How to configure a cloud host with no public IP address to access the Internet

Source: Internet
Author: User

In a typical office network, none of the hosts has a public IP address of its own, yet all of them can reach the Internet through a router (gateway) that does have one; the only capabilities the gateway needs are NAT and packet forwarding. A device with those capabilities can, of course, be replaced by an ordinary computer.

The following is the simplest model:

Host A (server side):

NIC 1: intranet IP address 1

NIC 2: public IP address 3, or any address 3 from which the Internet is reachable

Host B (client):

NIC 1: intranet IP address 2

For Host B to reach the Internet through Host A, Host B only has to set Host A as its default gateway, and Host A rewrites the source address of packets coming from Host B to the address of its own NIC 2 (SNAT).

A cloud host environment is no different: as long as the internal networks of the two cloud hosts are connected, the second cloud host can reach the Internet through the first. If the two networks are not directly connected but can be joined over a VPN, the same setup still works.

(a) The following is an example of two hosts accessing the Internet through an intranet IP direct connection.

Host A (server side):

NIC 1: 10.20.0.128 (eth0, no Internet access)

NIC 2: 192.168.1.52 (eth1, Internet access)

Host B (client):

NIC 1: 10.20.0.129 (eth0, no Internet access)

Host A operations:

Enable the kernel forwarding parameters:

    # only ip_forward is required for NAT forwarding; the author also accepts
    # source-routed packets and disables reverse-path filtering, which most
    # hardening guides leave at their defaults (0 and 1 respectively)
    sysctl -w net.ipv4.conf.default.accept_source_route=1
    sysctl -w net.ipv4.conf.default.rp_filter=0
    sysctl -w net.ipv4.ip_forward=1

To configure iptables NAT rules:

    modprobe iptable_nat
    # masquerade everything from the intranet subnet that leaves via eth1
    iptables -t nat -A POSTROUTING -s 10.20.0.0/24 -o eth1 -j MASQUERADE

Delete the iptables rule that rejects forwarding (present in the stock CentOS rule set):

    iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited

Host B Operations:

Set the default gateway to the address of Host A's NIC 1:

    route add -host 10.20.0.128/32 dev eth0
    route add default gw 10.20.0.128 dev eth0

(b) The following is an example of two hosts connecting to the Internet through an OpenVPN connection.

Host A (server side, CentOS 6.x):

NIC 1: 10.20.0.128 (eth0, no Internet access)

NIC 2: 192.168.1.52 (eth1, Internet access)

Host B (client, CentOS 6.x):

NIC 1: 10.20.0.129 (eth0, no Internet access)

Host A operations:

Install OpenVPN (for the installation you can also refer to "CentOS6.7 installation OpenVPN server"):

    yum -y install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
    yum -y install openssl openvpn
    cd /etc/openvpn
    git clone https://github.com/openvpn/easy-rsa.git
    cd /etc/openvpn/easy-rsa/
    # check out the tagged release (the original "git checkout -b v2.2.1" only
    # creates a new branch from the current HEAD and does not switch to the tag)
    git checkout v2.2.1
    cp -r easy-rsa/2.0 /etc/openvpn/easy-rsa/
    cd /etc/openvpn/easy-rsa/2.0/
    vim vars

    export EASY_RSA="`pwd`"
    export OPENSSL="openssl"
    export PKCS11TOOL="pkcs11-tool"
    export GREP="grep"
    export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
    export KEY_DIR="$EASY_RSA/keys"
    echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
    export PKCS11_MODULE_PATH="dummy"
    export PKCS11_PIN="dummy"
    export KEY_SIZE=2048
    export CA_EXPIRE=3650
    export KEY_EXPIRE=3650
    export KEY_COUNTRY="CN"
    export KEY_PROVINCE="Shandong"
    export KEY_CITY="QingDao"
    export KEY_ORG="51devops"
    export KEY_EMAIL="[email protected]"   # address redacted in the source
    export KEY_OU="Ops"
    export KEY_NAME="51devops"

Generate the OpenVPN certificates and keys:

    source vars
    ./clean-all                             # wipes $KEY_DIR
    ./pkitool --initca                      # CA certificate and key
    ./pkitool --server node1.51devops.com   # server certificate
    ./build-dh                              # Diffie-Hellman parameters (dh2048.pem)
    # ./build-key node1.51devops.com
    ./build-key node2.51devops.com          # client certificate
    chmod 400 /etc/openvpn/easy-rsa/2.0/keys/node1.51devops.com.key

Write a configuration file for the OpenVPN server side:

    vim /etc/openvpn/server.conf

    port 1194
    proto tcp
    dev tun
    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    cert /etc/openvpn/easy-rsa/2.0/keys/node1.51devops.com.crt
    key /etc/openvpn/easy-rsa/2.0/keys/node1.51devops.com.key
    dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist clientiplist.txt
    client-to-client
    duplicate-cn            # lets several clients connect with the same certificate
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status /var/log/openvpn-status.log
    log /var/log/openvpn.log
    log-append /var/log/openvpn.log
    verb 3

Start OpenVPN and configure iptables:

    service openvpn start
    service openvpn status
    ifconfig tun0                     # tun0 should now be up with 10.8.0.1
    cat /var/log/openvpn.log
    cat /var/log/openvpn-status.log
    # accept new OpenVPN connections on TCP 1194 (as set in server.conf)
    iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
    # UDP variant, only needed if server.conf uses proto udp:
    # iptables -I INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
    iptables-save                     # review the live rule set
    service iptables status
    service iptables save             # persist to /etc/sysconfig/iptables

Edit the kernel parameters to enable forwarding:

    vim /etc/sysctl.conf

    net.ipv4.conf.default.accept_source_route = 1
    net.ipv4.conf.default.rp_filter = 0
    net.ipv4.ip_forward = 1

Or:

    sysctl -w net.ipv4.conf.default.accept_source_route=1
    sysctl -w net.ipv4.conf.default.rp_filter=0
    sysctl -w net.ipv4.ip_forward=1

Configure iptables: the SNAT and forward rules:

    modprobe iptable_nat
    # masquerade the VPN subnet when it leaves via eth1
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
    # remove the stock rule that rejects all forwarded traffic
    iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
    service iptables save || iptables-save > /etc/sysconfig/iptables

Tip: you can also flush all iptables rules and add only allow rules, so that no reject rule gets in the way.

The NAT table can be viewed with the command iptables -t nat -nL -v. The masquerade rule for the intranet subnet from section (a) looks like this:

    iptables -t nat -A POSTROUTING -s 10.20.0.0/24 -o eth1 -j MASQUERADE
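As an added example that is not part of the original post, and covering the gateway steps of both section (a) and section (b): a small shell audit that checks an iptables-save dump and sysctl output for the MASQUERADE rule, the deleted FORWARD REJECT, and ip_forward, and flags the accept_source_route setting as unnecessary for NAT. The dumps and sysctl text are constructed samples, not captures from the author's hosts; the rule strings follow the commands in the text.

```shell
#!/bin/sh
# Added example (not from the original post): audit the gateway settings that
# sections (a) and (b) configure on Host A. The iptables-save and sysctl texts
# below are constructed samples, not captures from the author's hosts.
# Succeeds when the dump has a MASQUERADE rule for subnet $2 leaving $3 and the
# FORWARD chain no longer carries the unconditional REJECT the text deletes.
audit_dump() {
    dump=$1; subnet=$2; iface=$3
    printf '%s\n' "$dump" | grep -Fq -- "-A POSTROUTING -s $subnet -o $iface -j MASQUERADE" || {
        echo "missing: nat POSTROUTING MASQUERADE for $subnet via $iface"; return 1; }
    if printf '%s\n' "$dump" | grep -Fq -- '-A FORWARD -j REJECT'; then
        echo "blocked: unconditional REJECT still in FORWARD"; return 1
    fi
    echo "ok: $subnet is masqueraded out of $iface"
}
# Succeeds when ip_forward=1. Source routing is only reported: NAT forwarding
# does not need accept_source_route=1, and hardening guides set it to 0.
audit_sysctl() {
    printf '%s\n' "$1" | grep -Fxq 'net.ipv4.ip_forward = 1' || {
        echo "missing: net.ipv4.ip_forward = 1"; return 1; }
    if printf '%s\n' "$1" | grep -Fxq 'net.ipv4.conf.default.accept_source_route = 1'; then
        echo "warn: accept_source_route = 1 is not needed for forwarding"
    fi
    return 0
}
# Constructed dump after the steps in (b): VPN subnet masqueraded, REJECT removed.
GOOD_DUMP='*nat
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
COMMIT'
# Constructed dump where the stock CentOS 6 FORWARD reject was never deleted.
STOCK_DUMP='*nat
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'
# Constructed sysctl output matching the three values the text sets.
SYSCTL_PAGE='net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.ip_forward = 1'
audit_sysctl "$SYSCTL_PAGE"
audit_dump "$GOOD_DUMP" 10.8.0.0/24 eth1
audit_dump "$STOCK_DUMP" 10.8.0.0/24 eth1 || echo "fix: iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited"
```

On a real gateway, feed the functions the output of iptables-save and of sysctl -a instead of the constructed strings.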

Configuring Host B (client)

Install the OpenVPN client:

    yum -y install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
    yum -y install openssl openvpn

Edit the OpenVPN client configuration file:

    vim /etc/openvpn/client.conf

    client
    dev tun
    port 1194
    proto tcp
    remote 10.20.0.128 1194
    resolv-retry infinite
    nobind
    persist-tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/node2.51devops.com.crt
    key /etc/openvpn/node2.51devops.com.key
    remote-cert-tls server
    script-security 3       # level 2 is enough when no scripts are used
    ns-cert-type server
    comp-lzo adaptive
    verb 3
    mute 20

Reduce the permissions on the certificate files (ca.crt and the node2 certificate and key, copied over from Host A's /etc/openvpn/easy-rsa/2.0/keys/) so that only the owner can read them and neither the group nor other users have access:

    chmod 400 /etc/openvpn/node2.51devops.com.key
    service openvpn restart

Configure routing:

    route add -host 10.8.0.1/32 dev tun0
    route add default gw 10.8.0.1 dev tun0

Test the connection:

    ping -c4 10.8.0.1           # the VPN server end of the tunnel
    ping -c4 114.114.114.114    # a public address, proving NAT forwarding works

Before the OpenVPN connection can come up, note that the certificates must be configured correctly, the clocks of both hosts must be synchronized, the software versions should ideally be identical, and the OpenSSL package should be upgraded to the latest version.

Tags: Linux network, OpenVPN configuration, iptables SNAT

--end--

This article is from the "Communication, My Favorites" blog; please keep this source: http://dgd2010.blog.51cto.com/1539422/1812745
