Applying NAT Rules if CSO Is Deployed Behind NAT
If you have deployed Contrail Service Orchestration (CSO) behind NAT, you must apply NAT rules after you run the setup_assist.sh script on the central and regional hosts. The NAT rule set determines the direction of the traffic to be processed.
If you do not apply NAT rules after you install or upgrade CSO, you cannot access the Administration Portal, the Kibana UI, or the Rabbit MQ console.
To apply NAT rules:
- Log in to the installer VM as root.
- Apply NAT rules for central and regional NAT servers.
To quickly apply the NAT rules for central NAT servers:
Copy the following commands and paste them into a text file.
iptables -t nat -A PREROUTING -p tcp -d central-nat-server-public-ip-address --dport 443 -j DNAT --to-destination northbound-virtual-private-ip-address:443
iptables -t nat -A PREROUTING -p tcp -d central-nat-server-public-ip-address --dport 35357 -j DNAT --to-destination northbound-virtual-private-ip-address:35357
iptables -t nat -A PREROUTING -p tcp -d central-nat-server-public-ip-address --dport 5601 -j DNAT --to-destination northbound-virtual-private-ip-address:5601
iptables -t nat -A PREROUTING -p tcp -d central-nat-server-public-ip-address --dport 9200 -j DNAT --to-destination northbound-virtual-private-ip-address:9200
iptables -t nat -A PREROUTING -p tcp -d central-nat-server-public-ip-address --dport 1947 -j DNAT --to-destination northbound-virtual-private-ip-address:1947
You must specify IP addresses in the commands to match your network configuration.
Copy and paste the updated commands into the CLI.
To quickly apply the NAT rules for regional NAT servers:
Copy the following commands and paste them into a text file.
iptables -t nat -A POSTROUTING -o virbr0 -p tcp --dport 5601 -d northbound-virtual-private-ip-address -j SNAT --to-source regional-management-interface-ip-address
iptables -t nat -A PREROUTING -p tcp -d regional-nat-server-public-ip-address --dport 5601 -j DNAT --to-destination northbound-virtual-private-ip-address:5601
iptables -t nat -A POSTROUTING -o virbr0 -p tcp --dport 7804 -d northbound-virtual-private-ip-address -j SNAT --to-source regional-management-interface-ip-address
iptables -t nat -A PREROUTING -p tcp -d regional-nat-server-public-ip-address --dport 7804 -j DNAT --to-destination northbound-virtual-private-ip-address:7804
iptables -t nat -A POSTROUTING -o virbr0 -p tcp --dport 3514 -d southbound-virtual-private-ip-address -j SNAT --to-source regional-management-interface-ip-address
iptables -t nat -A PREROUTING -p tcp -d regional-nat-server-public-ip-address --dport 3514 -j DNAT --to-destination southbound-virtual-private-ip-address:3514
iptables -t nat -A POSTROUTING -o virbr0 -p tcp --dport 514 -d southbound-virtual-private-ip-address -j SNAT --to-source regional-management-interface-ip-address
iptables -t nat -A PREROUTING -p tcp -d regional-nat-server-public-ip-address --dport 514 -j DNAT --to-destination southbound-virtual-private-ip-address:514
iptables -t nat -A POSTROUTING -o virbr0 -p tcp --dport 443 -d southbound-virtual-private-ip-address -j SNAT --to-source regional-management-interface-ip-address
iptables -t nat -A PREROUTING -p tcp -d regional-nat-server-public-ip-address --dport 443 -j DNAT --to-destination northbound-virtual-private-ip-address:443
iptables -t nat -A PREROUTING -d regional-nat-server-public-ip-address/32 -p tcp -m tcp --dport 2216 -j DNAT --to-destination southbound-virtual-private-ip-address:2216
iptables -t nat -A POSTROUTING -d southbound-virtual-private-ip-address/32 -o virbr0 -p tcp -m tcp --dport 2216 -j SNAT --to-source regional-management-interface-ip-address
You must specify IP addresses in the commands to match your network configuration.
Copy and paste the updated commands into the CLI.
The NAT rules are now applied for the central and regional NAT servers, and you can access the Administration Portal, the Kibana UI, and the Rabbit MQ console.
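Hand-editing the pasted commands is where mistakes such as a dropped space before --dport creep in. The following script is an added example, not part of the CSO documentation or Juniper's tooling: it builds the central NAT server rule set from two validated addresses, prints it for review, and only executes it when explicitly asked. The function name, the "apply" argument and the addresses used at the bottom are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the CSO documentation: generate the central NAT
# server DNAT rules from two variables instead of hand-editing the pasted
# commands, and validate the addresses first. The ports are the ones the
# page lists for the central NAT server; the addresses used at the bottom
# are constructed placeholders for illustration.

CENTRAL_PORTS="443 35357 5601 9200 1947"

# Return 0 for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;   # only digits and dots allowed
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Usage: cso_central_nat_rules PUBLIC_IP NORTHBOUND_VIP [apply]
# Without "apply" the rules are only printed (safe dry run); with it they
# are executed, which requires root on the central NAT server.
cso_central_nat_rules() {
    public_ip=$1; vip=$2; mode=${3:-print}
    if ! valid_ipv4 "$public_ip" || ! valid_ipv4 "$vip"; then
        echo "cso_central_nat_rules: invalid IPv4 address" >&2
        return 1
    fi
    for port in $CENTRAL_PORTS; do
        rule="iptables -t nat -A PREROUTING -p tcp -d $public_ip --dport $port -j DNAT --to-destination $vip:$port"
        if [ "$mode" = apply ]; then
            $rule || return 1          # stop on the first rule that fails
        else
            printf '%s\n' "$rule"
        fi
    done
}

# Dry run with constructed placeholder addresses; review the output, then
# re-run with a third argument of "apply" on the NAT server as root.
# Afterwards, "iptables -t nat -S PREROUTING" lists the installed rules.
cso_central_nat_rules 203.0.113.10 10.10.10.5
```

The regional rule set follows the same pattern with SNAT/DNAT pairs per port, so the same validate-then-print-then-apply flow can be reused for it.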
