更新natgw.service iptables

deploy_env/group_vars/all.yml

@@ -18,15 +18,14 @@ wannat_global:
         NAT_GW_tunnel_remote_port: 3544
         
     natgw:
-        run_type: 0
-        config_type: 1
         wannat_ip: "192.168.40.161"
         wannat_port: 3545
         natgw_bind_port: 3544
-        device: "eth0"
+        layer2_gateway_device: "eth0"
-        vpn_client_ip_cidr: "10.10.120.0/24"
+        location_compare_type: 0
-        country_location: "private"
+        country_location:  "Set_your_geographic_location"
-        province_location: "private"
+        province_location: "Set_your_geographic_location"
+        ctrl_device_ip_addr: "192.168.40.134"
 
     toroad:
         http_server_listen_port: 8888

roles/natgw/templates/monit_natgw.j2

@@ -1,29 +0,0 @@
-#!/bin/sh
-
-while [ 1 ]; do
-	count=`ls -l core.* |wc -l`
-        if [ $count -lt 3 ]
-        then
-#               echo "set unlimited"
-                ulimit -c unlimited
-        else
-                ulimit -c 0
-        fi
-        PROCESS_NUM=`ps -ef | grep "wannat_natgw" | grep -v "grep" | wc -l` 
-#       echo $PROCESS_NUM
-        if [ $PROCESS_NUM -lt 1 ]
-        then
-		./wannat_natgw &
-		sleep 1
-		ifconfig tun_natgw 192.168.1.254/24 up
-		ifconfig tun_natgw mtu 2000
-		ethtool -K tun_natgw gro off
-		ethtool -K tun_natgw gso off
-		ethtool -K tun_natgw tso off
-				
-		ip rule add from  {{wannat_global.common.vpn_client_ip_cidr}}  table 1001
-		ip route add default via 192.168.1.253 table 1001
-		echo program crashed, restart at `date +"%w %Y/%m/%d, %H:%M:%S"` >> RESTART.log
-        fi
-    sleep 30
-done

roles/natgw/templates/natgw.conf.j2

@@ -2,11 +2,11 @@
 logger_conf=./conf/natgw_log.conf
 logger_path=./log/natgw_log
 #0:vxlan;1:socket_test
-run_type={{wannat_global.natgw.run_type}}
+run_type=0
 #0:nerver;1:LRU
 cache_overflow_elimination_mode=1
 #0:only conpare country;1:compare country and province
-location_compare_type=1
+location_compare_type={{wannat_global.natgw.location_compare_type}}
 country_location={{wannat_global.natgw.country_location}}
 province_location={{wannat_global.natgw.province_location}}
 hash_max_elem_num=100000
@@ -18,7 +18,7 @@ compile_tableinfo_path=./conf/compile_tableinfo.conf
 max_thread_num=10
 json_cfg_file=./conf/natgw_test.json
 #0:maat_json;1:maat_redis
-config_type={{wannat_global.natgw.config_type}}
+config_type=1
 
 [NATGW_CONVERT]
 snat_mask_ip=192.168.50.147
@@ -26,7 +26,7 @@ wannat_ip={{wannat_global.natgw.wannat_ip}}
 wannat_port={{wannat_global.natgw.wannat_port}}
 dnat_mask_ip=10.10.10.10
 natgw_bind_port={{wannat_global.natgw.natgw_bind_port}}
-device={{wannat_global.natgw.device}}
+device={{wannat_global.natgw.layer2_gateway_device}}
 
 
 [NATGW_SNAT]

roles/natgw/templates/natgw.service.j2

@@ -7,7 +7,6 @@ Type=notify
 WorkingDirectory=/opt/tsg/wannat/natgw
 ExecStart=/opt/tsg/wannat/natgw/wannat_natgw
 
-#ExecStartPost=/bin/sh -c "sysctl -w net.ipv4.ip_forward=0"
 #pptp vpn mode must set ipv4.ip_forward=1
 ExecStartPost=/bin/sh -c "sysctl -w net.ipv4.ip_forward=1"
 ExecStartPost=/bin/sh -c "ifconfig tun_natgw 100.64.1.254/24 up"
@@ -21,7 +20,10 @@ ExecStartPost=/bin/sh -c "ethtool -K {{wannat_global.natgw.device}} tso off"
 
 ExecStartPost=/bin/sh -c "ip rule add from {{wannat_global.common.vpn_client_ip_cidr}} table 1001"
 ExecStartPost=/bin/sh -c "ip route add default via 100.64.1.253 table 1001"
-#ExecStartPost=/bin/sh -c "iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP"
+
+ExecStartPost=/bin/sh -c "iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -s {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP"
+ExecStartPost=/bin/sh -c "iptables -I OUTPUT -p icmp --icmp-type redirect -s {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP"
+ExecStartPost=/bin/sh -c "iptables -I FORWARD ! -d {{wannat_global.natgw.ctrl_device_ip_addr}}  -j DROP"
 
 TimeoutSec=300s
 RestartSec=10s