To ensure platform security and conserve EIPs, EIPs are assigned only to specified ECSs. ECSs without EIPs cannot access the Internet directly. If these ECSs need to access the Internet (for example, to perform a software upgrade or install a patch), you can select an ECS with an EIP bound to function as a proxy ECS, providing an access channel for these ECS.
NAT Gateway is recommended, which provides both the SNAT and DNAT functions for your ECSs in a VPC and allows the ECSs to access or provide services accessible from the Internet.
In this example, the proxy ECS runs CentOS 6.5.
By default, the source/destination check function is enabled. When this function is enabled, the system checks whether source IP addresses contained in the packets sent by ECSs are correct. If the IP addresses are incorrect, the system does not allow the ECSs to send the packets. This mechanism prevents packet spoofing, thereby improving system security. However, this mechanism prevents the packet sender from receiving returned packets. Therefore, disable the source/destination check.
For more details, see Login Overview.
ping www.google.com
The proxy ECS can access the Internet if information similar to the following is displayed:
64 bytes from 220.181.111.148: icmp_seq=1 ttl=51 time=9.34 ms 64 bytes from 220.181.111.148: icmp_seq=2 ttl=51 time=9.11 ms 64 bytes from 220.181.111.148: icmp_seq=3 ttl=51 time=8.99 ms
cat /proc/sys/net/ipv4/ip_forward
Set the net.ipv4.ip_forward value to 1.
If the sysctl.conf file does not contain the net.ipv4.ip_forward parameter, run the following command to add it:
echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
The system saves the configurations and exits the vi editor.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Running iptables -P INPUT ACCEPT will set default INPUT policy to ACCEPT, which poses security risks. You are advised to set security group rules to restrict inbound access.
iptables -t nat -A POSTROUTING -o eth0 -s subnet/netmask-bits -j SNAT --to nat-instance-ip
For example, if the proxy ECS is in network 192.168.125.0, the subnet mask has 24 bits, and the private IP address is 192.168.125.4, run the following command:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.125.0/24 -j SNAT --to 192.168.125.4
To retain the preceding configuration even after the ECS is restarted, run the vi /etc/rc.local command to edit the rc.local file. Specifically, copy the rule described in step 16 into rc.local, press Esc to exit the editing mode, and enter :wq to save and exit the file.
chkconfig iptables on
SNAT has been configured if information similar to Figure 1 is displayed.
You can obtain the private IP address of the ECS on the Elastic Cloud Server page.
iptables -t nat -D POSTROUTING -o eth0 -s subnet/netmask-bits -j SNAT --to nat-instance-ip
For example, if the proxy ECS is in network segment 192.168.125.0, the subnet mask has 24 bits, and the private IP address is 192.168.125.4, run the following command:
iptables -t nat -D POSTROUTING -o eth0 -s 192.168.125.0/24 -j SNAT --to 192.168.125.4