Configuring an SNAT Server to Enable ECSs to Share an EIP to Access the Internet
Scenarios
Together with VPC route tables, you can configure SNAT on an ECS to enable other ECSs that have no EIPs bound in the same VPC to access the Internet through this ECS.
The configured SNAT takes effect for all subnets in a VPC.
Prerequisites
- You have an ECS where SNAT is to be configured.
- The ECS where SNAT is to be configured runs Linux.
- The ECS where SNAT is to be configured has only one network interface.
Differences Between SNAT ECSs and NAT Gateways
NAT Gateway provides network address translation (NAT) for servers, such as ECSs, BMSs, and Workspace desktops, in a VPC or servers that connect to a VPC through Direct Connect or VPN in local data centers, allowing these servers to access the Internet using EIPs or to provide services for the Internet.
NAT Gateway is easier to configure and use than SNAT. This service can be flexibly deployed across subnets and AZs and has different NAT gateway specifications. You can click NAT Gateway under Networking on the management console to try this service.
For details, see the NAT Gateway User Guide.
Procedure
- Log in to the management console.
- Click in the upper left corner and select the desired region and project.
- In the upper left corner of the page, click . In the service list, choose Compute > Elastic Cloud Server.
- On the displayed page, locate the target ECS in the ECS list and click its name to go to the page showing ECS details.
- On the displayed page, click the Network Interfaces tab.
- Click the network interface IP address to view details and disable Source/Destination Check.
By default, the source/destination check option is enabled to check whether source IP addresses contained in the packets sent by ECSs are correct. If the IP addresses are incorrect, the system does not allow the ECSs to send the packets. This mechanism prevents packet spoofing, thereby improving system security. If the SNAT function is used, the SNAT server needs to forward packets. This mechanism prevents the packet sender from receiving returned packets. Therefore, you need to disable the source/destination check for SNAT servers.
- Bind an EIP.
- Bind an EIP to the private IP address of the ECS. For details, see Binding an EIP to an Instance.
- Bind an EIP to the virtual IP address of the ECS. For details, see Binding a Virtual IP Address to an Instance or EIP.
- On the ECS console, remotely log in to the ECS where you plan to configure SNAT.
- Run the following command and enter the password of user root to switch to user root:
su - root
- Run the following command to check whether the ECS can successfully connect to the Internet:
Before running the command, you must disable the response iptables rule on the ECS where SNAT is configured and configure security group rules.
ping support.huawei.com
The ECS can access the Internet if the following information is displayed:[root@localhost ~]# ping support.huawei.com PING support.huawei.com (xxx.xxx.xxx.xxx) 56(84) bytes of data. 64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=51 time=9.34 ms 64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=51 time=9.11 ms 64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=51 time=8.99 ms
- Run the following command to check whether IP forwarding of the Linux OS is enabled:
cat /proc/sys/net/ipv4/ip_forward
In the command output, 1 indicates that IP forwarding is enabled, and 0 indicates that IP forwarding is disabled. The default value is 0.Many OSs support packet routing. Before forwarding packets, OSs change source IP addresses in the packets to OS IP addresses. Therefore, the forwarded packets contain the IP address of the public sender so that the response packets can be sent back along the same path to the initial packet sender. This method is called SNAT. The OSs need to keep track of the packets where IP addresses have been changed to ensure that the destination IP addresses in the packets can be rewritten and that packets can be forwarded to the initial packet sender. To achieve these purposes, you need to enable the IP forwarding function and configure SNAT rules.
- Use the vi editor to open the /etc/sysctl.conf file, change the value of net.ipv4.ip_forward to 1, and enter :wq to save the change and exit.
- Run the following command to make the change take effect:
- Configure the SNAT function.
Run the following command to allow all ECSs in the subnet (for example, 192.168.1.0/24) to access the Internet: Example command:
iptables -t nat -A POSTROUTING -o eth0 -s subnet -j SNAT --to nat-instance-ip
Figure 1 Configuring SNAT
To ensure that the rule will not be lost after the restart, write the rule into the /etc/rc.local file.
- Switch to the /etc/sysctl.conf file:
vi /etc/rc.local
- Perform 14 to configure SNAT.
- Save the configuration and exit:
- Add the execution permissions for the rc.local file:
# chmod +x /etc/rc.local
- Switch to the /etc/sysctl.conf file:
- Check whether the configuration is successful. If information similar to Figure 2 (for example, 192.168.1.0/24) is displayed, the configuration was successful.
iptables -t nat --list
- Add a route. For details, see section Adding Routes to a Route Table.
Set the destination to 0.0.0.0/0, and the next hop to the private or virtual IP address of the ECS where SNAT is deployed. For example, the next hop is 192.168.1.4.
After these operations are complete, if the network communication still fails, check your security group and network ACL configuration to see whether required traffic is allowed.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot