AWS NAT instance doesn't route to the internet

0

I have a VPC with two subnets: one is public to the internet (10.20.7.0/24), one is private (10.20.8.0/24). In the public subnet, I have a machine created from the AWS community NAT AMI; in the private subnet, I have a RHEL instance for some testing. The IPs of the NAT and RHEL machines are as below:

NAT: 10.20.7.100

RHEL server: 10.20.8.100

When I try to telnet to one of my company's web servers on port 80 from the RHEL server, it always shows "connection refused, unable to connect to remote host".

Here are my NAT server settings:

[ec2-user@ip-10-20-7-100 ~]$ sudo iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 9 packets, 460 bytes)
pkts bytes target     prot opt in     out     source               destination
1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.20.8.100

Chain INPUT (policy ACCEPT 9 packets, 460 bytes)
pkts bytes target     prot opt in     out     source               destination


Chain OUTPUT (policy ACCEPT 9 packets, 640 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
100  6551 MASQUERADE  all  --  *      eth0    10.20.0.0/16         0.0.0.0/0

The iptables service is on:

[ec2-user@ip-10-20-7-100 ~]$ chkconfig --list | grep iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off

Is anything missing on the NAT server, the private RHEL server, or the AWS settings? Kindly advise!

user2302406

Posted 2016-06-10T17:46:23.787

Reputation: 1

Answers

1

Are you trying to telnet to one of your company's web servers on the public subnet or on the Internet/corporate network?

If you are trying to telnet to an instance (your web server) within the same VPC and the same subnet:

  • If the security group of your VPC is not the default, you need to add a rule to allow that security group (the default security group has this rule by default).

  • Make sure you disable source/destination check.

  • Make sure the routing table for the private subnet has the NAT instance as a default route.

  • Make sure your ACLs are allowing the needed traffic. Check "Recommended Network ACL Rules for Your VPC".

Algeriassic

Posted 2016-06-10T17:46:23.787

Reputation: 723

Hi Algeriassic, I have created a non-default VPC for this testing. I also disabled the source/destination check on the NAT instance; the security group and network ACL allow all traffic, and I have set the NAT instance as the default route on the private subnet, but it seems I cannot use our RHEL server in the private subnet to telnet to our company's internet web server through the NAT instance... – user2302406 – 2016-06-11T00:14:23.823

If your security-group ID is sg-0126a56b, you need an inbound rule like: ALL Traffic ALL ALL sg-0126a56b.

Are you able to SSH to your NAT instance? If so, are you telnetting from the NAT instance or from the other instance on the private subnet?

Was your NAT instance created from the Amazon NAT AMI, or did you just create a regular Linux instance that you want to use as a NAT instance? If so, you need to activate IP forwarding using: echo 1 > /proc/sys/net/ipv4/ip_forward – Algeriassic – 2016-06-15T16:17:10.603

Thank you all for helping. I solved the problem with the main route table in the VPC; I am not sure whether that was the key point in the main route table, but anyway, thanks for your help! – user2302406 – 2016-06-17T04:28:30.490
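As an added example (not from the thread or from AWS), a small POSIX sh audit over the NAT table dump the question posted, re-typed here as a constructed sample: it checks for the MASQUERADE rule, for IPv4 forwarding (the point raised in the last answer comment), and flags the catch-all PREROUTING DNAT rule in the dump, which has no in-interface or source restriction and therefore also rewrites port-80 traffic that the private subnet forwards through the NAT to 10.20.8.100. The interface name eth0 and the /proc path are assumptions for a single-ENI instance.

```shell
#!/bin/sh
# Audit of a Linux NAT instance's iptables NAT table (added example, not from the thread).
# Constructed sample: the dump posted in the question, trimmed to the two chains with rules.
SAMPLE_NAT_DUMP='Chain PREROUTING (policy ACCEPT 9 packets, 460 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.20.8.100

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  6551 MASQUERADE  all  --  *      eth0    10.20.0.0/16         0.0.0.0/0'

# has_masquerade DUMP IFACE SRC: succeeds if POSTROUTING masquerades SRC out of IFACE,
# the rule that lets private-subnet hosts reach the Internet through the NAT instance.
has_masquerade() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v src="$3" '
        /^Chain / { chain = $2 }
        chain == "POSTROUTING" && $3 == "MASQUERADE" && $7 == ifc && $8 == src { found = 1 }
        END { exit found ? 0 : 1 }'
}

# catchall_dnat_count DUMP: prints how many PREROUTING DNAT rules match any in-interface
# ("*") and any source (0.0.0.0/0). Such a rule rewrites not only inbound connections to
# the NAT but also traffic being forwarded from the private subnet, e.g. every port-80
# connection the RHEL server sends out gets redirected to 10.20.8.100 (itself).
catchall_dnat_count() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2 }
        chain == "PREROUTING" && $3 == "DNAT" && $6 == "*" && $8 == "0.0.0.0/0" { n++ }
        END { print n + 0 }'
}

# ip_forward_enabled [FILE]: succeeds if the kernel forwards IPv4 (FILE overrides /proc for tests).
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# audit_nat DUMP [IP_FORWARD_FILE]: prints findings; always exits 0.
audit_nat() {
    if has_masquerade "$1" eth0 10.20.0.0/16; then echo "ok: MASQUERADE 10.20.0.0/16 via eth0"
    else echo "MISSING: no MASQUERADE rule for 10.20.0.0/16 out eth0"; fi
    n=$(catchall_dnat_count "$1")
    [ "$n" -gt 0 ] && echo "WARN: $n catch-all PREROUTING DNAT rule(s); add '! -s 10.20.0.0/16' so forwarded traffic is left alone"
    if ip_forward_enabled "$2"; then echo "ok: ip_forward=1"; else echo "WARN: ip_forward is not 1"; fi
    return 0
}

audit_nat "$SAMPLE_NAT_DUMP"
# On the NAT instance itself: audit_nat "$(sudo iptables -t nat -L -nv)"
```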