I'm trying to prototype something in AWS VPC/EC2, but I can't get my NAT rules to work. I have the following setup (all instances running the Amazon Linux AMI):
- GRE Tunnel between instances 10.0.0.10 and 10.1.0.10
- instance 10.0.0.10 is using 10.0.1.20 as a gateway to 10.1.0.10
- I want 10.0.1.20 to masquerade traffic from 10.0.0.10
NAT-ing seems to work as expected for everything but GRE traffic:
10.0.0.10] ping -c 1 10.1.0.10
On the gateway (10.0.1.20) tcpdump reveals that this is being NAT'd as expected:
10.0.1.20] tcpdump -i eth0
IP 10.0.0.10 > 10.1.0.10: ICMP echo request, id 30493, seq 1, length 64
IP 10.0.1.20 > 10.1.0.10: ICMP echo request, id 30493, seq 1, length 64
However, if I ping inside the GRE tunnel, the traffic is forwarded with no NAT-ing done:
10.0.0.10] ping -c 1 10.2.0.10 # 10.2/16 is routed through the GRE tunnel
------
10.0.1.20] tcpdump -i eth0
IP 10.0.0.10 > 10.1.0.10: GREv0, length 88: IP 10.0.0.10 > 10.2.0.10: ICMP echo request, id 30237, seq 1, length 64
IP 10.0.0.10 > 10.1.0.10: GREv0, length 88: IP 10.0.0.10 > 10.2.0.10: ICMP echo request, id 30237, seq 1, length 64
My iptable rules are extremely simple; just a single NAT POSTROUTING rule:
10.0.1.20] sudo iptables -v -t nat -L POSTROUTING
Chain POSTROUTING (policy ACCEPT 6 packets, 411 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any any 10.0.0.10 10.1.0.10
Looking at the iptables packet counters, when I ping outside the GRE tunnel, I can see the NAT pre/post-routing counters increment along with the filter table's forward counter. When I ping through the GRE tunnel, I only see the filter forward counter increment. Likewise, conntrack -L shows an entry for the outside ping and no entry for the inside ping.
