
How can we get the Apache instance in a private subnet to work?

Configuration
Public subnet with 1 NAT instance
Private subnet with 1 App instance

Details
1. Masquerading is turned on on the NAT instance via

    iptables -t nat -A POSTROUTING -j MASQUERADE

2. PREROUTING is enabled via

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.10.102:80

3. Port forwarding is enabled in /proc/sys/net/ipv4/ip_forward
4. Security group for both NAT & App (Would never keep these in production but purely to show all ports are open)

    Inbound All Traffic 0.0.0.0/0
    Outbound All Traffic 0.0.0.0/0

5. Network ACLs

    Inbound All Ports 0.0.0.0/0
    Outbound All Ports 0.0.0.0/0

6. Ping & wget work for external requests

    ping google.com
    wget google.com

7. Apache is listening on the App instance in the private subnet.

    netstat -tulpn
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp6       0      0 :::80                   :::*                    LISTEN      -

Apache Traffic
Public requests to the Apache server on the private subnet do not work.

    wget http://127.0.0.1/index.html   => success
    # public IP requests
    wget http://xxx.x.x.x/index.html   => failure
    Connecting to xxx.x.x.x:80...      => hangs

From the NAT host terminal

    sudo tcpdump -i any -n port 80
    sudo: unable to resolve host ip-10-0-0-71
    15:22:17.668089 IP 10.0.10.102.54033 > X.X.X.X.80: Flags [S], seq 848018267, win 26883, options [mss 8961,sackOK,TS val 19553465 ecr 0,nop,wscale 7], length 0
    15:22:17.668111 IP 10.0.0.71.54033 > X.X.X.X.80: Flags [S], seq 848018267, win 26883, options [mss 8961,sackOK,TS val 19553465 ecr 0,nop,wscale 7], length 0

What do we need to do so Apache will work from the private subnet?

csi
  • Is this AWS? If so, did you verify that forwarding is enabled in the kernel and that source/destination checking is disabled? – EEAA Oct 02 '14 at 17:56
  • Are you masquerading on the NAT instance? This post might be useful http://serverfault.com/questions/570386/aws-vpc-iptables-nat-port-forwarding-is-not-working – Andrew Oct 02 '14 at 19:08
  • @EEAA yes this is AWS. Source/destination checking is disabled. Forwarding is enabled in /proc/sys/net/ipv4/ip_forward. Is there somewhere else to check on the forwarding? – csi Oct 03 '14 at 00:35
  • @Andrew `iptables -t nat -A POSTROUTING -j MASQUERADE`. Ping does not work. wget does though. – csi Oct 03 '14 at 01:26
  • Correction: ping does work to external network -> ping google.com. Ping fails to network public ip -> ping X.X.X.X fails – csi Oct 08 '14 at 15:46
  • Is Apache listening on eth0? – Marcel Oct 08 '14 at 17:07
  • On the App instance in the private subnet, Apache is listening on port 80. It is not listening on the NAT instance. I don't believe it should be, correct? – csi Oct 08 '14 at 17:32
  • Do you have the needed rules on the NAT device in the filter table's FORWARD chain and the nat table's PREROUTING chain? – Mark Wagner Oct 08 '14 at 18:40
  • I will add above but this rule is enabled. `iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.10.102:80`. Can you explain more about the FORWARD rule or anything that may be wrong with the PREROUTING given? – csi Oct 09 '14 at 00:48
  • @MarkWagner Thank you. Please submit an answer with FORWARD chain so I can award the bounty. My default rules were to DROP forwarded traffic. – csi Oct 09 '14 at 01:22
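The setup from steps 1 to 3 of the question, together with the filter-table FORWARD rules that the comments from Mark Wagner and csi identify as the missing piece (a default DROP policy on FORWARD discards the DNATed SYN after PREROUTING has rewritten it, which produces the "Connecting to xxx.x.x.x:80... hangs" symptom), as an added example that is not part of the original question or any answer. It assumes the backend address 10.0.10.102 and port 80 given in the question; the function names, the `IPT` and `IP_FORWARD_FILE` override variables, and the `iptables -S FORWARD` listings used for the check are my own constructions.

```shell
#!/bin/sh
# Added example: DNAT port forwarding through a NAT instance, including the
# filter-table FORWARD rules that a default DROP policy otherwise blocks.
# Assumptions: backend 10.0.10.102:80 as in the question; IPT and
# IP_FORWARD_FILE are hypothetical override knobs for dry runs and tests.
IPT="${IPT:-iptables}"

# Returns 0 when the kernel has IPv4 forwarding switched on
# (the /proc/sys/net/ipv4/ip_forward setting from step 3).
ip_forwarding_enabled() {
    f="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# configure_port_forward <backend_ip> <port>
# 1. nat/PREROUTING: rewrite the destination of inbound tcp/<port> to the backend
# 2. nat/POSTROUTING: masquerade so the backend's replies return via this host
# 3. filter/FORWARD: accept the DNATed connection and every established flow.
#    Without step 3 the SYN is rewritten and then dropped by a DROP policy,
#    so the client never sees a SYN-ACK and wget hangs in "Connecting to".
configure_port_forward() {
    backend="$1"; port="$2"
    ip_forwarding_enabled || echo "warning: net.ipv4.ip_forward is not 1" >&2
    $IPT -t nat -A PREROUTING -p tcp --dport "$port" -j DNAT --to-destination "$backend:$port"
    $IPT -t nat -A POSTROUTING -j MASQUERADE
    $IPT -A FORWARD -p tcp -d "$backend" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# forward_chain_allows <backend_ip> <port>
# Reads an `iptables -S FORWARD` listing on stdin and returns 0 if a new
# connection to backend:port will pass the chain: either the chain policy is
# ACCEPT, or an explicit ACCEPT rule for that destination and port exists.
forward_chain_allows() {
    backend="$1"; port="$2"
    listing=$(cat)
    if printf '%s\n' "$listing" | grep -q '^-P FORWARD ACCEPT'; then
        return 0
    fi
    printf '%s\n' "$listing" | grep -- '^-A FORWARD' | grep -- '-j ACCEPT' \
        | grep -F -- "-d $backend" | grep -Eq -- "--dport $port( |$)"
}

# Usage:
#   IPT=echo sh nat-forward.sh 10.0.10.102 80   # dry run: prints the rules
#   sudo sh nat-forward.sh 10.0.10.102 80       # applies them
#   . ./nat-forward.sh; iptables -S FORWARD | forward_chain_allows 10.0.10.102 80
if [ "$#" -eq 2 ]; then
    configure_port_forward "$1" "$2"
fi
```

Running `forward_chain_allows` against the live `iptables -S FORWARD` output is the quick check for the situation in the comments: with `-P FORWARD DROP` and no explicit ACCEPT for the backend, it returns non-zero, which is the state csi describes as "my default rules were to DROP forwarded traffic".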

0 Answers