Otdfbt

Multi tool use

Make Gimbap cutter

Does the Nuka-Cola bottler actually generate nuka cola?

Why ambiguous grammars are bad?

noalign caused by multirow and colors

Extracting data from Plot

Proving that a Russian cryptographic standard is too structured

Who is "He that flies" in Lord of the Rings?

To what extent do precedents in Westminster systems apply in other countries that use it?

bash vs. zsh: What are the practical differences?

The significance of kelvin as a unit of absolute temperature

How to befriend someone who doesn't like to talk?

So a part of my house disappeared... But not because of a chunk resetting

Does a (nice) centerless group always have a centerless profinite completion?

How do we say "within a kilometer radius spherically"?

Why isn't Bash trap working if output is redirected to stdout?

Canada travel to US using Global Entry

Do empty drive bays need to be filled?

What is the reason for setting flaps 1 on the ground at high temperatures?

Why do radiation hardened IC packages often have long leads?

That's not my X, its Y is too Z

Grep Match and extract

What plausible reason could I give for my FTL drive only working in space

What do you call the action of "describing events as they happen" like sports anchors do?

The origin of the Russian proverb about two hares

firewalld configuration to make EC2 Amazon Linux 2 a NAT

How to configure a custom NAT for use in Amazon VPCCentOS iptables NAT, client cannot connect to WAN from LANAmazon VPC NAT not workingMake CentOS 6.x a port forwarding NAT deviceNAT doesnt work on CentOS 7(Firewalld)CentOS 7 firewall-cmd not foundAmazon Linux - iptables NAT rules not matching GRE trafficSetting up NAT with firewalld on Centos 7ssh port forwarding with firewall-cmdfirewalld port forwarding not working in centOSNeed correct iptable rules for NAT instance to prevent loop back for private subnet EC2 instance outgoing trafficLinux firewalld - I can hit port 4506, but my configuration shouldn't let me

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

1

Short question:

I'm trying to configure my own NAT instance on AWS, starting with a standard AWS Linux 2 instance, and it seems the new "right" way to configure things is with firewalld instead of iptables, so I'm looking for the equivalent to the answer to this question, but with firewalld.

Longer description:

I'm 99% sure I have my VPC, subnets, and routing tables configured correctly. On the ec2 instance, I've enabled IP4 forwarding, disabled ICMP forwarding, and disabled source/destination check.

I believe the only step I'm missing is that the old, community NAT Instance AMIs run a script on startup that does this:

(iptables -t nat -C POSTROUTING -o eth0 -s $VPC_CIDR_RANGE -j MASQUERADE 2> /dev/null ||
 iptables -t nat -A POSTROUTING -o eth0 -s $VPC_CIDR_RANGE -j MASQUERADE ) ||
 die

Based on this how-to, I'm attempting to replicate the same functionality with firewalld, and I've done

firewall-cmd --zone=internal --add-source=10.0.4.0/22
firewall-cmd --zone=external --add-interface=eth0
firewall-cmd --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 10.0.4.0/22

I've also attempted to allow ping for testing purposes, with

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

I can successfully ssh to the NAT Instance, I can ping the outside world from it, and I can ping it from the private subnet, but I can't ping the outside world from the private subnet. I suspect there's something wrong with my understanding of firewalld works when there's only one PHY (eth0), but ... I'm stuck. So,

a) is my base assumption that I should be using firewalld instead of iptables correct?
b) if so, how do I get NAT working with it on a single interface?

Thanks!

amazon-ec2 nat firewalld

share|improve this question

asked May 27 at 6:05

philolegeinphilolegein

134

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  serverfault.com/a/939478/126632
  
  – Michael Hampton♦
  May 27 at 6:29
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  a) cool. But b) those instructions say "You also need to assign the internal interface to a different zone other than public. But there's only one interface. Do I assign it to "internal"?
  
  – philolegein
  May 27 at 7:01
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Having a zone defined from a source ought to be OK, but you really should have two interfaces, one on a separate private network. Otherwise nothing prevents all your other instances from accessing the Internet directly.
  
  – Michael Hampton♦
  May 27 at 7:05
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  FYI, I've confirmed this works. Thanks!
  
  – philolegein
  May 27 at 13:35
  

  
  
  
  

add a comment | 

1

Short question:

I'm trying to configure my own NAT instance on AWS, starting with a standard AWS Linux 2 instance, and it seems the new "right" way to configure things is with firewalld instead of iptables, so I'm looking for the equivalent to the answer to this question, but with firewalld.

Longer description:

I'm 99% sure I have my VPC, subnets, and routing tables configured correctly. On the ec2 instance, I've enabled IP4 forwarding, disabled ICMP forwarding, and disabled source/destination check.

