Shorewall DNAT port-forwarding proxy

Overview

This proxy mechanism relies on dynamically manipulating firewall rules on a Linux host running the Shorewall firewall management framework: rules are installed and removed to remap the internal IP address and port of a VM (typically port 22, SSH) to the publicly addressable IP address of the firewall host and a different port number. The additional scripts developed for Shorewall are independent of ORCA; however, they bridge the gap between Shorewall and ORCA handlers by providing a simple API that lets the user (remotely) add and remove DNAT port-forwarding rules for VMs.

Installation

  • Install and configure Shorewall on the NAT host.
  • Download the additional Shorewall-DNAT scripts (check out the appropriate tag):
    $ svn co https://geni-orca.renci.org/svn/orca-external/substrate-proxies/shorewall-dnat/tags/some-tag shorewall-dnat

  • Follow the installation instructions in the INSTALL file of the release.

Running

Two modes are possible:

  • server-based - ensures that all commands are serialized and executed in order of arrival, but requires running a server on the NAT host
  • command-based - serialization is still guaranteed, but not the order in which the commands are executed

See the README file in the release for more information.

ORCA integration

Once installed and tested, the details of the installation should be configured in the ec2.site.properties file. Read this document for details.

Pitfalls

Be sure to allow tomcat connections (if the ORCA tomcat is also running on the proxy host). Append the following to /etc/shorewall/rules:

# ORCA tomcat
ACCEPT          net             $FW             tcp     11080
ACCEPT          loc             $FW             tcp     11080
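The add/remove operations the Overview describes, as an added example written here and not code from the shorewall-dnat release: each VM gets one Shorewall DNAT line mapping a public port on the NAT host to the VM's internal address, and inputs are validated before a line is written. The net/loc zone names, the rules file path and the reserved-port list (22 plus the tomcat port 11080 from the Pitfalls section) are assumptions.

```shell
# Added example, not code from the shorewall-dnat release: build, add and
# remove one Shorewall DNAT rule per VM in a rules file.  The line format is
# Shorewall's own (ACTION SOURCE DEST PROTO DPORT); the zone names net/loc,
# the reserved-port list and the file path are assumptions.
RESERVED_PORTS="22 11080"   # ports the NAT host itself uses (11080: ORCA tomcat, see Pitfalls)

is_port() {                 # 1-65535, digits only
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_public_port() {          # unprivileged range, and never a port the host listens on
    is_port "$1" && [ "$1" -ge 1024 ] || return 1
    for r in $RESERVED_PORTS; do [ "$1" -ne "$r" ] || return 1; done
}

is_ipv4() {                 # dotted quad, each octet 0-255
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    (IFS=.; for o in $1; do [ "$o" -le 255 ] || exit 1; done)
}

dnat_rule() {               # dnat_rule PUBLIC_PORT VM_IP [VM_PORT=22] -> prints the rule line
    pub=$1; vm=$2; vport=${3:-22}
    is_public_port "$pub" && is_ipv4 "$vm" && is_port "$vport" || return 1
    printf 'DNAT\tnet\tloc:%s:%s\ttcp\t%s\n' "$vm" "$vport" "$pub"
}

add_dnat() {                # add_dnat RULES_FILE PUBLIC_PORT VM_IP [VM_PORT]; refuses a public port already in use
    file=$1; shift
    rule=$(dnat_rule "$@") || return 1
    grep -Eq "^DNAT.*[[:space:]]tcp[[:space:]]+$1\$" "$file" && return 1
    printf '%s\n' "$rule" >> "$file"
}

remove_dnat() {             # remove_dnat RULES_FILE PUBLIC_PORT: drop the DNAT line for that public port
    awk -v p="$2" '!($1 == "DNAT" && $4 == "tcp" && $5 == p)' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
# After editing the file the ruleset still has to be recompiled and loaded with
# the shorewall CLI (e.g. "shorewall restart"); this example does not do that.
```

The duplicate check is what keeps two VMs from silently competing for the same public port when requests arrive in the command-based mode.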