do not answer ARP requests for local addresses configured
# with scope 'host' (the NATGW address is added to lo with scope host below)
51 echo 3 > /proc/sys/net/ipv4/conf/all/arp_ignore
# arp_announce=2: always use the best local address as the ARP source, so the
# loopback-scoped NATGW address is never advertised on the wire
53 echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
56 recovered|updatenatgw|ipreallocated)
57 MYPNN=`ctdb pnn | cut -d: -f2`
58 NATGWMASTER=`ctdb natgwlist | head -1 | sed -e "s/ .*//"`
59 NATGWIP=`ctdb natgwlist | head -1 | sed -e "s/^[^ ]* *//"`
61 CTDB_NATGW_PUBLIC_IP_HOST=`echo $CTDB_NATGW_PUBLIC_IP | sed -e "s/\/.*/\/32/"`
# Reject new inbound TCP connections (SYN) to the natgw address on every node.
# Only TCP is filtered here; UDP and ICMP to the address are not blocked.
64 iptables -D INPUT -p tcp --syn -d $CTDB_NATGW_PUBLIC_IP_HOST -j REJECT 2>/dev/null
65 iptables -I INPUT -p tcp --syn -d $CTDB_NATGW_PUBLIC_IP_HOST -j REJECT 2>/dev/null
68 if [ "$NATGWMASTER" = "-1" ]; then
69 echo "There is no NATGW master node"
75 if [ "$MYPNN" = "$NATGWMASTER" ]; then
# This node is the current NATGW master: enable IP forwarding and
# masquerade traffic leaving the private network for the outside
77 echo 1 >/proc/sys/net/ipv4/ip_forward
78 iptables -A POSTROUTING -t nat -s $CTDB_NATGW_PRIVATE_NETWORK -d ! $CTDB_NATGW_PRIVATE_NETWORK -j MASQUERADE
# Reject new inbound TCP connections (SYN) to the natgw address (re-applied
# on the master so the rule exists before the address is brought up).
# Only TCP is filtered here; UDP and ICMP to the address are not blocked.
81 CTDB_NATGW_PUBLIC_IP_HOST=`echo $CTDB_NATGW_PUBLIC_IP | sed -e "s/\/.*/\/32/"`
82 iptables -D INPUT -p tcp --syn -d $CTDB_NATGW_PUBLIC_IP_HOST -j REJECT 2>/dev/null
83 iptables -I INPUT -p tcp --syn -d $CTDB_NATGW_PUBLIC_IP_HOST -j REJECT 2>/dev/null
85 ip addr add $CTDB_NATGW_PUBLIC_IP dev $CTDB_NATGW_PUBLIC_IFACE
86 ip route add 0.0.0.0/0 via $CTDB_NATGW_DEFAULT_GATEWAY >/dev/null 2>/dev/null
# This node is not the NATGW master.
# Assign the NATGW public address to the loopback interface with host
# scope; arp_ignore=3 / arp_announce=2 (set at startup) keep this node
# from answering or sourcing ARP for it, and the default route below sends
# outbound traffic via the master. The address still has to exist locally
# so that samba may send it along in the
94 ip addr add $CTDB_NATGW_PUBLIC_IP_HOST dev lo scope host
95 ip route add 0.0.0.0/0 via $NATGWIP metric 10
98 # flush our route cache
99 echo 1 > /proc/sys/net/ipv4/route/flush
102 shutdown|stopped|removenatgw)
107 ctdb_standard_event_handler "@"