In a typical office network, the hosts do not have public IP addresses, but they can still reach the Internet through a router (gateway) that does have one; all the router needs for this is NAT and packet forwarding. A device with such a function can, of course, be replaced by an ordinary computer.
The following is the simplest model:
Host A (server side):
NIC 1: intranet IP address 1
NIC 2: public IP address 3, or an IP address 3 that can reach the Internet
Host B (client):
NIC 1: intranet IP address 2
For host B to reach the Internet through host A, host B only needs to set host A as its gateway, and host A rewrites (masquerades) the packets from host B so that they appear to come from the IP address of host A's NIC 2 (SNAT).
The same applies in a cloud host environment: as long as the two cloud hosts are connected on an internal network, the second cloud host can reach the Internet through the first. If the two cloud hosts' networks are not directly connected but can be joined through a VPN, this can be implemented as well.
(a) The following is an example of two hosts accessing the Internet through a direct intranet IP connection.
Host A (server side):
NIC 1: 10.20.0.128 (eth0, no Internet access)
NIC 2: 192.168.1.52 (eth1, Internet access)
Host B (client):
NIC 1: 10.20.0.129 (eth0, no Internet access)
Host A operations:
Turn on the kernel forwarding function:
sysctl -w net.ipv4.conf.default.accept_source_route=1
sysctl -w net.ipv4.conf.default.rp_filter=0
sysctl -w net.ipv4.ip_forward=1
Configure the iptables NAT (masquerade) rule for host B's subnet, leaving via the Internet-facing NIC:
modprobe iptable_nat
iptables -t nat -A POSTROUTING -s 10.20.0.0/24 -o eth1 -j MASQUERADE
Delete the default iptables rule that rejects forwarding:
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
Host B operations:
Configure the default gateway to be the address of host A's NIC 1:
route add -host 10.20.0.128/32 dev eth0
route add default gw 10.20.0.128 dev eth0
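The following script is an added example, not part of the original post: it checks whether a host actually carries the gateway configuration described above (the MASQUERADE rule present, the blanket REJECT gone from FORWARD, ip_forward on), and flags the two sysctl settings the procedure loosens. It reads text in iptables-save and sysctl -a format, so it works on live output or on the constructed samples embedded below; the subnet and interface names are the ones from example (a).

```shell
#!/bin/sh
# Added example, not from the original post: audit whether a host is set up as
# the SNAT gateway described above. Functions take text in iptables-save /
# sysctl -a format, so they run on live output or the constructed samples below.
LAN_NET="10.20.0.0/24"   # host B's subnet in example (a); 10.8.0.0/24 for the VPN in (b)
WAN_IF="eth1"            # host A's Internet-facing NIC

# 0 if the MASQUERADE rule exists and FORWARD has no blanket REJECT, else 1
audit_nat() {
    printf '%s\n' "$1" | grep -q -- "^-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE" \
        || { echo "missing: MASQUERADE for $LAN_NET via $WAN_IF"; return 1; }
    printf '%s\n' "$1" | grep -q -- '^-A FORWARD -j REJECT' \
        && { echo "blocking: blanket REJECT still in FORWARD chain"; return 1; }
    return 0
}

# 0 if forwarding is on; also warn about the two settings the post loosens,
# which a NAT gateway does not need and which weaken it
audit_sysctl() {
    val() { printf '%s\n' "$1" | sed -n "s/^$2 *= *//p"; }
    [ "$(val "$1" net.ipv4.ip_forward)" = "1" ] \
        || { echo "missing: net.ipv4.ip_forward=1"; return 1; }
    [ "$(val "$1" net.ipv4.conf.default.accept_source_route)" = "1" ] \
        && echo "warn: accept_source_route=1 honours source-routed packets"
    [ "$(val "$1" net.ipv4.conf.default.rp_filter)" = "0" ] \
        && echo "warn: rp_filter=0 disables reverse-path filtering"
    return 0
}

# constructed iptables-save output after the host A steps above
GOOD_NAT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.20.0.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
# constructed output of a stock CentOS 6 host: REJECT present, no NAT rule
BAD_NAT='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'
GOOD_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.default.rp_filter = 0'

audit_nat "$GOOD_NAT" && audit_sysctl "$GOOD_SYSCTL" && echo "host A: gateway rules present"
audit_nat "$BAD_NAT" || echo "host A: not a gateway yet"
```

On a live host, call the functions with `audit_nat "$(iptables-save)"` and `audit_sysctl "$(sysctl -a 2>/dev/null)"`; ip_forward is the only setting the gateway needs, so the two warnings are worth acting on.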
(b) The following is an example of two hosts connecting to the Internet through an OpenVPN connection.
Host A (server side, CentOS 6.x):
NIC 1: 10.20.0.128 (eth0, no Internet access)
NIC 2: 192.168.1.52 (eth1, Internet access)
Host B (client, CentOS 6.x):
NIC 1: 10.20.0.129 (eth0, no Internet access)
Host A operations:
Install OpenVPN and Easy-RSA (for the OpenVPN installation you can also refer to "CentOS6.7 installation OpenVPN server"):
yum -y install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum -y install openssl openvpn
cd /etc/openvpn
git clone https://github.com/openvpn/easy-rsa.git
cd /etc/openvpn/easy-rsa/
git checkout v2.2.1    # check out the 2.x tag; the original "git checkout -b v2.2.1" would only create a new branch at the current HEAD
cp -r easy-rsa/2.0 /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa/2.0/
vim vars
Set the following variables in vars (the KEY_* values are the certificate subject fields used in this example):
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="Shandong"
export KEY_CITY="QingDao"
export KEY_ORG="51devops"
export KEY_EMAIL="[email protected]"
export KEY_OU="Ops"
export KEY_NAME="51devops"
Generate the OpenVPN CA, server certificate, DH parameters and client certificate:
source vars
./clean-all
./pkitool --initca
./pkitool --server node1.51devops.com
./build-dh
# ./build-key node1.51devops.com    (not needed; the server certificate was built above with pkitool --server)
./build-key node2.51devops.com
chmod 400 /etc/openvpn/easy-rsa/2.0/keys/node1.51devops.com.key
Write the configuration file for the OpenVPN server side:
vim /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/node1.51devops.com.crt
key /etc/openvpn/easy-rsa/2.0/keys/node1.51devops.com.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist clientiplist.txt
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
Start OpenVPN, check that it is running, and open the listening port in iptables:
service openvpn start
service openvpn status
ifconfig tun0
cat /var/log/openvpn.log
cat /var/log/openvpn-status.log
iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
# iptables -I INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT    (only if proto udp is used instead)
iptables-save || service iptables status    # either one shows the current rules
service iptables save
Edit the kernel parameters to enable the forwarding feature:
vim /etc/sysctl.conf
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.ip_forward = 1
sysctl -p    # apply the edited file
Or set them directly:
sysctl -w net.ipv4.conf.default.accept_source_route=1
sysctl -w net.ipv4.conf.default.rp_filter=0
sysctl -w net.ipv4.ip_forward=1
Configure iptables: add the SNAT rule for the VPN subnet and remove the forwarding reject rule:
modprobe iptable_nat
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
service iptables save || iptables-save > /etc/sysconfig/iptables
Tip: you can also flush all iptables rules and add explicit allow rules instead, which avoids the default reject rules altogether.
The NAT table can be inspected with the command iptables -t nat -nL -v.
iptables -t nat -A POSTROUTING -s 10.20.0.0/24 -o eth1 -j MASQUERADE
Configuring host B (client)
Install the OpenVPN client:
yum -y install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum -y install openssl openvpn
Edit the OpenVPN client configuration file:
vim /etc/openvpn/client.conf
# ca.crt and the node2 certificate and key are generated on host A (under /etc/openvpn/easy-rsa/2.0/keys/) and must be copied to /etc/openvpn/ on host B
client
dev tun
port 1194
proto tcp
remote 10.20.0.128 1194
resolv-retry infinite
nobind
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/node2.51devops.com.crt
key /etc/openvpn/node2.51devops.com.key
remote-cert-tls server
script-security 3
ns-cert-type server
comp-lzo adaptive
verb 3
mute 20
Restrict the permissions on the private key so that only its owner can read it, with no access for group members or others:
chmod 400 /etc/openvpn/node2.51devops.com.key
service openvpn restart
Configure routing so that the default route goes through the tunnel:
route add -host 10.8.0.1/32 dev tun0
route add default gw 10.8.0.1 dev tun0
Test the connection (first the VPN server's tunnel address, then a public address):
ping -c 4 10.8.0.1
ping -c 4 114.114.114.114
Before the OpenVPN connection will work, note that the certificates must be configured correctly, the clocks of both hosts must be synchronized, the software versions on both sides should preferably match, and the OpenSSL package should be upgraded to the latest version.
Tags: Linux network, OpenVPN configuration, iptables SNAT
This article is from "Communication, My Favorites" blog, please make sure to keep this source http://dgd2010.blog.51cto.com/1539422/1812745
How to configure a cloud host with no public IP address to access the Internet