Configuring Custom NAT Instance in AWS VPC: Ubuntu IP Forwarding and Routing Setup


When creating a custom NAT instance in AWS VPC, there are several critical components that need proper configuration:

# Enable IP forwarding (required for NAT)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Make it persistent across reboots
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p

Your Ubuntu NAT instance should have two network interfaces:

  • eth0: Public interface with Elastic IP
  • eth1: Private interface for VPC communication

The MASQUERADE rule you attempted needs adjustment:

# Clear existing NAT rules
iptables -t nat -F
iptables -t nat -X

# Set up NAT: rewrite the source of traffic as it leaves the public interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Forward nothing that the two rules below do not explicitly allow
iptables -P FORWARD DROP
# Return traffic (public -> private) only for flows the private side opened
iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# New connections only from the private side towards the public side
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

The route commands you used need modification:

# On NAT instance (10.200.0.51): the next hop for the private subnet is the VPC
# router of the subnet eth1 sits in (the first usable address, here 10.200.0.1);
# the instance's own address is not a valid gateway and the kernel rejects it
ip route add 10.200.10.0/24 via 10.200.0.1 dev eth1

# On private instance (10.200.10.41): 10.200.0.51 is in a different subnet and
# cannot be a next hop. Keep the default route via the private subnet's VPC
# router (10.200.10.1) and send 0.0.0.0/0 to the NAT instance in the VPC route
# table instead; AWS forwards it there for you
ip route replace default via 10.200.10.1 dev eth0

Don't forget these AWS-specific settings:

  1. Disable Source/Destination Check on NAT instance
  2. Proper security group rules for both inbound and outbound traffic
  3. Route table updates in VPC configuration

Use these commands to diagnose connectivity problems:

# Check NAT translation
sudo iptables -t nat -L -n -v

# Verify routing
ip route show table main

# Test connectivity
traceroute 8.8.8.8
tcptraceroute 8.8.8.8 53

For complex setups, consider using network namespaces:

# Create namespace
ip netns add nat-ns

# Move interface to namespace. Rules inside nat-ns can only match interfaces
# that live there, so every interface the NAT path uses has to be moved in;
# the move also clears the interface's addresses, reassign them inside nat-ns
ip link set eth1 netns nat-ns
ip netns exec nat-ns ip link set eth1 up

# Forwarding is a per-namespace setting and must be enabled inside it as well
ip netns exec nat-ns sysctl -w net.ipv4.ip_forward=1

# Configure NAT inside namespace on the interface that was moved in
# (eth0 stayed in the root namespace and cannot be referenced from nat-ns)
ip netns exec nat-ns iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
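Putting the forwarding, MASQUERADE and FORWARD pieces from the answer above into one place, here is an added example (not code from the original answer) that emits the configuration as an iptables-restore ruleset plus a sysctl drop-in, with FORWARD defaulting to DROP and new connections limited to the private subnet. It is parameterised by public interface, private interface and private CIDR, so it also covers the common AWS case where the NAT instance has a single ENI and both interface arguments are eth0. The interface names, the 10.200.10.0/24 subnet and the file paths /etc/sysctl.d/99-nat.conf and /etc/iptables/rules.v4 are assumptions (the latter is where the iptables-persistent package loads rules from).

```shell
#!/bin/sh
# Added example: generate and install the NAT configuration described above.
# gen_nat_rules PUBLIC_IF PRIVATE_IF PRIVATE_CIDR -> iptables-restore ruleset on stdout.
# Pass the same interface twice when the instance has a single ENI (typical on AWS).
gen_nat_rules() {
    if [ "$#" -ne 3 ]; then
        echo "usage: gen_nat_rules PUBLIC_IF PRIVATE_IF PRIVATE_CIDR" >&2
        return 2
    fi
    pub_if=$1
    priv_if=$2
    priv_cidr=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the source of private-subnet traffic as it leaves the public interface
-A POSTROUTING -s ${priv_cidr} -o ${pub_if} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
# Nothing is forwarded unless a rule below allows it
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to flows the private side opened
-A FORWARD -i ${pub_if} -o ${priv_if} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# New connections only from the private subnet, only towards the public side
-A FORWARD -i ${priv_if} -o ${pub_if} -s ${priv_cidr} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# install_nat_config ROOT PUBLIC_IF PRIVATE_IF PRIVATE_CIDR
# Writes the sysctl drop-in and the rules file under ROOT: "" for the real host,
# or a scratch directory to inspect the result first. Paths are assumptions;
# /etc/iptables/rules.v4 is the file iptables-persistent restores at boot.
install_nat_config() {
    root=$1
    mkdir -p "${root}/etc/sysctl.d" "${root}/etc/iptables"
    printf 'net.ipv4.ip_forward = 1\n' > "${root}/etc/sysctl.d/99-nat.conf"
    gen_nat_rules "$2" "$3" "$4" > "${root}/etc/iptables/rules.v4"
}

# To activate on the host, as root, after install_nat_config "" eth0 eth0 10.200.10.0/24:
#   sysctl --system
#   iptables-restore --test < /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

The `--test` pass parses the file without loading it, which catches a typo before you replace the live ruleset on an instance you may only be able to reach through that same NAT path. Disabling the source/destination check on the instance and pointing the private subnet's route table at it are still required and are not covered by this script.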

When configuring a custom NAT instance in AWS VPC, you need to consider several architectural differences from traditional networking:

  • Source/destination checks must be disabled on the NAT instance
  • Proper security group rules must allow traffic flow
  • VPC route tables need to point private subnets to the NAT instance

# Disable source/destination checks (AWS-specific requirement)
aws ec2 modify-instance-attribute --instance-id i-1234567890abcdef0 --no-source-dest-check

# Enable IP forwarding at kernel level
echo 1 > /proc/sys/net/ipv4/ip_forward

The MASQUERADE rule you tried is correct, but needs additional context:

# Flush existing NAT rules
iptables -t nat -F

# Set up masquerade for outbound traffic leaving the public interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# A NAT instance with a single ENI receives and sends forwarded traffic on the
# same interface, so the rules below cannot tell the two sides apart by interface.
# Restrict new connections by source subnet and drop anything not explicitly allowed
iptables -P FORWARD DROP

# Allow replies to connections the private side opened
iptables -A FORWARD -i eth0 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow new outbound connections only from the private subnet
iptables -A FORWARD -i eth0 -o eth0 -s 10.200.10.0/24 -m conntrack --ctstate NEW -j ACCEPT

In the AWS VPC console, ensure your private subnet's route table has:

Destination: 0.0.0.0/0
Target: Instance ID of your NAT instance (e.g., i-1234567890abcdef0)

When private instances lose connection after routing changes:

  1. Verify security groups allow SSH/ICMP from NAT to private instances
  2. Check VPC network ACLs aren't blocking traffic
  3. Test basic connectivity:
    # From NAT instance:
    ping 10.200.10.41
    traceroute 10.200.10.41

    # From private instance:
    ping 10.200.0.51
    curl ifconfig.me

To make settings survive reboots:

# Add to /etc/sysctl.conf, then apply it with `sysctl -p`:
net.ipv4.ip_forward=1

# Save iptables rules (Ubuntu); they are written to /etc/iptables/rules.v4 and
# reloaded at boot by the netfilter-persistent service:
apt-get install iptables-persistent
netfilter-persistent save
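A FORWARD rule of the shape `-A FORWARD -i eth0 -o eth1 -j ACCEPT`, with no connection-state or source match, forwards whatever reaches the NAT instance on the public side into the private subnet, and an ACCEPT default policy does the same for anything no rule matches. Both are easy to end up with when the rules are typed by hand, so the following added example (not from this answer) is a small audit that reads `iptables -S FORWARD` output and flags an ACCEPT policy and every ACCEPT rule that is neither limited to RELATED,ESTABLISHED traffic nor to a source address. The sample dump is constructed for the demonstration; the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit the FORWARD chain of a NAT instance for rules that let
# traffic through unconditionally. Input is `iptables -S FORWARD` output, one
# rule per line on stdin, so it works on the live host or on a saved dump.
audit_forward_rules() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            '-P FORWARD ACCEPT')
                printf 'FINDING: default policy is ACCEPT; set -P FORWARD DROP\n'
                findings=$((findings + 1)) ;;
            '-A FORWARD '*'-j ACCEPT'*)
                case "$line" in
                    *'--ctstate RELATED,ESTABLISHED'*|*'--state RELATED,ESTABLISHED'*)
                        ;;  # return traffic for flows already tracked: fine
                    *' -s '*)
                        ;;  # new connections limited to a source: fine
                    *)
                        printf 'FINDING: accepts new connections from any source: %s\n' "$line"
                        findings=$((findings + 1)) ;;
                esac ;;
        esac
    done
    printf '%d finding(s)\n' "$findings"
    [ "$findings" -eq 0 ]
}

# Constructed sample of `iptables -S FORWARD` output (not captured from a real host):
# an ACCEPT policy, a correct return-traffic rule, an unrestricted rule of the
# kind this audit exists to catch, and a correctly source-limited rule.
sample_dump() {
    printf '%s\n' \
        '-P FORWARD ACCEPT' \
        '-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A FORWARD -i eth0 -o eth1 -j ACCEPT' \
        '-A FORWARD -i eth0 -o eth0 -s 10.200.10.0/24 -m conntrack --ctstate NEW -j ACCEPT'
}

# Run against the constructed sample: prints two FINDING lines and exits non-zero.
demo() {
    sample_dump | audit_forward_rules
}

# On the live host:  sudo iptables -S FORWARD | audit_forward_rules
```

The audit exits non-zero when it finds anything, so it can run from a cron job or a configuration-management check after every rules change. It only recognises a source match as a restriction; a rule limited by destination alone is still reported, since on a NAT instance the question is who may open connections, not where to.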