Shulou(Shulou.com)06/01 Report--

Due to the increasing tension of public network IP resources, many operators now allocate only intranet IP addresses to dial-up Internet users, as shown in the following figure:

Such an operator's intranet IP is unreachable (i.e., dynamic domain names do not work). However, due to business needs, such as virtual local area network networking, office OA system, ERP system, etc., enterprises need public network IP to realize it. There are currently three main solutions for public IP:

Apply for a fixed IP line. Stability and speed are guaranteed, the disadvantage is high cost.

Cloud solutions. Move all business hosts to the cloud and access them directly through the cloud host. The cost is relatively low. The disadvantage is that the cloud host cannot be maintained locally, and the relocation workload is not small.

Cloud host + intranet penetration solution. Through the cloud host as a springboard to achieve intranet penetration, it can not only reuse the existing business system, but also solve the problem of public network IP. The third option has the lowest cost, but is more complex to configure. The third option will be described in detail in this article.

How to realize ××× networking without public IP? In this article, we introduce the virtual local area network networking part. The program we are going to introduce is divided into two steps: 1). A virtual local area network is established between the local local area network and the cloud host. 2). Configure firewall rules for intranet penetration on cloud hosts. The specific steps are as follows:

1. Building a virtual local area network

First of all, install virtual local area network software on cloud host, configure ca certificate, etc. There are already many introductions on network, so I won't repeat them. Below is the final server-side config file.

Then there is client configuration. In the client of WSG, configure the IP and port of the cloud host, username and password, etc. Successful networking can be achieved. As shown in the figure:

2. Firewall rules for intranet penetration

After the virtual local area network is established, the local local area network and the cloud host are located in the same local area network. We configure some firewall rules through iptables to redirect external network access to the interior of the local area network; the principle and port mapping are the same. The order reads as follows:

Each intranet penetration (port mapping) consists of two iptables commands:

DNAT：iptables -t nat -A PREROUTING -p tcp --dport xx -j DNAT --to-dest x.x.x.x

SNAT：iptables -t nat -A POSTROUTING -d x.x.x.x -p tcp --dport xx -j SNAT --to-source y.y.y.y

where x.x is the IP address of the intranet host in the local area network, and y. y.y is the intranet IP segment of the cloud host.

After the above configuration, directly accessing the corresponding port of the cloud host can penetrate into the intranet. This scheme uses iptables to do packet forwarding, does not need to maintain the connection to do reverse proxy, stability and speed are much better than frp reverse proxy. To add rules automatically at boot, just add these two iptables commands to/etc/rc.local.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.