To use the route table function provided by the VPC service, you need to configure SNAT on an ECS to enable other ECSs that do not have EIPs bound in a VPC to access the Internet through this ECS.
The configured SNAT function takes effect for all subnets in a VPC.
By default, the source/destination check function is enabled. When this function is enabled, the system checks whether source IP addresses contained in the packets sent by ECSs are correct. If the IP addresses are incorrect, the system does not allow the ECSs to send the packets. This mechanism prevents packet spoofing, thereby improving system security. If SNAT is used, the SNAT server needs to forward packets. This mechanism prevents the packet sender from receiving returned packets. Therefore, you need to disable the source/destination check function for SNAT servers.
su - root
Before running the command, you must disable the response iptables rule on the ECS where SNAT is deployed and enable the security group rules.
[root@localhost ~]# ping www.google.com PING www.a.shifen.com (xxx.xxx.xxx.xxx) 56(84) bytes of data. 64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=51 time=9.34 ms 64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=51 time=9.11 ms 64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=51 time=8.99 ms
Many OSs support packet routing. Before forwarding packets, OSs change source IP addresses in the packets to OS IP addresses. Therefore, the forwarded packets contain the IP address of the public sender so that the response packets can be sent back in the same path to the initial packet sender. This method is called SNAT. The OSs need to keep track of the packets in which the IP addresses have been changed to ensure that the destination IP addresses in the packets can be rewritten and that packets can be forwarded to the initial packet sender. To achieve these purposes, you need to enable the IP forwarding function and configure SNAT rules.
sysctl -p /etc/sysctl.conf
Run the following command to enable all ECSs on the network segment (for example, 192.168.1.0/24) to access the Internet using the SNAT function: Figure 1 shows the example command.
iptables -t nat -A POSTROUTING -o eth0 -s subnet -j SNAT --to nat-instance-ip
iptables -t nat --list
The destination is 0.0.0.0/0, and the next hop is the private or virtual IP address of the ECS where the SNAT function is deployed. For example, the next hop is 192.168.1.4.
After the preceding operations are complete, if the network communication fails, check your security group and firewall configuration to see whether required traffic is allowed.