
My brain is a little bit fried trying to figure this out, but I can't seem to get private subnets to connect to the internet to grab updates, for example. Basically all I want is web access for these servers. I have tried solutions found in other posts but could easily be missing something since I have been looking at this for quite a while.

So far I have done the following set up:

  • Disable source/destination checking on my NAT instance
  • Create a route table for public subnet and set its source to IGW (verified this works)
  • Create a route table for private subnet and set its source to the NAT instance
  • Create security group for NAT instance with inbound and outbound rules for 80/443 and ssh
  • Create security group for private instance with inbound and outbound 80/443 and ssh

I am able to jump on the NAT instance via SSH and then pivot onto the private server, so I know that much is working. I have verified my rules by pinging internal addresses but when I leave the local network that is when I start having problems.

Where do I need to look or what do I need to troubleshoot to help get this narrowed down? Is there some configuration that needs to be done on the NAT instance that I have overlooked?

EDIT: Configuration update

  • VPC: 172.16.0.0/16
  • Private subnet: 172.16.1.0/24
  • Public subnet: 172.16.0.0/24

Private subnet routing table:

Points to the NAT instance in the public subnet. Unable to access the internet; attached an EIP to the public internet-facing interface.

Public subnet routing table:

Points the public subnet at the IGW; I have verified internet access.

Thoughts:

I'm starting to think there is something that needs to be set up or created on the NAT instance that lives in the public subnet to forward traffic from private instances, but I'm not exactly sure what needs to be added. I found this post that explains adding a masquerade rule in iptables; is that something that applies to my situation?

  • What subnet is your NAT in? Is it in a public subnet? Can you post some screenshots of your route tables? – Matt Houser Nov 25 '14 at 14:14
  • I don't think so. His initial post can mean just anything, considering that the task is simple and he gave absolutely no info about his topology. – drookie Nov 25 '14 at 14:16
  • @drookie what information do I need to add to make it more clear? – jmreicha Nov 25 '14 at 15:30
  • @MattHouser I will update the original question with subnets and routes. Thanks. – jmreicha Nov 25 '14 at 15:31
  • You are describing your network in some peculiar way that prevents people from understanding, from my point of view. Try to describe it in terms "I have network devices that are attached to the network" (though this part seems evident) and "I have a router that runs <...>". The tables you are posting here just add more questions. How many devices do you have? What are those routing tables? Do the client devices share one table? Does the router have two FIBs, or does it have one? – drookie Nov 25 '14 at 16:35
  • The irony is, your original post probably has a simple answer: your NAT instance is misconfigured. But to understand this, some information is needed. And things become complicated as you start to describe them. – drookie Nov 25 '14 at 16:39

3 Answers

Yes, you must have iptables masquerading set up on the NAT host.

iptables -A POSTROUTING -t nat -s (private-subnet/cidr) -j MASQUERADE

We have the same setup; you've done everything else correctly (disable source check, point the private subnet to the interface of the NAT instance, point the public subnet to the IGW).

  • What is the DNAT rule doing? Everything seems to work with masquerading, but it looks like DNAT is important? Everything is working so far, thanks! – jmreicha Nov 25 '14 at 21:45
  • Masquerading is saying 'let traffic from the private subnet go to the internet as if from me' and the DNAT is saying 'traffic arriving from the internet to my port 80 should go to the private subnet machine's port 80'.... – Sirex Nov 25 '14 at 21:55
  • And rereading your question, that wasn't what you wanted! Yeah, don't do that. I thought your question was saying you wanted port 80 redirected (which would be odd as it's a private subnet machine, but I chalked that up as a weird requirement), but it's actually saying that's just something you tried in efforts to get them online (which won't work, as it actually does a function as per my previous comment). Yeah, you won't need port 80 or 443 open in the security groups of either subnet or instance inbound-wise, as you're not *hosting* a website, you just want net access. – Sirex Nov 25 '14 at 21:57
  • Thanks for clearing that up, I'll clean up the question so it's not confusing if anybody else runs across this. Thanks again! – jmreicha Nov 25 '14 at 22:44
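The two things the answer above relies on are IP forwarding being enabled in the kernel and the MASQUERADE rule being present for the private CIDR. The following check script is an added example, not code from the thread or from AWS; it takes captured command output as text so it can be run against a saved dump, assumes the question's private subnet 172.16.1.0/24 and uses eth0 as an assumed public interface name in its hint text.

```shell
#!/bin/sh
# Added example, not code from the thread: offline checks for a roll-your-own
# Linux NAT instance. Both checks take captured command output as text, so they
# run without root against a saved dump (and in a test).
# Assumptions: private subnet 172.16.1.0/24 (from the question); the public
# interface is called eth0 (assumed name, only used in the hint text).

# ip_forward_ok VALUE -- VALUE is the contents of /proc/sys/net/ipv4/ip_forward.
# With forwarding off the kernel drops transit packets before NAT can rewrite them.
ip_forward_ok() {
  [ "$1" = "1" ]
}

# masquerade_rule_ok RULES CIDR -- RULES is the output of
# `iptables -t nat -S POSTROUTING`; succeeds when a rule whose source matches
# CIDR has target MASQUERADE.
masquerade_rule_ok() {
  printf '%s\n' "$1" | grep -Eq "^-A POSTROUTING .*-s $2 .*-j MASQUERADE$"
}

# nat_config_ok FORWARD_VALUE RULES CIDR -- prints one line per check and
# returns non-zero if anything is missing.
nat_config_ok() {
  status=0
  if ip_forward_ok "$1"; then
    echo "ok:   net.ipv4.ip_forward = 1"
  else
    echo "FAIL: ip_forward is off (fix: sysctl -w net.ipv4.ip_forward=1)"
    status=1
  fi
  if masquerade_rule_ok "$2" "$3"; then
    echo "ok:   MASQUERADE rule for $3 in nat POSTROUTING"
  else
    echo "FAIL: no MASQUERADE rule for $3" \
         "(fix: iptables -t nat -A POSTROUTING -s $3 -o eth0 -j MASQUERADE)"
    status=1
  fi
  return $status
}

# Constructed sample captures (what a correctly configured host would print):
SAMPLE_FORWARD="1"
SAMPLE_RULES="-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE"

# Stand-alone run against the samples; on a real NAT host (as root) use:
#   nat_config_ok "$(cat /proc/sys/net/ipv4/ip_forward)" \
#                 "$(iptables -t nat -S POSTROUTING)" 172.16.1.0/24
nat_config_ok "$SAMPLE_FORWARD" "$SAMPLE_RULES" 172.16.1.0/24
```

Note that these checks only cover the host itself; the source/destination check on the instance and the route table entries still have to be verified in the AWS console as described in the question.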

Just stumbled across this having a similar problem. Assuming you used the wizard to create the NAT instance, the masquerade rule mentioned above would already be there - this is only something you need to add if you're going to "roll your own" NAT instance. (I usually do that so I can double-up on this and also make it an OpenSWAN L2TP/IPSec remote user VPN server).

What I had forgotten to add since the last time I created one of these, were rules which allow all traffic (or at least what you want to allow) from all private security groups or subnets which will route traffic via the NAT instance. The NAT instance will not accept such outbound traffic without rules to allow it - don't just think about what's coming in from the Internet to get to it. Not sure if that's your issue, as you did mention adding 22/80/443 to your NAT security group, but thought I'd suggest this for others who might have a similar problem.


I battled with this for a while, until I found this:

Then, launch an instance into your public subnet from an AMI that's been configured to run as a NAT instance. Amazon provides Amazon Linux AMIs that are configured to run as NAT instances. These AMIs include the string amzn-ami-vpc-nat in their names, so you can search for them in the Amazon EC2 console.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#NATInstance

I had set up the NAT server as my own standard (Ubuntu) instance; once I used the Amazon Linux AMI and updated my routing tables it started working.
