2025-04-08 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
Leaving the CVM (cloud virtual machine) environment aside for the moment: the hosts in an office network usually have no public IP address of their own, but they can reach the Internet through a router (gateway) that does have one. All the gateway needs is NAT and packet forwarding, so a computer with two network interfaces can of course take its place.
Here is the simplest model:
Host A (server):
  NIC 1: intranet IP address 1
  NIC 2: public IP address 3, or an IP address 3 that can reach the Internet
Host B (client):
  NIC 1: intranet IP address 2
For host B to reach the Internet through host A, host B only has to use host A as its gateway, and host A has to rewrite the source address of host B's packets to the address of its own NIC 2 before sending them out (source NAT, sNAT).
The same holds in a CVM environment: as long as the private network between the two CVMs is connected and one of them can reach the Internet, the other can go out through it. If the private networks of the two CVMs are not connected, a VPN tunnel between them provides the connection, and the same result is achieved.
(1) The following example simulates Internet access between two hosts that are connected directly over their private-network IP addresses.
Host A (server):
  NIC 1: 10.20.0.128 (eth0, no Internet access)
  NIC 2: 192.168.1.52 (eth2, Internet access)
Host B (client):
  NIC 1: 10.20.0.129 (eth0, no Internet access)
Host A operation:
Enable IP forwarding in the kernel:
  sysctl -w net.ipv4.conf.default.accept_source_route=1
  sysctl -w net.ipv4.conf.default.rp_filter=0
  sysctl -w net.ipv4.ip_forward=1
  # only ip_forward is required for NAT; the first two lines loosen the kernel's own
  # source-address checks (source routing accepted, reverse-path filter off)
Configure the iptables NAT rule (source NAT for the 10.20.0.0/24 subnet when it leaves through eth2):
  modprobe iptable_nat
  iptables -t nat -A POSTROUTING -s 10.20.0.0/24 -o eth2 -j MASQUERADE
Delete the iptables rule that rejects forwarding (the CentOS default FORWARD chain ends with this rule):
  iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
Host B operation:
Configure the default gateway to be the NIC 1 address of host A:
  route add -host 10.20.0.128 dev eth0
  route add default gw 10.20.0.128 dev eth0
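As an added check (example code written for this article, not part of the original post), the following Python script audits host A after the steps above: it parses iptables-save output and the three sysctl values and reports what still blocks forwarding, what NAT rule is missing, and which of the sysctl changes are loosening the host without being needed. The iptables-save text and the sysctl values are constructed samples that mirror a CentOS host right after the commands above, with the default FORWARD REJECT rule not yet deleted; the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: what `iptables-save` prints on a CentOS 6 gateway after the
# MASQUERADE rule has been added but the default FORWARD REJECT rule still exists.
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save v1.4.7 (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.20.0.0/24 -o eth2 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed sample of the three sysctl values the article sets on host A.
SAMPLE_SYSCTL = {
    "net.ipv4.ip_forward": 1,
    "net.ipv4.conf.default.rp_filter": 0,
    "net.ipv4.conf.default.accept_source_route": 1,
}


def parse_iptables_save(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {table: {chain: [rule, ...]}} from iptables-save output."""
    tables: Dict[str, Dict[str, List[str]]] = {}
    table = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # "*nat" starts a table
            table = line[1:]
            tables.setdefault(table, {})
        elif line.startswith(":") and table:          # ":FORWARD ACCEPT [0:0]" declares a chain
            chain = line[1:].split()[0]
            tables[table].setdefault(chain, [])
        elif line.startswith("-A ") and table:        # "-A CHAIN <rule>" appends a rule
            chain, _, rule = line[3:].partition(" ")
            tables[table].setdefault(chain, []).append(rule)
    return tables


def audit_gateway(iptables_text: str, sysctl: Dict[str, int],
                  lan_cidr: str, wan_if: str) -> List[str]:
    """Return findings for a NAT gateway; an empty list means the setup is complete and tight."""
    findings: List[str] = []
    tables = parse_iptables_save(iptables_text)

    if sysctl.get("net.ipv4.ip_forward") != 1:
        findings.append("ip_forward is off: packets from the LAN are dropped, not routed")

    # sNAT: a MASQUERADE rule for the LAN prefix leaving via the Internet-facing NIC.
    post = tables.get("nat", {}).get("POSTROUTING", [])
    want = f"-s {lan_cidr} -o {wan_if} -j MASQUERADE"
    if want not in post:
        findings.append(f"no MASQUERADE rule for {lan_cidr} out {wan_if} in nat/POSTROUTING")

    # Forwarding: a REJECT/DROP in FORWARD with no match conditions blocks everything.
    forward = tables.get("filter", {}).get("FORWARD", [])
    for idx, rule in enumerate(forward):
        if re.match(r"-j (REJECT|DROP)\b", rule):
            findings.append(f"FORWARD rule {idx + 1} rejects all forwarded traffic: {rule}")
            break

    # Settings the article loosens that a NAT gateway does not need.
    if sysctl.get("net.ipv4.conf.default.rp_filter") == 0:
        findings.append("rp_filter=0 disables reverse-path checks; keep it at 1 unless "
                        "asymmetric routing requires otherwise")
    if sysctl.get("net.ipv4.conf.default.accept_source_route") == 1:
        findings.append("accept_source_route=1 honours source-routed packets; NAT does not need it")
    return findings


if __name__ == "__main__":
    for finding in audit_gateway(SAMPLE_IPTABLES_SAVE, SAMPLE_SYSCTL, "10.20.0.0/24", "eth2"):
        print("-", finding)
```

On a real gateway, feed the script the output of `iptables-save` and the values from `sysctl -n` for the three keys; an empty result means forwarding is enabled, the MASQUERADE rule is in place, the FORWARD chain no longer rejects everything, and the two unneeded loosenings have been reverted.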
(2) The following example simulates Internet access between two hosts that are connected through an OpenVPN tunnel.
Host A (server, CentOS 6.x):
  NIC 1: 10.20.0.128 (eth0, no Internet access)
  NIC 2: 192.168.1.52 (eth2, Internet access)
Host B (client, CentOS 6.x):
  NIC 1: 10.20.0.129 (eth0, no Internet access)
Host A operation:
Install OpenVPN (for the installation itself you can also refer to "CentOS6.7 install OpenVPN server"):
  yum -y install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
  yum -y install openssl openvpn
  cd /etc/openvpn
  git clone https://github.com/OpenVPN/easy-rsa.git
  cd /etc/openvpn/easy-rsa/
  git checkout v2.2.1    # the 2.2.1 tag, so that the easy-rsa/2.0 tree copied below is present
  cp -r easy-rsa/2.0 /etc/openvpn/easy-rsa/
  cd /etc/openvpn/easy-rsa/2.0/
  vim vars
Contents of vars:
  export EASY_RSA="`pwd`"
  export OPENSSL="openssl"
  export PKCS11TOOL="pkcs11-tool"
  export GREP="grep"
  export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
  export KEY_DIR="$EASY_RSA/keys"
  echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
  export PKCS11_MODULE_PATH="dummy"
  export PKCS11_PIN="dummy"
  export KEY_SIZE=2048
  export CA_EXPIRE=3650
  export KEY_EXPIRE=3650
  export KEY_COUNTRY="CN"
  export KEY_PROVINCE=""    # left empty in the original; pkitool expects every KEY_* field to be set
  export KEY_CITY="QingDao"
  export KEY_ORG="51devops"
  export KEY_EMAIL="uberurey_ups@163.com"
  export KEY_OU="Ops"
  export KEY_NAME="51devops"
Generate the OpenVPN CA, server and client certificates and keys:
  source vars
  ./clean-all
  ./pkitool --initca
  ./pkitool --server node1.51devops.com
  ./build-dh                           # writes keys/dh2048.pem for KEY_SIZE=2048
  # ./build-key node1.51devops.com     # not needed: pkitool --server already issued it
  ./build-key node2.51devops.com
  chmod 400 /etc/openvpn/easy-rsa/2.0/keys/node1.51devops.com.key
Write the configuration file for the OpenVPN server:
  vim /etc/openvpn/server.conf
Contents:
  port 1194
  proto tcp
  dev tun
  ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
  cert /etc/openvpn/easy-rsa/2.0/keys/node1.51devops.com.crt
  key /etc/openvpn/easy-rsa/2.0/keys/node1.51devops.com.key
  # build-dh with KEY_SIZE=2048 produces dh2048.pem
  dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
  server 10.8.0.0 255.255.255.0
  ifconfig-pool-persist clientiplist.txt
  client-to-client
  duplicate-cn
  keepalive 10 120
  comp-lzo
  persist-key
  persist-tun
  status /var/log/openvpn-status.log
  log /var/log/openvpn.log
  log-append /var/log/openvpn.log
  verb 3
Start OpenVPN and open its port in iptables:
  service openvpn start
  service openvpn status
  ifconfig tun0
  cat /var/log/openvpn.log
  cat /var/log/openvpn-status.log
  iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
  # for a udp server instead: iptables -I INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
  iptables-save                 # or: service iptables status, to review the running rules
  service iptables save
Edit the kernel parameters to enable forwarding:
  vim /etc/sysctl.conf
  net.ipv4.conf.default.accept_source_route = 1
  net.ipv4.conf.default.rp_filter = 0
  net.ipv4.ip_forward = 1
  # then load the file with: sysctl -p
Or set them directly:
  sysctl -w net.ipv4.conf.default.accept_source_route=1
  sysctl -w net.ipv4.conf.default.rp_filter=0
  sysctl -w net.ipv4.ip_forward=1
Configure iptables: add the sNAT rule for the tunnel subnet and remove the FORWARD reject rule:
  modprobe iptable_nat
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth2 -j MASQUERADE
  iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
  service iptables save || iptables-save > /etc/sysconfig/iptables
Tip: you can also flush all iptables rules and add explicit allow rules, which avoids having to delete individual reject rules.
You can view the state of the nat table with the command iptables -t nat -nL -v. The rule for the directly connected subnet from example (1) has the same form:
  iptables -t nat -A POSTROUTING -s 10.20.0.0/24 -o eth2 -j MASQUERADE
Configure host B (client)
Install the OpenVPN client:
  yum -y install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
  yum -y install openssl openvpn
Edit the OpenVPN client configuration file:
  vim /etc/openvpn/client.conf
Contents:
  client
  dev tun
  port 1194
  proto tcp
  remote 10.20.0.128 1194
  resolv-retry infinite
  nobind
  persist-tun
  ca /etc/openvpn/ca.crt
  cert /etc/openvpn/node2.51devops.com.crt
  key /etc/openvpn/node2.51devops.com.key
  remote-cert-tls server
  script-security 3
  ns-cert-type server
  comp-lzo adaptive
  verb 3
  mute 20
Copy ca.crt, node2.51devops.com.crt and node2.51devops.com.key from /etc/openvpn/easy-rsa/2.0/keys/ on host A to /etc/openvpn/ on host B, then reduce the permissions of the key file so that only its owner can read it, with no access for the group or for others:
  chmod 400 /etc/openvpn/node2.51devops.com.key
  service openvpn restart
Configure routing:
  route add -host 10.8.0.1 dev tun0
  route add default gw 10.8.0.1 dev tun0
Test the connection:
  ping -c4 10.8.0.1
  ping -c4 114.114.114.114
Before connecting with OpenVPN, note that the certificates must be configured correctly, the clocks of both hosts must be synchronized, the OpenVPN versions on both ends are best kept the same, and the OpenSSL package should be upgraded to the latest version.
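As an added pre-connection check (example code written for this article, not part of the original post or of OpenVPN), the following Python script compares a server.conf and a client.conf for the mismatches that make the connection fail (proto, port, dev, compression) and for the settings that weaken it. The two configuration texts are constructed copies of the files shown above, with the server's dh file name deliberately misspelled as dh3048.pem to show what a wrong dh name looks like; the function names are my own.

```python
import posixpath
from typing import Dict, List, Optional

# Constructed server configuration (dh name deliberately wrong for the demonstration).
SERVER_CONF = """\
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/node1.51devops.com.crt
key /etc/openvpn/easy-rsa/2.0/keys/node1.51devops.com.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh3048.pem
server 10.8.0.0 255.255.255.0
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
"""

# Constructed client configuration.
CLIENT_CONF = """\
client
dev tun
proto tcp
remote 10.20.0.128 1194
resolv-retry infinite
nobind
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/node2.51devops.com.crt
key /etc/openvpn/node2.51devops.com.key
remote-cert-tls server
ns-cert-type server
comp-lzo adaptive
verb 3
"""


def parse_openvpn_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument lists it appears with ('#' and ';' start comments)."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf


def first(conf: Dict[str, List[List[str]]], name: str) -> Optional[List[str]]:
    """Arguments of the first occurrence of a directive, or None if absent."""
    return conf[name][0] if name in conf else None


def check_pair(server_text: str, client_text: str, key_size: int) -> List[str]:
    """Return findings that would stop the client from connecting or that weaken the setup."""
    srv, cli = parse_openvpn_conf(server_text), parse_openvpn_conf(client_text)
    findings: List[str] = []

    # Transport must match: a tcp client cannot talk to a udp server (default proto is udp).
    s_proto = (first(srv, "proto") or ["udp"])[0]
    c_proto = (first(cli, "proto") or ["udp"])[0]
    if s_proto.rstrip("46") != c_proto.rstrip("46"):
        findings.append(f"proto mismatch: server {s_proto}, client {c_proto}")

    # The port in each client 'remote' line must be the server's listening port (default 1194).
    s_port = (first(srv, "port") or ["1194"])[0]
    for remote in cli.get("remote", []):
        r_port = remote[1] if len(remote) > 1 else "1194"
        if r_port != s_port:
            findings.append(f"remote {remote[0]} uses port {r_port}, server listens on {s_port}")

    # Both ends must use the same device type (tun vs tap).
    if first(srv, "dev") != first(cli, "dev"):
        findings.append("dev mismatch between server and client")

    # Compression has to be enabled on both ends or on neither.
    if ("comp-lzo" in srv) != ("comp-lzo" in cli):
        findings.append("comp-lzo set on only one side")

    # easy-rsa 2.0's build-dh writes keys/dh<KEY_SIZE>.pem; the server must point at that file.
    dh = first(srv, "dh")
    if dh and posixpath.basename(dh[0]) != f"dh{key_size}.pem":
        findings.append(f"dh file {dh[0]} does not match KEY_SIZE={key_size} (expected dh{key_size}.pem)")

    # Without remote-cert-tls, any client certificate from the same CA could pose as the server.
    if first(cli, "remote-cert-tls") != ["server"]:
        findings.append("client lacks 'remote-cert-tls server'")
    if "ns-cert-type" in cli:
        findings.append("ns-cert-type is the legacy form of remote-cert-tls and was removed in OpenVPN 2.5")
    if "duplicate-cn" in srv:
        findings.append("duplicate-cn lets several clients share one certificate; drop it when each client has its own")
    return findings


if __name__ == "__main__":
    for finding in check_pair(SERVER_CONF, CLIENT_CONF, key_size=2048):
        print("-", finding)
```

Run it against the real /etc/openvpn/server.conf and client.conf before the first `service openvpn restart`; the transport and port checks catch the mismatches that otherwise show up only as a silent reconnect loop in /var/log/openvpn.log.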
Tag: Linux network, OpenVPN configuration, iptables sNAT