Don't masquerade traffic inbound from the internet

Our MASQUERADE rule was too general.  Limit it to internally-sourced
traffic.

akanda/router/drivers/iptables.py

@@ -276,13 +276,6 @@ class IPTablesManager(base.Manager):
                     ), ip_version=4
                 ))
 
-        # Add a masquerade catch-all for VMs without floating IPs
-        mgt_if = self.get_management_network(config).interface
-        rules.append(Rule(
-            '-A POSTROUTING ! -o %s -j MASQUERADE' % mgt_if.ifname,
-            ip_version=4
-        ))
-
         return rules
 
     def _build_floating_ips(self, config):
@@ -350,6 +343,13 @@ class IPTablesManager(base.Manager):
                     ), ip_version=4)
                 )
 
+        # Add a masquerade catch-all for VMs without floating IPs
+        mgt_if = self.get_management_network(config).interface
+        rules.append(Rule(
+            '-A PUBLIC_SNAT ! -o %s -j MASQUERADE' % mgt_if.ifname,
+            ip_version=4
+        ))
+
         return rules
 
     def _build_raw_table(self, config):

test/unit/drivers/test_iptables.py

@@ -77,6 +77,7 @@ V4_OUTPUT = [
     ':PUBLIC_SNAT - [0:0]',
     '-A PUBLIC_SNAT -m mark --mark 0xACDA -j RETURN',
     '-A PUBLIC_SNAT -s 192.168.0.2 -j SNAT --to 172.16.77.50',
+    '-A PUBLIC_SNAT ! -o eth0 -j MASQUERADE',
     ':PREROUTING ACCEPT [0:0]',
     ':INPUT ACCEPT [0:0]',
     ':OUTPUT ACCEPT [0:0]',
@@ -85,7 +86,6 @@ V4_OUTPUT = [
     '-A PREROUTING -i eth1 -d 172.16.77.50 -j DNAT --to-destination 192.168.0.2',  # noqa
     '-A PREROUTING -i eth2 -d 172.16.77.50 -j DNAT --to-destination 192.168.0.2',  # noqa
     '-A PREROUTING -i eth2 -d 169.254.169.254 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:9602',  # noqa
-    '-A POSTROUTING ! -o eth0 -j MASQUERADE',
     'COMMIT',
     '*raw',
     ':INPUT - [0:0]',