I believe the only step I'm missing is that the old, community NAT Instance AMIs run a script on startup that does this:

(iptables -t nat -C POSTROUTING -o eth0 -s $VPC_CIDR_RANGE -j MASQUERADE 2> /dev/null ||
 iptables -t nat -A POSTROUTING -o eth0 -s $VPC_CIDR_RANGE -j MASQUERADE ) ||
 die

Based on this how-to, I'm attempting to replicate the same functionality with firewalld, and I've done

firewall-cmd --zone=internal --add-source=10.0.4.0/22
firewall-cmd --zone=external --add-interface=eth0
firewall-cmd --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 10.0.4.0/22

I've also attempted to allow ping for testing purposes, with

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

I can successfully ssh to the NAT Instance, I can ping the outside world from it, and I can ping it from the private subnet, but I can't ping the outside world from the private subnet. I suspect there's something wrong with my understanding of firewalld works when there's only one PHY (eth0), but ... I'm stuck. So,

a) is my base assumption that I should be using firewalld instead of iptables correct?
b) if so, how do I get NAT working with it on a single interface?

Thanks!

amazon-ec2 nat firewalld

share|improve this question

asked May 27 at 6:05

philolegeinphilolegein

134

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  serverfault.com/a/939478/126632
  
  – Michael Hampton♦
  May 27 at 6:29
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  a) cool. But b) those instructions say "You also need to assign the internal interface to a different zone other than public. But there's only one interface. Do I assign it to "internal"?
  
  – philolegein
  May 27 at 7:01
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Having a zone defined from a source ought to be OK, but you really should have two interfaces, one on a separate private network. Otherwise nothing prevents all your other instances from accessing the Internet directly.
  
  – Michael Hampton♦
  May 27 at 7:05
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  FYI, I've confirmed this works. Thanks!
  
  – philolegein
  May 27 at 13:35
  

  
  
  
  

add a comment | 

Short question:

I'm trying to configure my own NAT instance on AWS, starting with a standard AWS Linux 2 instance, and it seems the new "right" way to configure things is with firewalld instead of iptables, so I'm looking for the equivalent to the answer to this question, but with firewalld.

Longer description:

I'm 99% sure I have my VPC, subnets, and routing tables configured correctly. On the ec2 instance, I've enabled IP4 forwarding, disabled ICMP forwarding, and disabled source/destination check.

I believe the only step I'm missing is that the old, community NAT Instance AMIs run a script on startup that does this:

(iptables -t nat -C POSTROUTING -o eth0 -s $VPC_CIDR_RANGE -j MASQUERADE 2> /dev/null ||
 iptables -t nat -A POSTROUTING -o eth0 -s $VPC_CIDR_RANGE -j MASQUERADE ) ||
 die

Based on this how-to, I'm attempting to replicate the same functionality with firewalld, and I've done

firewall-cmd --zone=internal --add-source=10.0.4.0/22
firewall-cmd --zone=external --add-interface=eth0
firewall-cmd --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 10.0.4.0/22

I've also attempted to allow ping for testing purposes, with

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

I can successfully ssh to the NAT Instance, I can ping the outside world from it, and I can ping it from the private subnet, but I can't ping the outside world from the private subnet. I suspect there's something wrong with my understanding of firewalld works when there's only one PHY (eth0), but ... I'm stuck. So,

a) is my base assumption that I should be using firewalld instead of iptables correct?
b) if so, how do I get NAT working with it on a single interface?

Thanks!

amazon-ec2 nat firewalld

share|improve this question

asked May 27 at 6:05

philolegeinphilolegein

134

(iptables -t nat -C POSTROUTING -o eth0 -s $VPC_CIDR_RANGE -j MASQUERADE 2> /dev/null ||
 iptables -t nat -A POSTROUTING -o eth0 -s $VPC_CIDR_RANGE -j MASQUERADE ) ||
 die

firewall-cmd --zone=internal --add-source=10.0.4.0/22
firewall-cmd --zone=external --add-interface=eth0
firewall-cmd --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 10.0.4.0/22

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

share|improve this question

asked May 27 at 6:05

philolegeinphilolegein

134

share|improve this question

asked May 27 at 6:05

philolegeinphilolegein

134

asked May 27 at 6:05

philolegeinphilolegein

134

asked May 27 at 6:05

philolegeinphilolegein

134

1 Answer
1

active

oldest

votes

1

On EC2 you need, besides proper iptable/nftable setup, to make sure that source destination checks are disabled on EC2 level.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck

share|improve this answer

answered May 27 at 7:15

harguthargut

1,80717

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f968931%2ffirewalld-configuration-to-make-ec2-amazon-linux-2-a-nat%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

1

On EC2 you need, besides proper iptable/nftable setup, to make sure that source destination checks are disabled on EC2 level.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck

share|improve this answer

answered May 27 at 7:15

harguthargut

1,80717

add a comment | 

1

On EC2 you need, besides proper iptable/nftable setup, to make sure that source destination checks are disabled on EC2 level.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck

share|improve this answer

answered May 27 at 7:15

harguthargut

1,80717

add a comment | 

On EC2 you need, besides proper iptable/nftable setup, to make sure that source destination checks are disabled on EC2 level.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck

share|improve this answer

answered May 27 at 7:15

harguthargut

1,80717

share|improve this answer

answered May 27 at 7:15

harguthargut

1,80717

answered May 27 at 7:15

harguthargut

1,80717

answered May 27 at 7:15

harguthargut

1,80717