Tunnel Access to the Intranet


The tunnel configuration is as follows:

Name: any name you like

Type: select Local

Listening port: the port on the tunnel machine that is mapped to the Intranet machine

Binding IP address: select 127.0.0.1

Destination address: the IP address of the Intranet host. Make sure the tunnel machine can reach the Intranet host on that port, that is, that port connectivity exists

Target port: the port on the Intranet host to which the data in the tunnel is forwarded. If the SSH port has not been changed, the default is 22

The following describes how to connect to the Intranet through the tunnel:

The connection can succeed only after the session to the tunnel machine has been started

Host IP address: the binding IP address

Port: the listening port

User name and password: the account and password of the Intranet machine
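The same tunnel expressed on the command line, as an added example that is not part of the original tutorial. The form fields map onto the arguments of ssh -L; TUNNEL_USER, TUNNEL_HOST and INTRANET_USER are placeholder environment variables, and the host and ports in the usage comment are constructed.

```shell
#!/bin/bash
# Added example (not from the original tutorial): the command-line equivalent of the
# tunnel form above. TUNNEL_USER, TUNNEL_HOST and INTRANET_USER are placeholders.

# Turn the form fields into an ssh -L specification. Only a loopback binding address is
# accepted: binding to 0.0.0.0 would expose the Intranet host's port to every machine
# that can reach the tunnel machine, which is why the form says to pick 127.0.0.1.
forward_spec() {
    bind_ip=$1; listen_port=$2; dest_ip=$3; target_port=${4:-22}   # 22 = SSH default
    case "$bind_ip" in
        127.*|localhost) ;;
        *) echo "refusing non-loopback binding address $bind_ip" >&2; return 1 ;;
    esac
    for p in "$listen_port" "$target_port"; do
        case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
    done
    echo "${bind_ip}:${listen_port}:${dest_ip}:${target_port}"
}

# "Ensure port connectivity": run this on the tunnel machine to confirm it can open the
# Intranet host's target port before relying on the tunnel.
port_reachable() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Start the tunnel, then log in through it with the Intranet machine's own account,
# which is what the second form does: host = binding IP, port = listening port.
open_tunnel() {
    spec=$(forward_spec "$@") || return 1
    ssh -f -N -L "$spec" "${TUNNEL_USER:?}@${TUNNEL_HOST:?}" || return 1  # -f: background once up
    ssh -p "$2" "${INTRANET_USER:?}@$1"
}

# Constructed usage: map local port 2222 to the SSH port of Intranet host 10.0.1.5.
# TUNNEL_USER=ops TUNNEL_HOST=tunnel.example.com INTRANET_USER=root \
#     ./tunnel.sh 127.0.0.1 2222 10.0.1.5 22
[ $# -eq 0 ] || open_tunnel "$@"
```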

Intranet access to the Internet through a route

The extranet gateway and the Intranet hosts must be in the same private network but in different subnets. The topology is as follows

1. Create a subnet for the same private network

2. Place the Intranet hosts in the created subnet

3. Configure routes for the two subnets

(1) The routing configuration of the gateway machine, which is essentially the default

(2) The routing configuration of the Intranet machine

4. Configure the public network gateway

Log in to the cloud server that acts as the public network gateway, enable IP forwarding and the NAT proxy, and tune the related kernel parameters.

(1) Run the following command to create the vpcGateway.sh script in the /usr/local/sbin directory

vim /usr/local/sbin/vpcGateway.sh

(2) Write the following script

#!/bin/bash
# Enable IP forwarding, set up NAT and tune connection tracking on the gateway.
echo "----------------------------------------------------"
echo " `date`"

echo "(1)ip_forward config......"
# Persist net.ipv4.ip_forward = 1 in sysctl.conf (replace an existing line or append one),
# then enable it immediately in the running kernel.
file="/etc/sysctl.conf"
grep -i "^net\.ipv4\.ip_forward.*" $file &>/dev/null && sed -i \
    's/net\.ipv4\.ip_forward.*/net\.ipv4\.ip_forward = 1/' $file || \
    echo "net.ipv4.ip_forward = 1" >> $file
echo 1 >/proc/sys/net/ipv4/ip_forward
[ `cat /proc/sys/net/ipv4/ip_forward` -eq 1 ] && echo "-->ip_forward:Success" || \
    echo "-->ip_forward:Fail"

echo "(2)Iptables set......"
# Masquerade forwarded traffic behind the gateway's own address. This rule matches every
# source; add -s <Intranet subnet> if anything other than the Intranet can route through here.
iptables -t nat -A POSTROUTING -j MASQUERADE && echo "-->nat:Success" || echo "-->nat:Fail"
# Strip the TCP timestamp option from forwarded packets.
iptables -t mangle -A POSTROUTING -p tcp -j TCPOPTSTRIP --strip-options timestamp && \
    echo "-->mangle:Success" || echo "-->mangle:Fail"

echo "(3)nf_conntrack config......"
# Enlarge the conntrack hash table and entry limit so the NAT gateway does not drop new
# connections under load, and keep established TCP flows for 3 hours (10800 s).
echo 262144 > /sys/module/nf_conntrack/parameters/hashsize
[ `cat /sys/module/nf_conntrack/parameters/hashsize` -eq 262144 ] && \
    echo "-->hashsize:Success" || echo "-->hashsize:Fail"
echo 1048576 > /proc/sys/net/netfilter/nf_conntrack_max
[ `cat /proc/sys/net/netfilter/nf_conntrack_max` -eq 1048576 ] && \
    echo "-->nf_conntrack_max:Success" || echo "-->nf_conntrack_max:Fail"
echo 10800 >/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
[ `cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established` -eq 10800 ] \
    && echo "-->nf_conntrack_tcp_timeout_established:Success" || \
    echo "-->nf_conntrack_tcp_timeout_established:Fail"

(3) Set script file permissions

chmod +x /usr/local/sbin/vpcGateway.sh
echo "/usr/local/sbin/vpcGateway.sh >/tmp/vpcGateway.log 2>&1" >> /etc/rc.local

(4) Run the following command to create the set_rps.sh script in the /usr/local/sbin directory:

vim /usr/local/sbin/set_rps.sh

(5) Write the following script

#!/bin/bash
# Spread receive packet steering (RPS) for every NIC queue across all CPUs.
echo "--------------------------------------------"
date
mask=0
i=0
total_nic_queues=0

# Build the rps_cpus bitmask for cpu_nums CPUs. Masks wider than 32 bits are written
# as comma-separated 32-bit hex words, which is the format the kernel expects.
get_all_mask() {
    local cpu_nums=$1
    if [ $cpu_nums -gt 32 ]; then
        mask_tail=""
        mask_low32="ffffffff"
        idx=$((cpu_nums / 32))
        cpu_reset=$((cpu_nums - idx * 32))
        if [ $cpu_reset -eq 0 ]; then
            mask=$mask_low32
            for ((i = 2; i <= idx; i++)); do
                mask="$mask,$mask_low32"
            done
        else
            for ((i = 1; i <= idx; i++)); do
                mask_tail="$mask_tail,$mask_low32"
            done
            mask_head_num=$((2 ** cpu_reset - 1))
            mask=$(printf "%x%s" $mask_head_num $mask_tail)
        fi
    else
        mask_num=$((2 ** cpu_nums - 1))
        mask=$(printf "%x" $mask_num)
    fi
    echo $mask
}

set_rps() {
    if ! command -v ethtool &>/dev/null; then
        source /etc/profile
    fi
    ethtool=$(which ethtool)
    cpu_nums=$(cat /proc/cpuinfo | grep processor | wc -l)
    if [ $cpu_nums -eq 0 ]; then
        exit 0
    fi
    mask=$(get_all_mask $cpu_nums)
    echo "cpu number:$cpu_nums mask:0x$mask"
    ethSet=$(ls -d /sys/class/net/eth*)
    for entry in $ethSet; do
        eth=$(basename $entry)
        nic_queues=$(ls -l /sys/class/net/$eth/queues/ | grep rx- | wc -l)
        if (($nic_queues == 0)); then
            continue
        fi
        cat /proc/interrupts | grep "LiquidIO.*rxtx" &>/dev/null
        if [ $? -ne 0 ]; then # not a smart NIC
            # A NIC that already has one hardware queue per CPU gains nothing from RPS.
            max_combined=$(
                $ethtool -l $eth 2>/dev/null | grep -i "combined" | head -n 1 | awk '{print $2}'
            )
            # Fall back to 1 if ethtool -l $eth fails or prints something unexpected.
            [[ ! "$max_combined" =~ ^[0-9]+$ ]] && max_combined=1
            if [ ${max_combined} -ge ${cpu_nums} ]; then
                echo "$eth has equally nic queue as cpu, don't set rps for it..."
                continue
            fi
        else
            echo "$eth is smartnic, set rps for it..."
        fi
        echo "eth:$eth queues:$nic_queues"
        total_nic_queues=$(($total_nic_queues + $nic_queues))
        i=0
        # Apply the CPU mask and a 4096-entry flow table to each receive queue.
        while (($i < $nic_queues)); do
            echo $mask >/sys/class/net/$eth/queues/rx-$i/rps_cpus
            echo 4096 >/sys/class/net/$eth/queues/rx-$i/rps_flow_cnt
            i=$(($i + 1))
        done
    done
    # The global flow table must cover the per-queue tables configured above.
    flow_entries=$((total_nic_queues * 4096))
    echo "total_nic_queues:$total_nic_queues flow_entries:$flow_entries"
    echo $flow_entries >/proc/sys/net/core/rps_sock_flow_entries
}
set_rps

(6) Set script file permissions

chmod +x /usr/local/sbin/set_rps.sh
echo "/usr/local/sbin/set_rps.sh >/tmp/setRps.log 2>&1" >> /etc/rc.local
chmod +x /etc/rc.d/rc.local

5. After the configuration is complete, restart the cloud server that acts as the public network gateway so the configuration takes effect, then check from a cloud server without a public IP address whether the public network is reachable.
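A post-reboot verification script for the gateway, added here as an example that is not part of the original tutorial. It checks that the values vpcGateway.sh and set_rps.sh are expected to have applied are actually present after the restart; each check is a small function that takes a file path or stdin, so it can also be exercised on constructed data.

```shell
#!/bin/bash
# Added verification script (not part of the original tutorial). Run it with --live on
# the public network gateway after the reboot in step 5; exit status 0 means every
# setting from vpcGateway.sh survived.

# Return 0 if FILE holds exactly EXPECTED (for /proc and /sys tunables).
value_is() {
    [ -r "$1" ] && [ "$(cat "$1")" = "$2" ]
}

# Return 0 if the sysctl FILE enables ip_forward, i.e. the setting persists across reboots.
sysctl_enables_forwarding() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Return 0 if the iptables -S style listing on stdin contains the POSTROUTING MASQUERADE
# rule that vpcGateway.sh adds.
has_masquerade_rule() {
    grep -Eq '^-A POSTROUTING .*-j MASQUERADE'
}

# Count the rx queues under queue directory DIR whose rps_cpus mask is still all zeros.
queues_without_rps() {
    n=0
    for f in "$1"/rx-*/rps_cpus; do
        [ -e "$f" ] || continue
        [ -n "$(tr -d ',0\n' <"$f")" ] || n=$((n + 1))
    done
    echo "$n"
}

# Live checks against the values the two scripts are expected to have set.
verify_gateway() {
    rc=0
    value_is /proc/sys/net/ipv4/ip_forward 1                  || { echo "FAIL ip_forward";     rc=1; }
    sysctl_enables_forwarding /etc/sysctl.conf                || { echo "FAIL sysctl persist"; rc=1; }
    iptables -t nat -S POSTROUTING | has_masquerade_rule      || { echo "FAIL masquerade";     rc=1; }
    value_is /proc/sys/net/netfilter/nf_conntrack_max 1048576 || { echo "FAIL conntrack_max";  rc=1; }
    value_is /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established 10800 \
                                                              || { echo "FAIL tcp_timeout";    rc=1; }
    for q in /sys/class/net/eth*/queues; do
        [ -d "$q" ] || continue
        n=$(queues_without_rps "$q")
        # set_rps.sh deliberately skips NICs with as many queues as CPUs, so only report.
        [ "$n" -eq 0 ] || echo "note: $n queue(s) under $q have no RPS mask"
    done
    [ "$rc" -eq 0 ] && echo "all gateway settings present"
    return "$rc"
}

case "${1:-}" in --live) verify_gateway ;; esac
```

The reachability test from the Intranet side is separate: from a cloud server without a public IP, fetch any public URL (for example with curl) and confirm it succeeds once this script reports all settings present.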