doc-exports/docs/vpc/umn/vpc_route_0004.html
fanqinying d2f00b744a VPC UMN 20241224 version
Reviewed-by: Szirovicza Gergő <a94652429@noreply.gitea.eco.tsi-dev.otc-service.com>
Reviewed-by: Sarda, Priya <prsarda@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: fanqinying <fanqinying@huawei.com>
Co-committed-by: fanqinying <fanqinying@huawei.com>
2025-09-11 07:29:55 +00:00


<a name="vpc_route_0004"></a><a name="vpc_route_0004"></a>
<h1 class="topictitle1">Configuring an SNAT Server</h1>
<div id="body8662426"><div class="section" id="vpc_route_0004__en-us_topic_0212076959_section46985825185725"><h4 class="sectiontitle">Scenarios</h4><p id="vpc_route_0004__en-us_topic_0118499009_p52800783174251">Together with VPC route tables, you can configure SNAT on an ECS to enable other ECSs that have no EIPs bound in the same VPC to access the Internet through this ECS.</p>
<p id="vpc_route_0004__en-us_topic_0118499009_p54005937143036">The configured SNAT takes effect for all subnets in a VPC.</p>
</div>
<div class="section" id="vpc_route_0004__en-us_topic_0212076959_section55962461185854"><h4 class="sectiontitle">Prerequisites</h4><ul id="vpc_route_0004__en-us_topic_0118499009_ul2800292395752"><li id="vpc_route_0004__en-us_topic_0118499009_li3604064495752">You have an ECS where SNAT is to be configured.</li><li id="vpc_route_0004__en-us_topic_0118499009_li3814080795752">The ECS where SNAT is to be configured runs Linux.</li><li id="vpc_route_0004__en-us_topic_0118499009_li308571895752">The ECS where SNAT is to be configured has only one network interface.</li></ul>
</div>
<div class="section" id="vpc_route_0004__en-us_topic_0212076959_section27146196185725"><h4 class="sectiontitle">Procedure</h4><ol class="subitemlist" id="vpc_route_0004__en-us_topic_0212076959_ol59571222185725"><li id="vpc_route_0004__li108767085113">Log in to the management console.</li><li id="vpc_route_0004__en-us_topic_0212076959_li840318282158">Click <span><img id="vpc_route_0004__image121775280771926" src="en-us_image_0000001818982734.png"></span> in the upper left corner and select the desired region and project.</li><li id="vpc_route_0004__en-us_topic_0118498853_en-us_topic_0118498861_li65321958215">In the upper left corner of the page, click <span><img id="vpc_route_0004__en-us_topic_0118498853_en-us_topic_0118498861_en-us_topic_0118498850_image8750174734412" src="en-us_image_0000001865582817.png"></span>. In the service list, choose <strong id="vpc_route_0004__b7687712123810">Computing</strong> &gt; <strong id="vpc_route_0004__b17688181223814">Elastic Cloud Server</strong>.</li><li id="vpc_route_0004__en-us_topic_0212076959_li31507856192850">On the displayed page, locate the target ECS in the ECS list and click the ECS name to switch to the page showing ECS details.</li><li id="vpc_route_0004__en-us_topic_0212076959_li53859069172540">On the displayed ECS details page, click the <strong id="vpc_route_0004__b7373162212350">Network Interfaces</strong> tab.</li><li id="vpc_route_0004__en-us_topic_0212076959_li19079047102036">Click the network interface's IP address to view details and disable <strong id="vpc_route_0004__b447943853118">Source/Destination Check</strong>.<p id="vpc_route_0004__p199611181010">The source/destination check prevents packet spoofing and improves system security. An SNAT server, however, must forward packets on behalf of other ECSs, and with the check enabled the returned packets cannot reach the original sender. To allow this forwarding, disable the source/destination check on the SNAT server.</p>
</li><li class="subitemlist" id="vpc_route_0004__en-us_topic_0212076959_li973115415548">Bind an EIP.<ul id="vpc_route_0004__en-us_topic_0212076959_ul145638556547"><li id="vpc_route_0004__en-us_topic_0212076959_li389151017522">Bind an EIP to the private IP address of the ECS. For details, see <a href="en-us_topic_0013748738.html">Assigning an EIP and Binding It to an ECS</a>.</li><li id="vpc_route_0004__en-us_topic_0212076959_li14372322205216">Bind an EIP to the virtual IP address of the ECS. For details, see <a href="en-us_topic_0067802474.html">Binding a Virtual IP Address to an EIP or ECS</a>.</li></ul>
</li><li id="vpc_route_0004__en-us_topic_0212076959_li16042892175455">On the ECS console, use the remote login function to log in to the ECS where you plan to configure SNAT.</li><li id="vpc_route_0004__en-us_topic_0212076959_li5799485421525">Run the following command and enter the password of user <strong id="vpc_route_0004__b84235270615257">root</strong> to switch to user <strong id="vpc_route_0004__b8423527061535">root</strong>:<p id="vpc_route_0004__en-us_topic_0212076959_p515682111210"><strong id="vpc_route_0004__en-us_topic_0212076959_b31038699111213">su - root</strong></p>
</li><li id="vpc_route_0004__en-us_topic_0212076959_li38168893185725">Run the following command to check whether the ECS can successfully connect to the Internet:<div class="note" id="vpc_route_0004__en-us_topic_0212076959_note452533610318"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="vpc_route_0004__en-us_topic_0212076959_p4072802610318">Before running the command, disable any iptables rule on the ECS where SNAT is configured that would block this traffic, and configure security group rules that allow it.</p>
</div></div>
<p id="vpc_route_0004__en-us_topic_0212076959_p3847689194811"><strong id="vpc_route_0004__en-us_topic_0212076959_b4158120095835">ping www.google.com</strong></p>
<div class="p" id="vpc_route_0004__en-us_topic_0212076959_p16193627195352">The ECS can access the Internet if the following information is displayed:<pre class="screen" id="vpc_route_0004__en-us_topic_0212076959_screen4594102519120">[root@localhost ~]# <strong id="vpc_route_0004__b24811939105318">ping www.google.com</strong>
PING www.google.com (xxx.xxx.xxx.xxx) 56(84) bytes of data.
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=51 time=9.34 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=51 time=9.11 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=51 time=8.99 ms</pre>
</div>
</li><li id="vpc_route_0004__en-us_topic_0212076959_li740311521532">Run the following command to check whether IP forwarding of the Linux OS is enabled:<p id="vpc_route_0004__en-us_topic_0212076959_p61429432185725"><a name="vpc_route_0004__en-us_topic_0212076959_li740311521532"></a><a name="en-us_topic_0212076959_li740311521532"></a><strong id="vpc_route_0004__en-us_topic_0212076959_b2074430719158">cat /proc/sys/net/ipv4/ip_forward</strong></p>
<div class="p" id="vpc_route_0004__en-us_topic_0212076959_p20443675185725">In the command output, <strong id="vpc_route_0004__b13947352238">1</strong> indicates that IP forwarding is enabled, and <strong id="vpc_route_0004__b7399133510231">0</strong> indicates that IP forwarding is disabled. The default value is <strong id="vpc_route_0004__b54001235192318">0</strong>.<ul id="vpc_route_0004__en-us_topic_0212076959_ul4867996019351"><li id="vpc_route_0004__en-us_topic_0212076959_li5357309819351">If IP forwarding in Linux is enabled, go to step <a href="#vpc_route_0004__en-us_topic_0212076959_li2168883919851">14</a>.</li><li id="vpc_route_0004__en-us_topic_0212076959_li2587875419430">If IP forwarding in Linux is disabled, go to step <a href="#vpc_route_0004__en-us_topic_0212076959_li3948189019612">12</a> to enable IP forwarding in Linux.</li></ul>
</div>
<p id="vpc_route_0004__en-us_topic_0212076959_p17833341152641">Many OSs can route packets. Before forwarding a packet, the OS rewrites the packet's source IP address to its own address, so the forwarded packet carries a publicly reachable sender address and the response packets return along the same path to the SNAT server. This method is called SNAT. The OS must keep track of the connections whose addresses it has rewritten so that it can rewrite the destination address of each response packet and forward the response to the initial sender. To achieve this, you need to enable IP forwarding and configure SNAT rules.</p>
</li><li id="vpc_route_0004__en-us_topic_0212076959_li3948189019612"><a name="vpc_route_0004__en-us_topic_0212076959_li3948189019612"></a><a name="en-us_topic_0212076959_li3948189019612"></a>Use the vi editor to open the <strong id="vpc_route_0004__b823214082917">/etc/sysctl.conf</strong> file, change the value of <strong id="vpc_route_0004__b623360182916">net.ipv4.ip_forward</strong> to <strong id="vpc_route_0004__b14233170172920">1</strong>, and enter <strong id="vpc_route_0004__b22330052913">:wq</strong> to save the change and exit.</li><li id="vpc_route_0004__en-us_topic_0212076959_li59487700144938">Run the following command to make the change take effect:<p id="vpc_route_0004__en-us_topic_0212076959_p21319133185725"><a name="vpc_route_0004__en-us_topic_0212076959_li59487700144938"></a><a name="en-us_topic_0212076959_li59487700144938"></a><strong id="vpc_route_0004__en-us_topic_0212076959_b60392557195818">sysctl -p /etc/sysctl.conf</strong></p>
</li><li id="vpc_route_0004__en-us_topic_0212076959_li2168883919851"><a name="vpc_route_0004__en-us_topic_0212076959_li2168883919851"></a><a name="en-us_topic_0212076959_li2168883919851"></a>Configure the SNAT function.<p id="vpc_route_0004__en-us_topic_0212076959_p6086906185725"><a name="vpc_route_0004__en-us_topic_0212076959_li2168883919851"></a><a name="en-us_topic_0212076959_li2168883919851"></a>Run the following command to enable all ECSs on the network (for example, 192.168.1.0/24) to access the Internet using the SNAT function:</p>
<p id="vpc_route_0004__en-us_topic_0212076959_p54782158185725"><strong id="vpc_route_0004__en-us_topic_0212076959_b1711562716118">iptables -t nat -A POSTROUTING -o eth0 -s subnet -j SNAT --to nat-instance-ip</strong></p>
<div class="fignone" id="vpc_route_0004__en-us_topic_0212076959_fig27328760201321"><span class="figcap"><b>Figure 1 </b>Configuring SNAT</span><br><span><img id="vpc_route_0004__en-us_topic_0212076959_image27784576201316" src="en-us_image_0000001818983066.png"></span></div>
<div class="note" id="vpc_route_0004__en-us_topic_0212076959_note17131172082610"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="vpc_route_0004__en-us_topic_0212076959_p10101124512287">To ensure that the rule will not be lost after the restart, write the rule into the <strong id="vpc_route_0004__b48631924113210">/etc/rc.local</strong> file.</p>
<ol type="a" id="vpc_route_0004__en-us_topic_0212076959_ol1672532664411"><li id="vpc_route_0004__en-us_topic_0212076959_li37251826164420">Open the <strong id="vpc_route_0004__b682718172339">/etc/rc.local</strong> file:<p id="vpc_route_0004__en-us_topic_0212076959_p131011015453"><strong id="vpc_route_0004__en-us_topic_0212076959_b674310453469">vi /etc/rc.local</strong></p>
</li><li id="vpc_route_0004__en-us_topic_0212076959_li13354142510468">Add the SNAT command from step <a href="#vpc_route_0004__en-us_topic_0212076959_li2168883919851">14</a> to the file.</li><li id="vpc_route_0004__en-us_topic_0212076959_li1681128114512">Save the configuration and exit:<p id="vpc_route_0004__en-us_topic_0212076959_p11166132734719"><a name="vpc_route_0004__en-us_topic_0212076959_li1681128114512"></a><a name="en-us_topic_0212076959_li1681128114512"></a><strong id="vpc_route_0004__en-us_topic_0212076959_b106820371461">:wq</strong></p>
</li><li id="vpc_route_0004__en-us_topic_0212076959_li47802059144620">Add the execution permissions for the <strong id="vpc_route_0004__b1636055020338">rc.local</strong> file:<p id="vpc_route_0004__en-us_topic_0212076959_p18491172662719"><strong id="vpc_route_0004__en-us_topic_0212076959_b811028132817"># chmod +x /etc/rc.local</strong></p>
</li></ol>
</div></div>
</li><li id="vpc_route_0004__en-us_topic_0212076959_li2199423117567">Run the following command to check whether the configuration is successful. If the output lists an SNAT rule for your subnet (for example, 192.168.1.0/24), similar to <a href="#vpc_route_0004__en-us_topic_0212076959_fig8358771201535">Figure 2</a>, the configuration was successful.<p id="vpc_route_0004__en-us_topic_0212076959_p57775313185725"><strong id="vpc_route_0004__en-us_topic_0212076959_b4735265611325">iptables -t nat --list</strong></p>
<div class="fignone" id="vpc_route_0004__en-us_topic_0212076959_fig8358771201535"><a name="vpc_route_0004__en-us_topic_0212076959_fig8358771201535"></a><a name="en-us_topic_0212076959_fig8358771201535"></a><span class="figcap"><b>Figure 2 </b>Verifying configuration</span><br><span><img id="vpc_route_0004__en-us_topic_0212076959_image49288804185725" src="en-us_image_0000001818823278.png"></span></div>
</li><li id="vpc_route_0004__en-us_topic_0212076959_li01391125185619">Add a route. For details, see section <a href="vpc_route01_0006.html">Adding a Custom Route</a>.<p id="vpc_route_0004__en-us_topic_0212076959_p615215253560">Set the destination to <strong id="vpc_route_0004__b9649156143815">0.0.0.0/0</strong>, and the next hop to the private or virtual IP address of the ECS where SNAT is deployed. For example, the next hop is <strong id="vpc_route_0004__b1965014613818">192.168.1.4</strong>.</p>
</li></ol>
<p class="subitemlist" id="vpc_route_0004__en-us_topic_0212076959_p136323287499">After these operations are complete, if the network communication still fails, check your security group and firewall<span id="vpc_route_0004__text159701372612"></span> configuration to see whether required traffic is allowed.</p>
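<p>The following script is added here as an example and is not code from the original page: it automates steps 11 to 15 (check and enable IP forwarding, add the SNAT rule exactly once, persist it in /etc/rc.local, and list the nat table). The subnet 192.168.1.0/24, the next hop 192.168.1.4 and the interface eth0 are the page's sample values and can be overridden through the environment; the script refuses an invalid subnet and only changes the system when run as root with the argument <strong>apply</strong>.</p>

```shell
#!/bin/sh
# Added example, not from the original page: automates steps 11 to 15 above.
# Subnet, SNAT server IP and interface are assumed values; override via env.
set -eu
SNAT_SUBNET="${SNAT_SUBNET:-192.168.1.0/24}"   # assumed VPC subnet
SNAT_IP="${SNAT_IP:-192.168.1.4}"              # assumed private IP of the SNAT ECS
SNAT_IFACE="${SNAT_IFACE:-eth0}"               # assumed single network interface

# Step 11: succeed if the ip_forward file (default: the live kernel value) reads 1.
ip_forward_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Reject anything that is not a dotted-quad IPv4 CIDR before it reaches iptables.
valid_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Step 14 rule spec (--to-source is the full spelling of --to), printed without
# the leading "iptables -t nat" so it serves -C (check), -A (append) and rc.local.
snat_rule_spec() {
  printf 'POSTROUTING -o %s -s %s -j SNAT --to-source %s' \
    "$SNAT_IFACE" "$SNAT_SUBNET" "$SNAT_IP"
}

# Steps 12 to 15: enable forwarding persistently, add the rule exactly once,
# persist it in /etc/rc.local and list the nat table for verification.
apply_snat() {
  valid_cidr "$SNAT_SUBNET" || { echo "invalid subnet: $SNAT_SUBNET" >&2; return 1; }
  if ! ip_forward_enabled; then
    if grep -q '^net\.ipv4\.ip_forward' /etc/sysctl.conf; then
      sed -i 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    else
      echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    fi
    sysctl -p /etc/sysctl.conf
  fi
  # -C fails when the rule is absent, so re-running the script never duplicates it.
  iptables -t nat -C $(snat_rule_spec) 2>/dev/null || iptables -t nat -A $(snat_rule_spec)
  grep -qF "$(snat_rule_spec)" /etc/rc.local 2>/dev/null \
    || echo "iptables -t nat -A $(snat_rule_spec)" >> /etc/rc.local
  chmod +x /etc/rc.local
  iptables -t nat --list POSTROUTING
}

# Sourcing the file only defines the functions; pass "apply" as root to run it.
if [ "${1:-}" = "apply" ]; then
  [ "$(id -u)" = "0" ] || { echo "run as root" >&2; exit 1; }
  apply_snat
fi
```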
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="vpc_route01_0000.html">Route Tables</a></div>
</div>
</div>