Amazon AWS VPC IPTables and NAT route port

Posted on Wednesday, December 12, 2012




This guide assumes you already have a VPC set up with a NAT instance acting as the gateway for a private subnet.

In this example I want to port forward port 2222 from the NAT to port 22 on an instance in the private subnet.

Something like this

SSH into NAT


To accomplish this I am going to use iptables from within my NAT instance.

My NAT instance has Elastic IP 107.23.145.253

SSH to it


              > ssh -i .ec2/pats-keypair.pem ec2-user@107.23.145.253


The private server is at 10.0.1.30; the internal IP of the NAT is 10.0.0.25.

Run the following command to add an iptables NAT rule that forwards port 2222 on the NAT to port 22 on the private server:


              >  sudo iptables -t nat -I PREROUTING -d 10.0.0.25 -p tcp --dport 2222 -j DNAT --to 10.0.1.30:22
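The one-liner above is enough to test with, but on a real NAT instance you usually want the rule to be idempotent, limited to the addresses that should reach it, and still there after a reboot. The script below is an added example and is not from the original post or the NAT AMI: it renders the same DNAT rule, checks with `-C` before inserting so repeated runs do not stack duplicates, confirms IP forwarding is on, and saves the ruleset. The addresses and ports are the post's; `ADMIN_CIDR` (a TEST-NET-3 placeholder) and the save path are assumptions you should replace.

```shell
#!/bin/sh
# Added example, not from the original post: apply the post's DNAT rule
# idempotently, restrict it to an admin source range, make sure the kernel
# forwards packets, and persist the ruleset across reboots.
# Addresses/ports are the post's; ADMIN_CIDR and SAVE_FILE are assumptions.
# Run as root on the NAT instance:   sh nat-forward.sh apply
# Run without arguments to just print the rule that would be inserted.

NAT_PRIVATE_IP="${NAT_PRIVATE_IP:-10.0.0.25}"   # NAT's internal IP (from the post)
TARGET_IP="${TARGET_IP:-10.0.1.30}"             # private-subnet instance (from the post)
PUBLIC_PORT="${PUBLIC_PORT:-2222}"
TARGET_PORT="${TARGET_PORT:-22}"
# Assumed placeholder (TEST-NET-3): replace with the office/VPN range that should
# reach the forwarded port, and use the same range in the NAT security group's
# inbound rule for TCP 2222 rather than opening it to 0.0.0.0/0.
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"
SAVE_FILE="${SAVE_FILE:-/etc/sysconfig/iptables}"  # Amazon Linux / RHEL style path (assumption)

# Render "<chain> <match> -j DNAT ..." once so the check (-C) and the insert (-I)
# see exactly the same rule spec. Args: nat_ip public_port target_ip target_port admin_cidr
dnat_rule() {
    printf 'PREROUTING -d %s -s %s -p tcp --dport %s -j DNAT --to-destination %s:%s' \
        "$1" "$5" "$2" "$3" "$4"
}

# DNAT only rewrites the destination; the kernel must also forward the packet
# on towards the private subnet. The NAT AMI enables this, a stock image may not.
ensure_forwarding() {
    if [ "$(cat /proc/sys/net/ipv4/ip_forward)" != "1" ]; then
        sysctl -w net.ipv4.ip_forward=1
    fi
}

apply_rule() {
    spec=$(dnat_rule "$NAT_PRIVATE_IP" "$PUBLIC_PORT" "$TARGET_IP" "$TARGET_PORT" "$ADMIN_CIDR")
    # $spec is left unquoted on purpose: it must split into separate iptables arguments.
    if iptables -t nat -C $spec 2>/dev/null; then
        echo "DNAT rule already present, not inserting a duplicate"
    else
        iptables -t nat -I $spec
    fi
}

# Rules live only in kernel memory; write them out where the init scripts
# reload them at boot, otherwise the forward silently disappears on restart.
persist_rules() {
    iptables-save > "$SAVE_FILE"
}

show_rules() {
    # The packet/byte counters show whether the rule is actually being hit.
    iptables -t nat -L PREROUTING -n -v --line-numbers
}

case "${1:-show}" in
    apply) ensure_forwarding; apply_rule; persist_rules; show_rules ;;
    *)     echo "would run: iptables -t nat -I $(dnat_rule "$NAT_PRIVATE_IP" "$PUBLIC_PORT" "$TARGET_IP" "$TARGET_PORT" "$ADMIN_CIDR")" ;;
esac
```

Because the rule matches on `-d 10.0.0.25` (the NAT's private address, which is what the Elastic IP is translated to before the packet reaches the instance), it will not fire for traffic arriving on any other interface address; check the counters from `show_rules` if the connection hangs.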


Update security group for NAT
From the VPC console click on Security Groups, then choose the security group associated with your NAT; in my case it's the default (or you could create a new security group and associate it).
Click on the Inbound tab. Select Custom TCP Rule. Enter 2222 and click Add Rule.
Click Apply Rule Changes.

Make sure port 2222 has been added. (I had an issue with this; not sure why, as I did hit Apply Rule Changes.)
From outside, SSH to the NAT's Elastic IP on port 2222; the connection is forwarded to the instance in the private subnet.
              >  ssh -i .ec2/pats-keypair.pem -p 2222 ubuntu@107.23.145.253
That worked.

Run


              >   ifconfig -a
Yep, this is the correct machine; it has internal IP address 10.0.1.30.


3 comments:

  1. Great, now how do you save it so it doesn't get cleared on reboot?

  3. @Richard Rowlands: look here - http://serverfault.com/questions/528661/how-to-persist-iptables-configuration-on-amazon-ec2-vpc-nat-ami
