Enabling Internet Connectivity for an ECS Without an EIP

Scenarios

To ensure platform security and conserve EIPs, EIPs are assigned only to specified ECSs. ECSs without EIPs cannot access the Internet directly. If these ECSs need to access the Internet (for example, to perform a software upgrade or install a patch), you can select an ECS with an EIP bound to function as a proxy ECS, providing an access channel for these ECSs.

NAT Gateway is recommended, which provides both the SNAT and DNAT functions for your ECSs in a VPC and allows the ECSs to access or provide services accessible from the Internet. For details, see NAT Gateway.

Prerequisites

• A proxy ECS with an EIP bound is available.
• The IP address of the proxy ECS is in the same network and same security group as the ECSs that need to access the Internet.

Linux Proxy ECS

The following uses a proxy ECS running CentOS 6.5 as an example. For details about other OSs and versions, see the official help documentation.

1. Log in to the management console.
2. Click in the upper left corner and select your region and project.
3. Click . Under Compute, click Elastic Cloud Server.
4. In the search box above the upper right corner of the ECS list, enter the proxy ECS name for search.
5. Click the name of the proxy ECS. The page providing details about the ECS is displayed.
6. On the Network Interfaces tab, click . Then, disable Source/Destination Check.
   Figure 1 Disabling source/destination check
   

   By default, the source/destination check function is enabled. When this function is enabled, the system checks whether source IP addresses contained in the packets sent by ECSs are correct. If the IP addresses are incorrect, the system does not allow the ECSs to send the packets. This mechanism prevents packet spoofing, thereby improving system security. However, this mechanism prevents the packet sender from receiving returned packets. Therefore, disable the source/destination check.

7. Log in to the proxy ECS.

   For more details, see Login Overview (Linux).

8. Check whether the proxy ECS can access the Internet.

   ping www.huaweicloud.com

   The proxy ECS can access the Internet if information similar to the following is displayed:

   Figure 2 Checking connectivity
   
9. Install iptables.

   yum install iptables-services -y

10. Set the automatic startup of iptables.

    systemctl start iptables

    systemctl enable iptables

11. Disable the firewall.

    systemctl stop firewalld

    systemctl disable firewalld

12. Check whether IP forwarding is enabled on the proxy ECS.

    cat /proc/sys/net/ipv4/ip_forward

    • If 0 (disabled) is displayed, go to 13.
    • If 1 (enabled) is displayed, go to 18.
13. Open the IP forwarding configuration file in the vi editor.

    vi /etc/sysctl.conf

14. Press i to enter editing mode.
15. Set the net.ipv4.ip_forward value to 1.

    Set the net.ipv4.ip_forward value to 1.

    

    If the sysctl.conf file does not contain the net.ipv4.ip_forward parameter, run the following command to add it:

    echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf

16. Press Esc, type :wq, and press Enter.

    The system saves the configurations and exits the vi editor.

17. Apply the modification.

    sysctl -p /etc/sysctl.conf

18. Configure default iptables rules.

    iptables -P INPUT ACCEPT

    iptables -P OUTPUT ACCEPT

    iptables -P FORWARD ACCEPT

    

    Running iptables -P INPUT ACCEPT will set default INPUT policy to ACCEPT, which poses security risks. You are advised to set security group rules to restrict inbound access.

19. Configure source network address translation (SNAT) to enable ECSs in the same network segment to access the Internet through the proxy ECS.

    iptables -t nat -A POSTROUTING -o eth0 -s subnet/netmask-bits -j SNAT --to nat-instance-ip

    For example, if the proxy ECS is in network 192.168.125.0, the subnet mask has 24 bits, and the private IP address is 192.168.125.4, run the following command:

    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.125.0/24 -j SNAT --to 192.168.125.4

    

    To retain the preceding configuration even after the ECS is restarted, run the vi /etc/rc.local command to edit the rc.local file. Specifically, copy the rule described in step 19 into rc.local, press Esc to exit Insert mode, and enter :wq to save the settings and exit.

20. Save the iptables configuration and set the automatic startup of iptables.

    service iptables save

    chkconfig iptables on

21. Check whether SNAT has been configured.

    iptables -t nat --list

    SNAT has been configured if information similar to Figure 3 is displayed.

    Figure 3 Successful SNAT configuration
    
22. Add a route.
    1. Log in to the management console.
    2. Click in the upper left corner and select your region and project.
    3. Under Networking, click Virtual Private Cloud.
    4. Choose Route Tables in the left navigation pane. In the route table list, click a target route table. On the displayed page, click Add Route.
    5. Set route information on the displayed page.
       • Destination: indicates the destination network segment. The default value is 0.0.0.0/0.
       • Next Hop: indicates the private IP address of the proxy ECS.

         You can obtain the private IP address of the ECS on the Elastic Cloud Server page.

23. Delete the added iptables rules as needed.

    iptables -t nat -D POSTROUTING -o eth0 -s subnet/netmask-bits -j SNAT --to nat-instance-ip

    For example, if the proxy ECS is in network segment 192.168.125.0, the subnet mask has 24 bits, and the private IP address is 192.168.125.4, run the following command:

    iptables -t nat -D POSTROUTING -o eth0 -s 192.168.125.0/24 -j SNAT --to 192.168.125.4