31 lines
1.4 KiB
Plaintext
31 lines
1.4 KiB
Plaintext
|
#!/bin/bash
|
||
|
|
||
|
echo 'Enabling IP forwarding'
|
||
|
sed '/net.ipv4.ip_forward=1/s/^#//g' -i /etc/sysctl.conf &&
|
||
|
sysctl -p /etc/sysctl.conf &&
|
||
|
/etc/init.d/procps restart
|
||
|
|
||
|
echo 'Setting Routes'
|
||
|
ip route add ${landing-untrusted-other-region} via ${gateway-untrusted} dev ens4
|
||
|
ip route add ${landing-trusted-other-region} via ${gateway-trusted} dev ens5
|
||
|
ip route add ${dev-default-ew1-cidr} via ${gateway-trusted} dev ens5
|
||
|
ip route add ${dev-default-ew4-cidr} via ${gateway-trusted} dev ens5
|
||
|
ip route add ${prod-default-ew1-cidr} via ${gateway-trusted} dev ens5
|
||
|
ip route add ${prod-default-ew4-cidr} via ${gateway-trusted} dev ens5
|
||
|
ip route add ${onprem-main-cidr} via ${gateway-trusted} dev ens5
|
||
|
|
||
|
echo 'Adding PBR rules to answer HCs also from the secondary nic'
|
||
|
grep -qxF '200 hc' /etc/iproute2/rt_tables || echo '200 hc' >> /etc/iproute2/rt_tables
|
||
|
ip_addr_ens5=$(ip route ls table local | awk '/ens5 proto 66 scope host/ {print $2}')
|
||
|
while [ -z $ip_addr_ens5 ]; do
|
||
|
echo 'Waiting for networking stack to be ready'
|
||
|
sleep 2
|
||
|
ip_addr_ens5=$(ip route ls table local | awk '/ens5 proto 66 scope host/ {print $2}')
|
||
|
done
|
||
|
ip rule add from $ip_addr_ens5 lookup hc
|
||
|
ip route add default via ${gateway-trusted} dev ens5 table hc
|
||
|
|
||
|
echo 'Setting NAT masquerade (for Internet connectivity)'
|
||
|
iptables --append FORWARD --in-interface ens5 -j ACCEPT
|
||
|
iptables --table nat --append POSTROUTING --out-interface ens4 -j MASQUERADE
|