Need correct iptable rules for NAT instance to prevent loop back for private subnet EC2 instance outgoing traffic



My AWS architecture has a public subnet with a NAT instance. It forwards the traffic on certain ports to my EC2 instance hosted in a separate private subnet.

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.1.126:80

But I also need to provide outgoing internet access to my private EC2 instances.

sudo iptables -t nat -A POSTROUTING -o eth0 -s 10.0.1.0/24 -j MASQUERADE

This results in all the requests generated by my private EC2 instance looping back to itself. Which rule needs to be modified to prevent this behaviour, so that outgoing traffic generated by the private EC2 instance is sent without being routed back?

UPDATE: I added the destination IP as my public IP for port 80:

sudo iptables -t nat -A PREROUTING -p tcp -d xx.xx.xx.xx --dport 80 -j DNAT --to-destination 10.0.1.126:80

Although my outgoing network calls are no longer looped back, my DNS-based domain requests are not getting passed to my instance.











      iptables routing nat dnat masquerade






asked 16 hours ago by Debasish Mitra, edited 10 hours ago

1 Answer







Your PREROUTING must exclude the local traffic, i.e.

iptables -t nat -A PREROUTING -p tcp ! --source 10.0.1.0/24 --dport 80 -j DNAT --to-destination 10.0.1.126:80

Note the exclamation mark before source: ! --source 10.0.1.0/24. That ensures that the rule is only evaluated for traffic coming from outside.

Hope that helps :)






answered 8 hours ago by MLu
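A complete rule set for the setup described in the question, incorporating the source exclusion from the answer above. This is an added example and is not part of the original question or answer. It assumes a single-ENI NAT instance whose only interface is eth0 (so eth0 is both the inside and the outside interface, and only the source address tells the two directions apart) and takes the private subnet 10.0.1.0/24 and the web host 10.0.1.126 from the question; nothing else is assumed. The script prints the commands rather than applying them, so they can be reviewed before being piped to sh on the NAT instance, and the two small helpers that model the PREROUTING match are illustrative only and never talk to netfilter. Two caveats worth checking on a real instance: forwarding only works with net.ipv4.ip_forward=1 and with EC2 source/destination checking disabled (aws ec2 modify-instance-attribute --instance-id <id> --no-source-dest-check); and because the VPC translates the instance's public or Elastic IP to its private address before a packet reaches eth0, a PREROUTING rule matching -d <public IP> as in the question's UPDATE never matches anything, which is consistent with nothing being forwarded after that change. The example therefore restricts the DNAT by source, not by public destination.

```shell
#!/bin/sh
# Added example, not from the original post: rule set for a single-ENI EC2 NAT
# instance that port-forwards inbound TCP/80 to a private web server and
# masquerades the private subnet's outbound traffic, without DNAT'ing the
# private subnet's own outbound port-80 connections back into the VPC.
# Values below match the question; nothing else is assumed.
PRIV_NET="10.0.1.0/24"   # private subnet behind the NAT instance
WEB_HOST="10.0.1.126"    # private web server that receives forwarded port 80
IFACE="eth0"             # sole interface: inside and outside at the same time

# Print the commands instead of running them, so they can be reviewed and then
# applied with:  nat_rules "$PRIV_NET" "$WEB_HOST" "$IFACE" | sudo sh
# Note that this flushes the nat table and the FORWARD chain first.
nat_rules() {
    net="$1"; host="$2"; ifc="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -F FORWARD
# DNAT only traffic that did NOT originate in the private subnet; this is the
# '! -s' exclusion that stops the private hosts' own port-80 traffic looping back.
iptables -t nat -A PREROUTING -i $ifc -p tcp ! -s $net --dport 80 -j DNAT --to-destination $host:80
# Hide the private subnet behind the NAT instance's own address on the way out.
iptables -t nat -A POSTROUTING -o $ifc -s $net -j MASQUERADE
# Forward only what the two NAT rules need; everything else is dropped.
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $ifc -s $net -j ACCEPT
iptables -A FORWARD -i $ifc -d $host -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Illustrative helper (models the '! -s' match, does not talk to netfilter):
# is address $1 inside the /24 given as $2? Assumes a /24 mask.
in_net24() {
    [ "${1%.*}" = "${2%.*}" ]
}

# Returns 0 when the DNAT rule above would rewrite a packet with source $1 and
# destination port $2, given private net $3: port 80 and a non-private source.
prerouting_dnat_applies() {
    src="$1"; dport="$2"; net="$3"
    [ "$dport" = "80" ] || return 1
    if in_net24 "$src" "$net"; then
        return 1      # excluded by '! -s': the packet is routed out normally
    fi
    return 0
}

# Self-check with constructed addresses: an Internet client is forwarded, a
# private host's outbound request to a port-80 site and a non-80 port are not.
prerouting_dnat_applies 203.0.113.5 80  "$PRIV_NET" && echo "internet client -> DNAT to $WEB_HOST"
prerouting_dnat_applies 10.0.1.126  80  "$PRIV_NET" || echo "private host -> no DNAT, masqueraded out"
prerouting_dnat_applies 203.0.113.5 443 "$PRIV_NET" || echo "port 443 -> no DNAT"
```

The FORWARD policy of DROP is the part most NAT-instance recipes leave out: without it the instance forwards anything that reaches it, so the DNAT loop in the question would have been only one of several unintended paths through the box.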