Need correct iptable rules for NAT instance to prevent loop back for private subnet EC2 instance outgoing traffic


My AWS architecture has a public subnet having a NAT instance. It forwards the traffic on certain ports to my EC2 instance hosted in a separate private subnet.

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.1.126:80

But I also need to provide outgoing internet access to my private EC2 instances.

sudo iptables -t nat -A POSTROUTING -o eth0 -s 10.0.1.0/24 -j MASQUERADE

This results in all the requests generated by my private EC2 instance looping back to itself. Which rule needs to be modified to prevent this behaviour, so that outgoing traffic generated by the private EC2 instance is sent without being routed back?

UPDATE: I added the destination IP as my public IP for port 80:

sudo iptables -t nat -A PREROUTING -p tcp -d xx.xx.xx.xx --dport 80 -j DNAT --to-destination 10.0.1.126:80

Although my outgoing network call is no longer looped back, my DNS-based domain requests are not getting passed to my instance.










iptables routing nat dnat masquerade






      edited 7 hours ago







      Debasish Mitra






















      asked 13 hours ago









Debasish Mitra

          1 Answer
Your PREROUTING must exclude the local traffic, i.e.

iptables -t nat -A PREROUTING -p tcp ! --source 10.0.1.0/24 --dport 80 -j DNAT --to-destination 10.0.1.126:80

Note the exclamation mark before source: ! --source 10.0.1.0/24. That ensures that the rule is only evaluated for traffic coming from outside.

Hope that helps :)






                answered 6 hours ago









MLu
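To see why the question's unqualified DNAT rule turns the private instance's own outbound port-80 traffic around, and why the answer's `! --source 10.0.1.0/24` exclusion (and the question's `-d <public IP>` update) stop that, here is a small offline model of the nat-table matching. It is an added example, not code from the Server Fault post, its author, or the answerer. It models only the options used on this page (`-p tcp`, `-s`/`--source` with `!` negation, `-d`, `--dport`, `-j DNAT --to-destination`, `-j MASQUERADE`), assumes the NAT instance has a single interface `eth0` so `-o eth0` always matches, and uses constructed sample addresses (`203.0.113.10`, `198.51.100.7`, `192.0.2.44`) alongside the page's own `10.0.1.0/24` and `10.0.1.126`.

```python
"""Offline model of the page's nat-table rules (added example, not the post's code).
Assumptions: single-interface NAT instance (so '-o eth0' always matches), first
matching DNAT/MASQUERADE rule wins, and MASQUERADE rewrites the source to the
NAT instance's own address. Addresses other than 10.0.1.0/24 and 10.0.1.126
are constructed samples."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

NAT_PUBLIC_IP = "203.0.113.10"    # constructed stand-in for the post's xx.xx.xx.xx
PRIVATE_SUBNET = "10.0.1.0/24"    # private subnet from the question
WEB_SERVER = "10.0.1.126"         # private EC2 instance from the question


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    target: str                           # "DNAT" or "MASQUERADE"
    proto: Optional[str] = None           # -p
    src: Optional[str] = None             # -s / --source (CIDR)
    src_negated: bool = False             # True models '! --source'
    dst: Optional[str] = None             # -d (host or CIDR)
    dport: Optional[int] = None           # --dport
    to_destination: Optional[str] = None  # DNAT --to-destination "ip:port"

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None:
            in_src = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            if in_src == self.src_negated:  # '!' inverts the sense of the match
                return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def nat_traverse(rules: List[Rule], pkt: Packet) -> Packet:
    """PREROUTING (first matching DNAT rewrites the destination), then the routing
    decision, then POSTROUTING (MASQUERADE rewrites the source)."""
    for r in rules:
        if r.target == "DNAT" and r.matches(pkt):
            ip, port = r.to_destination.rsplit(":", 1)
            pkt = replace(pkt, dst=ip, dport=int(port))
            break
    for r in rules:  # with one interface every packet leaves via eth0
        if r.target == "MASQUERADE" and r.matches(pkt):
            pkt = replace(pkt, src=NAT_PUBLIC_IP)
            break
    return pkt


def loops_back(rules: List[Rule], pkt: Packet) -> bool:
    """True when a private-subnet packet bound for the Internet ends up with a
    destination back inside the private subnet, i.e. the loop from the question."""
    out = nat_traverse(rules, pkt)
    return ipaddress.ip_address(out.dst) in ipaddress.ip_network(PRIVATE_SUBNET)


MASQ = Rule(target="MASQUERADE", src=PRIVATE_SUBNET)  # -o eth0 -s 10.0.1.0/24 -j MASQUERADE

# The question's original pair: DNAT every tcp/80 packet, whatever its origin.
NAIVE_RULES = [Rule(target="DNAT", proto="tcp", dport=80, to_destination=f"{WEB_SERVER}:80"), MASQ]
# The answer's fix: skip DNAT for packets that already come from the private subnet.
FIXED_RULES = [Rule(target="DNAT", proto="tcp", src=PRIVATE_SUBNET, src_negated=True, dport=80,
                    to_destination=f"{WEB_SERVER}:80"), MASQ]
# The question's UPDATE: DNAT only packets addressed to the NAT instance's public IP.
PUBLIC_IP_RULES = [Rule(target="DNAT", proto="tcp", dst=NAT_PUBLIC_IP, dport=80,
                        to_destination=f"{WEB_SERVER}:80"), MASQ]

# Constructed sample traffic.
INBOUND = Packet(src="198.51.100.7", dst=NAT_PUBLIC_IP, dport=80)  # client on the Internet
OUTBOUND = Packet(src=WEB_SERVER, dst="192.0.2.44", dport=80)      # private instance fetching a web page

if __name__ == "__main__":
    for name, rules in [("naive", NAIVE_RULES), ("fixed", FIXED_RULES), ("public-ip", PUBLIC_IP_RULES)]:
        print(f"{name:10} inbound  -> {nat_traverse(rules, INBOUND)}")
        print(f"{name:10} outbound -> {nat_traverse(rules, OUTBOUND)}  loop={loops_back(rules, OUTBOUND)}")
```

Under `NAIVE_RULES` the outbound packet is rewritten to `10.0.1.126:80` and then masqueraded, which is exactly the loop the question describes; under `FIXED_RULES` and `PUBLIC_IP_RULES` it reaches `192.0.2.44` with the NAT instance's address as source, while the inbound packet is still forwarded to the web server. One check worth making against the `-d xx.xx.xx.xx` variant on a real AWS NAT instance: the public IP is translated by the Internet gateway, so the instance's own kernel sees inbound packets addressed to its private `eth0` address, not the public IP, and a `-d <public IP>` match in PREROUTING would then never fire; the `! --source` form does not depend on that.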
