Problem description
On Google Compute Engine we have machines which do not have public IPs (because a quota limits the number of machines that can have public IP addresses). We need these non-public-IP machines to access data from Google Storage buckets which appears to mean that we have to route to the Internet. But we can't get to anything outside of our network from these non-public-IP machines. All packets drop.
We've found some documentation https://developers.google.com/compute/docs/networking#routing that describes setting up routing from machines that do not have public IP addresses to one that does.
We tried creating a machine "proxy" that has ip-forwarding turned on and has firewall rules that allow http and https (I don't think this detail matters, but we did it). We created a network "nat" that has a 0.0.0.0/0 forward to "proxy" rule. Our hope was that data from the non-public-IP machine on the "nat" network would forward their packets to "proxy" and then "proxy" would act as a gateway to the Internet somehow, but this does not work.
I suspect that we have to do some kind of routing instruction on "proxy" that we aren't doing that tells proxy to forward to the Google Internet gateway, but I'm not sure what this should be. Perhaps a rule in iptables? Or some sort of NAT program?
You may be able to use iptables NAT to get it working. On the proxy instance (as root):
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
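The three commands above turn the proxy into a NAT gateway for every packet that reaches it. The script below is an added example (not code from the question or the answer) that builds a narrower ruleset: masquerading only for the private subnet, a default DROP policy on FORWARD so the gateway never relays unsolicited traffic from the Internet into the private network, and an explicit allow for established/related return traffic. It assumes the private subnet is 10.240.0.0/16 and that the gateway has a single interface eth0 (neither value is on the page; adjust PRIV_CIDR and WAN_IF), so the restriction is by source subnet rather than by inbound interface. Run it without arguments to print the rules for review, or with --apply as root to install them.

```shell
#!/bin/sh
# Added example: restricted NAT gateway ruleset for a GCE "proxy" instance.
# Assumptions (not taken from the page): private subnet 10.240.0.0/16 and a
# single interface eth0. Override via the environment if yours differ.
PRIV_CIDR="${PRIV_CIDR:-10.240.0.0/16}"
WAN_IF="${WAN_IF:-eth0}"

# Emit the iptables commands instead of running them, so the ruleset can be
# reviewed before apply_nat_rules installs it.
nat_rules() {
  cidr="$1"
  wan="$2"
  cat <<EOF
iptables --table nat --append POSTROUTING --source $cidr --out-interface $wan -j MASQUERADE
iptables --policy FORWARD DROP
iptables --append FORWARD --match conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables --append FORWARD --source $cidr --out-interface $wan -j ACCEPT
EOF
}

# The sysctl line that makes the setting survive a reboot when placed in
# /etc/sysctl.conf (the answer's echo into /proc only lasts until reboot).
forwarding_sysctl() {
  printf 'net.ipv4.ip_forward = 1\n'
}

# Install the rules and enable forwarding. Must run as root; stops at the
# first failing command because the generated lines run under "sh -e".
apply_nat_rules() {
  nat_rules "$PRIV_CIDR" "$WAN_IF" | sh -e && sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
  --apply) apply_nat_rules ;;
  *) nat_rules "$PRIV_CIDR" "$WAN_IF" ;;
esac
```

The --source restriction matters because any host able to send packets to the gateway would otherwise be masqueraded out to the Internet under the gateway's public address; the DROP policy plus the conntrack rule means only replies to connections the private machines opened come back through.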