From d6b9d5ee026d3ae4fd2ae970ec7d70dc32c158a2 Mon Sep 17 00:00:00 2001
From: Jeremy Hanmer
Date: Thu, 30 Oct 2014 09:50:34 -0700
Subject: [PATCH] Don't masquerade traffic inbound from the internet

Our MASQUERADE rule was too general. Limit it to internally-sourced traffic.
---
 akanda/router/drivers/iptables.py | 14 +++++++-------
 test/unit/drivers/test_iptables.py | 2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/akanda/router/drivers/iptables.py b/akanda/router/drivers/iptables.py
index 5163ecb..6803706 100755
--- a/akanda/router/drivers/iptables.py
+++ b/akanda/router/drivers/iptables.py
@@ -276,13 +276,6 @@ class IPTablesManager(base.Manager):
 ),
 ip_version=4
 ))
- # Add a masquerade catch-all for VMs without floating IPs
- mgt_if = self.get_management_network(config).interface
- rules.append(Rule(
- '-A POSTROUTING ! -o %s -j MASQUERADE' % mgt_if.ifname,
- ip_version=4
- ))
-
 return rules
 
 def _build_floating_ips(self, config):
@@ -350,6 +343,13 @@ class IPTablesManager(base.Manager):
 ),
 ip_version=4)
 )
+ # Add a masquerade catch-all for VMs without floating IPs
+ mgt_if = self.get_management_network(config).interface
+ rules.append(Rule(
+ '-A PUBLIC_SNAT ! -o %s -j MASQUERADE' % mgt_if.ifname,
+ ip_version=4
+ ))
+
 return rules
 
 def _build_raw_table(self, config):
diff --git a/test/unit/drivers/test_iptables.py b/test/unit/drivers/test_iptables.py
index e7eea3a..8f36802 100644
--- a/test/unit/drivers/test_iptables.py
+++ b/test/unit/drivers/test_iptables.py
@@ -77,6 +77,7 @@ V4_OUTPUT = [
 ':PUBLIC_SNAT - [0:0]',
 '-A PUBLIC_SNAT -m mark --mark 0xACDA -j RETURN',
 '-A PUBLIC_SNAT -s 192.168.0.2 -j SNAT --to 172.16.77.50',
+ '-A PUBLIC_SNAT ! -o eth0 -j MASQUERADE',
 ':PREROUTING ACCEPT [0:0]',
 ':INPUT ACCEPT [0:0]',
 ':OUTPUT ACCEPT [0:0]',
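Review bot: The new rule in the second iptables.py hunk, `'-A PUBLIC_SNAT ! -o %s -j MASQUERADE' % mgt_if.ifname`, still masquerades every packet that reaches PUBLIC_SNAT and leaves on any non-management interface, so the "internally-sourced only" property the commit message claims rests entirely on the rule that jumps into PUBLIC_SNAT, which is outside this hunk; the comment carried over from the removed POSTROUTING rule does not record that dependency, and a later maintainer could move the rule back without noticing the regression. Suggest replacing the comment with `# Catch-all masquerade for VMs without floating IPs. Kept in PUBLIC_SNAT (not POSTROUTING) so it only applies to traffic the chain's jump rule selects, and appended last so the per-floating-IP SNAT rules above win.` The placement within the chain is correct as written: the specific `-s ... -j SNAT` rules precede the catch-all, as the updated V4_OUTPUT fixture in test_iptables.py shows. Both iptables.py hunks sit inside methods whose definitions start outside the hunk, and the jump into PUBLIC_SNAT is not visible here, so whether internet-inbound forwarded traffic can still reach this rule should be confirmed against the full chain.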
@@ -85,7 +86,6 @@ V4_OUTPUT = [
 '-A PREROUTING -i eth1 -d 172.16.77.50 -j DNAT --to-destination 192.168.0.2', # noqa
 '-A PREROUTING -i eth2 -d 172.16.77.50 -j DNAT --to-destination 192.168.0.2', # noqa
 '-A PREROUTING -i eth2 -d 169.254.169.254 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:9602', # noqa
- '-A POSTROUTING ! -o eth0 -j MASQUERADE',
 'COMMIT',
 '*raw',
 ':INPUT - [0:0]',