架設VPN服務器,需要在iptables防火牆上配置路由表,而阿里雲主機的經典網絡與專有網絡,他們的網絡架構有所區別,經典網絡有兩塊獨立網卡,一塊eth0對應內網IP,一塊eth1對應外網IP;而專有網絡只有一塊內網網卡eth0。
操作系統:CentOS 6.8
案例一、專有網絡(阿里雲2015年7月以後註冊的用戶無法再選購經典網絡了)
vpn局域網IP段:192.168.1.0/24
內網網卡eth0,IP:172.31.110.186
# Generated by iptables-save v1.4.7 on Thu Mar 29 11:59:14 2018
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [1:76]
:OUTPUT ACCEPT [1:76]
#-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 172.31.110.186
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Mar 29 11:59:14 2018
# Generated by iptables-save v1.4.7 on Thu Mar 29 11:59:14 2018
*filter
:INPUT ACCEPT [152:6080]
:FORWARD ACCEPT [14029:9330839]
:OUTPUT ACCEPT [38128:23732563]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1:11211 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
COMMIT
關鍵看SNAT,即vpn網段出去的路由:
#-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 172.31.110.186-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE這兩行任意一行生效即可,第一行是靜態綁定網卡和IP,第二行是綁定網卡,IP隨便怎麼變都是指向這塊網卡,相比而言第二行更省事;
案例二、經典網絡
vpn局域網IP段:192.168.1.0/24
外網網卡eth1,IP:47.91.xx.xx
# Generated by iptables-save v1.4.7 on Wed Mar 28 15:56:32 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1:11211 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
COMMIT
# Completed on Wed Mar 28 15:56:32 2018
# Generated by iptables-save v1.4.7 on Wed Mar 28 15:56:32 2018
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to-source 47.91.xx.xx
COMMIT
# Completed on Wed Mar 28 15:56:32 2018