This is a section from my web pages Musings/Experiments With A Virtual Data Center.
Connectivity between the datacenters and the backbone network is via Linux routers. These routers are tri-homed hosts with interfaces to two datacenter networks, eth0 and eth1, and a connection to the backbone network, eth2. The network interface and network number assignments are:
| Datacenter | Interface | Datacenter Net1 | Interface | Datacenter Net2 | Interface | Backbone Network |
|---|---|---|---|---|---|---|
| Palo Alto | ethX | 172.16.41.0 | ethX | 172.16.42.0 | eth2 | 172.16.32.0 |
| San Francisco | ethX | 172.16.49.0 | ethX | 172.16.50.0 | eth2 | 172.16.32.0 |
| New York | ethX | 172.16.57.0 | ethX | 172.16.58.0 | eth2 | 172.16.32.0 |
The initial configuration of the network interfaces was handled by the InitClient script I wrote, which is run when a Linux router is first cloned from the generic vmhost.
Enabling IP forwarding on the routers
To enable IP forwarding on the routers, the /etc/sysctl.conf file needs to be edited to change the value 0 to 1 in the line:

```
net.ipv4.ip_forward = 0
```

This can be done in cfengine with an editing command in the editfiles: section of the cfagent configuration file.
We do not want to enable IP forwarding on all the hosts, so we need to limit the application of the edit. You do this in cfengine using "classes". There are a multitude of classes that cfengine automatically defines, including classes based on the IP networks the host is connected to and the IP addresses used by the host.
The cfengine class we will use is ipv4_172_16_32. All of the Linux routers are connected to the backbone network, so they will have this network class set.
```
1: editfiles:
2: ipv4_172_16_32::
3:   { /etc/sysctl.conf
4:     AutoCreate
5:     BeginGroupIfNoLineMatching "^net.ipv4.ip_forward =.*"
6:       Append "net.ipv4.ip_forward ="
7:     EndGroup
8:     LocateLineMatching "^net.ipv4.ip_forward =.*"
9:     ReplaceLineWith "net.ipv4.ip_forward = 1"
10:  }
```
Line 2 is the class test: the edit will only be made if the host has the class ipv4_172_16_32 set. Line 3 indicates which file to edit. Line 4 will create the sysctl.conf file if it does not exist. Lines 5-7 add a net.ipv4.ip_forward = line if no such line is found in the existing sysctl.conf file. Lines 8-9 locate the net.ipv4.ip_forward = line in the file and replace it with the same line with the value set to 1.
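As an added illustration (not part of the original page and not cfengine code), the following Python emulates what lines 2-9 of the editfiles block do: the ipv4_172_16_32 class test, the AutoCreate/Append fallback, and the locate-and-replace, so the idempotent result can be checked against sample sysctl.conf contents. The page only names the class ipv4_172_16_32; the per-octet ipv4_ class hierarchy generated below is assumed cfengine 2 behaviour, and the sample file contents are constructed.

```python
from __future__ import annotations
import re
from ipaddress import IPv4Address
from typing import Optional, Set, List, Tuple

# Pattern and replacement text taken from lines 5, 8 and 9 of the editfiles block.
IP_FORWARD_RE = re.compile(r"^net.ipv4.ip_forward =.*")
WANTED_LINE = "net.ipv4.ip_forward = 1"


def network_classes(addr: str) -> Set[str]:
    """Network classes for one interface address, cfengine 2 style (assumed):
    one class per octet prefix, e.g. 172.16.32.5 gives ipv4_172, ipv4_172_16,
    ipv4_172_16_32 and ipv4_172_16_32_5. The page relies on the /24 form."""
    octets = str(IPv4Address(addr)).split(".")
    return {"ipv4_" + "_".join(octets[: i + 1]) for i in range(4)}


def edit_sysctl(text: Optional[str]) -> str:
    """Emulate lines 3-9: AutoCreate (None means the file does not exist yet),
    Append the key when no line matches (lines 5-7), then LocateLineMatching
    the first matching line and ReplaceLineWith the value set to 1 (lines 8-9).
    Running it on its own output changes nothing."""
    lines: List[str] = [] if text is None else text.splitlines()
    idx = next((i for i, line in enumerate(lines) if IP_FORWARD_RE.match(line)), None)
    if idx is None:
        lines.append("net.ipv4.ip_forward =")  # Append inside the BeginGroup/EndGroup
        idx = len(lines) - 1
    lines[idx] = WANTED_LINE  # ReplaceLineWith
    return "\n".join(lines) + "\n"


def apply_policy(host_addrs: List[str], sysctl_text: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Gate the edit on the class test of line 2: only a host with an interface
    on the 172.16.32.0 backbone network has ipv4_172_16_32 set and gets edited.
    Returns (edited?, resulting file contents)."""
    classes: Set[str] = set()
    for addr in host_addrs:
        classes |= network_classes(addr)
    if "ipv4_172_16_32" not in classes:
        return False, sysctl_text
    return True, edit_sysctl(sysctl_text)


if __name__ == "__main__":
    # Constructed sample: a Palo Alto router (eth0, eth1, eth2) with the stock sysctl.conf line.
    print(apply_policy(["172.16.41.1", "172.16.42.1", "172.16.32.1"], "net.ipv4.ip_forward = 0\n"))
    # Constructed sample: an ordinary datacenter host, which must be left alone.
    print(apply_policy(["172.16.41.10"], "net.ipv4.ip_forward = 0\n"))
```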
Allowing packet routing in the iptables on the routers
While enabling IP forwarding will allow the kernel to forward packets, the packets will still be blocked by the iptables packet filtering rules. In this first pass of configuring the routers we will simply open iptables wide open:

```
# A wide open router configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -j ACCEPT
COMMIT
```

Since there will be many files that we will want to push from the cfengine master to the routers, we will create a routers sub-directory in the /home/masterfiles directory. Files to be pushed to the servers will be stored in their normal path below the routers directory, so the iptables file will be stored in /home/masterfiles/routers/etc/sysconfig/iptables.
The file will be pushed to the routers in the copy: section of the cfagent configuration. Again we test the class ipv4_172_16_32 and install the file only on hosts with this class set.

```
copy:
ipv4_172_16_32::
    $(master_dir)/routers/etc/sysconfig/iptables
        dest=/etc/sysconfig/iptables
        type=checksum
        server=$(policyhost)
```