1. Preparation
1.1 Servers
Two servers:
- ECS1 (no public network access): 172.16.5.248
- ECS2 (has a public IP; in practice the VPC performs NAT for it): 172.16.5.245
1.2 Install iptables
>systemctl stop firewalld # stop firewalld, which conflicts with iptables-services
>yum install iptables-services
>systemctl enable iptables
>systemctl start iptables
2. Configuration
Because of the Alibaba Cloud VPC gateway, the gateway cannot be set up the way an ordinary gateway is (see: https://www.cnblogs.com/EasonJim/p/10206728.html). A 0.0.0.0/0 next-hop entry must be configured in the VPC route table as well; without it, nothing you configure on the ECS instance itself will work. The root cause is that the VPC already does NAT at its top layer: `route` shows that the .253 address is held by the VPC, and whatever 0.0.0.0 next hop you set on the instance, traffic is first handed to .253.
2.1 ECS2 configuration
Run the following on the machine with public network access (ECS2):
# Enable IP forwarding
>echo "1" > /proc/sys/net/ipv4/ip_forward
# Reload sysctl settings (this re-reads /etc/sysctl.conf; the /proc write above is already in effect, so add net.ipv4.ip_forward = 1 to /etc/sysctl.conf if it should survive a reboot)
>sysctl -p
# Configure SNAT in iptables: the forwarding rule
>iptables -t nat -I POSTROUTING -s 172.16.5.0/24 -j SNAT --to-source 172.16.5.245
# Save the change
>service iptables save
# Restart the firewall
>service iptables restart
Replace these addresses with your own: this rule forwards (SNATs) traffic from the 172.16.5.0/24 subnet out through 172.16.5.245.
2.2 Configure the VPC route rule
For routing on Alibaba Cloud ECS to succeed, a VPC route rule is also required. Open the Alibaba Cloud VPC console, add a route table, and create a 0.0.0.0/0 (default route) entry:
Network & Security -> Route Tables -> Manage -> Route Entry List -> Add Custom Route Entry
Next hop type: ECS instance; select ECS2.
3. Testing
3.1 Successful access
Log in to ECS1 and ping Baidu's domain:
>ping www.baidu.com
PING www.a.shifen.com (180.101.49.11) 56(84) bytes of data.
64 bytes from 180.101.49.11 (180.101.49.11): icmp_seq=1 ttl=49 time=11.5 ms
64 bytes from 180.101.49.11 (180.101.49.11): icmp_seq=2 ttl=49 time=11.6 ms
64 bytes from 180.101.49.11 (180.101.49.11): icmp_seq=3 ttl=49 time=11.5 ms
64 bytes from 180.101.49.11 (180.101.49.11): icmp_seq=4 ttl=49 time=11.5 ms
64 bytes from 180.101.49.11 (180.101.49.11): icmp_seq=5 ttl=49 time=11.5 ms
64 bytes from 180.101.49.11 (180.101.49.11): icmp_seq=6 ttl=49 time=11.5 ms
64 bytes from 180.101.49.11 (180.101.49.11): icmp_seq=7 ttl=49 time=11.5 ms
3.2 Failed access
>ping www.baidu.com
PING www.a.shifen.com (180.101.49.12) 56(84) bytes of data.
From 172.16.5.245 (172.16.5.245) icmp_seq=7 Destination Host Prohibited
From 172.16.5.245 (172.16.5.245) icmp_seq=8 Destination Host Prohibited
From 172.16.5.245 (172.16.5.245) icmp_seq=9 Destination Host Prohibited
From 172.16.5.245 (172.16.5.245) icmp_seq=10 Destination Host Prohibited
From 172.16.5.245 (172.16.5.245) icmp_seq=11 Destination Host Prohibited
From 172.16.5.245 (172.16.5.245) icmp_seq=12 Destination Host Prohibited
From 172.16.5.245 (172.16.5.245) icmp_seq=13 Destination Host Prohibited
From 172.16.5.245 (172.16.5.245) icmp_seq=14 Destination Host Prohibited
From 172.16.5.245 (172.16.5.245) icmp_seq=15 Destination Host Prohibited
From 172.16.5.245 (172.16.5.245) icmp_seq=16 Destination Host Prohibited
From 172.16.5.245 (172.16.5.245) icmp_seq=17 Destination Host Prohibited
In this case, clear the firewall rules on ECS2 with `iptables -F`; after that the ping succeeds. (`iptables -F` without `-t nat` flushes only the filter table, so the SNAT rule in the nat table survives; what it removes is the default FORWARD REJECT rule of iptables-services, which is what sends those "Destination Host Prohibited" replies from 172.16.5.245.)
References:
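Taking sections 2.1 and 3.2 together, the following script is an added example and not code from the original post. It rebuilds the ECS2 gateway setup so that ip_forward survives a reboot, the SNAT rule is not duplicated when the script is re-run, and the FORWARD chain is opened only for the private subnet instead of flushing every filter rule with `iptables -F` (which also removes the INPUT rules protecting ECS2 itself). The `forward_verdict` helper reads `iptables -S FORWARD` output and reports which target the subnet's outbound packets hit first, which shows why the stock ruleset answers REJECT while the narrowed one answers ACCEPT. Assumptions: CentOS 7 with iptables-services and conntrack support, the addresses used in the post, the file name `/etc/sysctl.d/90-nat-gw.conf` (my choice), and root privileges when DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not part of the original post: safer version of the ECS2
# NAT gateway setup. Assumptions: CentOS 7 with iptables-services and
# conntrack, the post's addresses, and root when DRY_RUN=0.
set -eu

LAN_CIDR="${LAN_CIDR:-172.16.5.0/24}"   # private subnet routed via ECS2
GW_IP="${GW_IP:-172.16.5.245}"          # ECS2's own address, used as SNAT source
DRY_RUN="${DRY_RUN:-1}"                 # 1 = only print the commands (default)

# Print each command; execute it only when DRY_RUN=0.
run() {
    printf '+ %s\n' "$*"
    if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# 1. Turn on forwarding now and persistently. The /proc write takes effect
#    immediately but is lost at reboot; `sysctl -p` only re-reads
#    /etc/sysctl.conf, so the key also has to live in a sysctl config file
#    (the file name below is this example's choice).
enable_ip_forward() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    run sh -c 'printf "net.ipv4.ip_forward = 1\n" > /etc/sysctl.d/90-nat-gw.conf'
    run sysctl --system
}

# 2. SNAT for the subnet, inserted only if not already present
#    (`iptables -C` returns 0 when an identical rule exists).
add_snat() {
    if [ "$DRY_RUN" = 0 ] && iptables -t nat -C POSTROUTING -s "$LAN_CIDR" \
            -j SNAT --to-source "$GW_IP" 2>/dev/null; then
        echo "SNAT rule already present, skipping"
        return 0
    fi
    run iptables -t nat -I POSTROUTING -s "$LAN_CIDR" -j SNAT --to-source "$GW_IP"
}

# 3. The "Destination Host Prohibited" replies seen in 3.2 come from the
#    default filter rule shipped with iptables-services:
#      -A FORWARD -j REJECT --reject-with icmp-host-prohibited
#    Put two narrow rules in front of it: anything from the subnet may leave,
#    and only replies to those flows may come back. The INPUT rules that
#    protect ECS2 itself are left untouched.
allow_forward() {
    run iptables -I FORWARD 1 -s "$LAN_CIDR" -j ACCEPT
    run iptables -I FORWARD 2 -d "$LAN_CIDR" -m conntrack \
        --ctstate RELATED,ESTABLISHED -j ACCEPT
    run service iptables save
}

# Diagnostic: feed `iptables -S FORWARD` output on stdin and print the target
# (ACCEPT/REJECT/DROP, or the chain policy) that a packet from subnet $1
# headed for the internet hits first. Only -s/-d are evaluated and negations
# are not handled; that is enough to tell the stock ruleset from the fixed one.
forward_verdict() {
    awk -v net="$1" '
        $1 == "-P" && $2 == "FORWARD" { policy = $3 }
        $1 == "-A" && $2 == "FORWARD" {
            src = ""; dst = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                else if ($i == "-d") dst = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if ((src == "" || src == net) && dst == "" &&
                (target == "ACCEPT" || target == "REJECT" || target == "DROP")) {
                print target; hit = 1; exit
            }
        }
        END { if (!hit) print policy }
    '
}

main() {
    if [ "$DRY_RUN" = 0 ] && [ "$(id -u)" -ne 0 ]; then
        echo "run as root, or keep DRY_RUN=1 to only print the plan" >&2
        return 1
    fi
    enable_ip_forward
    add_snat
    allow_forward
}

main
```

Run it as-is to print the plan, or as root with `DRY_RUN=0` to apply it. To check a live gateway, source the file and pipe `iptables -S FORWARD` into `forward_verdict 172.16.5.0/24`: the stock CentOS ruleset yields REJECT, the narrowed ruleset yields ACCEPT, and an emptied chain (after `iptables -F`) yields the ACCEPT policy, which is why the post's flush "works" while leaving ECS2 with no filter rules at all.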
https://www.cnblogs.com/EasonJim/p/10206743.html
https://blog.alovn.cn/2020/05/22/aliyun-ecs-connect-network/
https://amos-x.com/index.php/amos/archives/centos7-aliyun-nat/
https://blog.csdn.net/weixin_44549974/article/details/89576122