Why am I not able to access the internet via this NAT instance?

Thread starter: dipea (Guest)
I have an EC2 instance at 10.0.3.22 within a private subnet.

I have another EC2 instance in a public subnet, which I'm trying to use as a NAT instance (to save costs over an AWS-provided NAT gateway). For the most part, I have followed this guide.

The NAT instance has the following user data, using the MIME multi-part format documented here.

Code:
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#! /bin/bash
yum install iptables-services -y
systemctl enable iptables
systemctl start iptables

sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
--//--

I am able to SSH into the NAT instance, and confirm that I can access the internet from there (using ping ietf.org). From that SSH session, I can SSH into the instance in the private subnet at 10.0.3.22, but from here I cannot access the internet:

Code:
[ec2-user@ip-10-0-3-22 ~]$ ping ietf.org
PING ietf.org (50.223.129.194) 56(84) bytes of data.
From ip-10-0-4-248.eu-west-1.compute.internal (10.0.4.248) icmp_seq=1 Destination Host Prohibited

Why might this not be working?

The route table for the private subnet (where eni-0a3... is the network interface of the NAT EC2 instance):

[screenshot: route table for private subnet]

And the route table for the public subnet containing the NAT EC2 instance:

[screenshot: route table for public subnet]

I have disabled the Source/Destination check on the NAT EC2 instance.

Security group for the instance in the private subnet:

[screenshot: security group for the private-subnet instance]

Security group for the NAT instance:

[screenshot: security group for the NAT instance]
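The check a defender would run next on the NAT instance, as an added example that is not part of the question: it audits an `iptables-save` dump for the two iptables conditions a NAT instance needs (a MASQUERADE rule and a FORWARD chain that accepts new flows from the private subnet). `SAMPLE_DUMP` is a constructed dump mirroring the default filter table that the iptables-services package installs, whose FORWARD chain ends in `REJECT --reject-with icmp-host-prohibited` (the ICMP error the private instance is receiving from the NAT's own address); `FIXED_DUMP` and the `10.0.3.0/24` private CIDR are assumptions.

```shell
# Added audit, not part of the question. SAMPLE_DUMP is a constructed iptables-save
# dump: the default iptables-services filter table plus the question's MASQUERADE rule.
SAMPLE_DUMP='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed dump that also lets new flows from the (assumed) private subnet through.
FIXED_DUMP='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.3.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Prints "ok" if nat/POSTROUTING has a MASQUERADE rule, otherwise "missing".
nat_masquerade_status() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A POSTROUTING / && /-j MASQUERADE/ { found = 1 }
        END { print (found ? "ok" : "missing") }'
}

# Walks filter/FORWARD in order for new flows from source CIDR $2 and prints "ok"
# on the first ACCEPT that covers them, the REJECT/DROP rule that stops them first,
# or "policy DROP" when no rule decides and the chain policy drops the packet.
forward_chain_status() {
    printf '%s\n' "$1" | awk -v src="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:FORWARD / { policy = $2 }
        done || table != "filter" || !/^-A FORWARD / { next }
        /-j ACCEPT/ && (index($0, "-s " src " ") || $0 !~ /-s /) &&
            (!/--(ct)?state/ || /--(ct)?state [A-Z,]*NEW/) { verdict = "ok"; done = 1 }
        /-j (REJECT|DROP)/ { verdict = $0; done = 1 }
        END { if (verdict) print verdict; else print (policy == "DROP" ? "policy DROP" : "ok") }'
}

# On the real NAT instance pass "$(iptables-save)" and also confirm that
# `sysctl -n net.ipv4.ip_forward` prints 1.
printf 'masquerade: %s\nforward:    %s\n' "$(nat_masquerade_status "$SAMPLE_DUMP")" \
    "$(forward_chain_status "$SAMPLE_DUMP" 10.0.3.0/24)"
```

For `SAMPLE_DUMP` the forward check prints the REJECT rule itself, which is the rule a `Destination Host Prohibited` reply from the NAT instance points at; for `FIXED_DUMP` it prints `ok`.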