login to EC2 shows the IP of my NAT instance instead of my private IP
We have a NAT instance with a private and a public subnet, and created a tunnel connection from our office network to the NAT instance so we can access EC2 resources in AWS. The connection is working, but my EC2 instances show that the last login/current logged-in IP is my NAT instance's private IP instead of the remote private IP.
Here's the diagram:
OFFICE ------tunnel------- NAT INSTANCE ----private subnet
|___public subnet
This is the message shown on one of our EC2 instances in the private subnet:
login as: ec2-user
...
Last login: Thu Jan 31 12:12:12 2019 from 172.20.0.10
# w
USER TTY FROM
ec2-user pts/0 172.20.0.10
Unlike the message on the NAT instance, and also on our other previous AWS setup (different account), which shows like this:
Last login: Thu Jan 31 12:12:12 2019 from 192.168.1.123
# w
USER TTY FROM
ec2-user pts/0 192.168.1.123
It seems like the connection is stopping at the NAT instance and it acts like a bastion/jump server.
My AWS VPC is 172.20.0.0
NAT instance IP is 172.20.0.10
Our private IP is 192.168.0.0
Tunnel IPs for both the NAT instance and our router: 172.16.1.1 and 172.16.1.1
Other things: we followed the procedure for creating a NAT instance as provided by AWS in their docs, and all routing is configured correctly. We already have 4 previous setups like this and we made sure that all have identical configuration.
Is it possible that the NAT instance is disabling the source connection IP even though we already disabled the "Source/Destination Check" of the NAT instance? I'm not sure where to look since we made sure this has the same setup as our previous ones.
networking nat amazon-web-services
edited Feb 8 at 7:22
asked Jan 31 at 6:01
SpeakerPerez
12
2 Answers
NAT instances are used to allow EC2 instances in a private subnet to reach the internet, without letting internet resources reach the private subnet instances. Your description above doesn't sound quite right. You could mean you have a bastion host or a VPN to your on-premise systems. I guess you could use a NAT instance in both directions, but it's not the way it's meant to be used. Typically you should use a bastion host for incoming connections.
If a connection goes via any kind of proxy then the proxy IP will be the one that the receiver sees. Properly configured proxies sometimes add the X-Forwarded-For header, which can give the IP of the original requester. I don't think either bastions or NAT instances add it, but elastic load balancers do.
I suggest you investigate what your setup is, then edit your question to clarify your configuration and the problem you're having. Once you've done that, if you comment on my answer I may be able to provide more help.
Update
Based on your updated description, I believe things are working as they should.
edited Feb 7 at 18:23
answered Feb 6 at 19:33
Tim
39027
Thanks for your feedback Tim, I updated my question with additional info about our setup. I also put into consideration that maybe our NAT instance is translating all the incoming traffic from our remote office to use its IP as a source.
– SpeakerPerez
Feb 7 at 2:44
I think things are working as they should. You connect to this NAT server, that NAT server connects to your instance, and the instance shows the NAT server IP.
– Tim
Feb 7 at 18:23
Hi Tim. I think I was able to find a "solution". I created a separate AWS account and tried to replicate the setup; it still shows the NAT server IP. And then I tried to use the older version of the NAT instance AMI (version 2015.3) and it worked. Instances in my VPC are now showing the private IP of the remote users (last login from 192.168.x.x). Now I'm wondering if there's something in the newer version of the NAT instance AMI configuration where I can change this kind of setting. Or perhaps we'll stick to the older version of the NAT instance AMI.
– SpeakerPerez
Feb 8 at 2:19
I still think it's a bit odd. If you go via another server, the from address will change. Could even be a bug in the older AMI. But if it works for you, great, go for it.
– Tim
Feb 8 at 8:06
OK, I think I found another way to modify the newer version of the NAT instance AMI. Something like IP masquerading/post-routing is changing the source IP whenever I connect to my other instances via the tunnel. So I compared the iptables rules of the older and newer versions of the NAT instance AMI and I found this:
version amzn-ami-vpc-nat-hvm-2015.03.0.x86_64-ebs - ami-1a9dac48
[root@nat-instance ec2-user]# iptables -t nat -v -L POSTROUTING -n --line-number
Chain POSTROUTING (policy ACCEPT 23 packets, 1315 bytes)
num pkts bytes target prot opt in out source destination
1 3745 225 MASQUERADE all -- * eth0 (public subnet /16) 0.0.0.0/0
version amzn-ami-vpc-nat-hvm-2018.03.0.20181116-x86_64-ebs - ami-01514bb1776d5c018
[root@another-nat ec2-user]# iptables -t nat -v -L POSTROUTING -n --line-number
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 216 14157 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
So what I did was add another rule and delete the current one. Perhaps it would work, and it did.
# iptables -t nat -A POSTROUTING -o eth0 -s 172.20.0.0/16 -j MASQUERADE   # add the narrowed rule (appended as rule 2)
# iptables -t nat -D POSTROUTING 1   # delete the previous broad rule, still at position 1
# iptables -t nat -v -L POSTROUTING -n --line-number
Chain POSTROUTING (policy ACCEPT 2 packets, 104 bytes)
num pkts bytes target prot opt in out source destination
1 2 168 MASQUERADE all -- * eth0 172.20.0.0/16 0.0.0.0/0
Sample results, accessing both instances by their private IP from the office network.
Instance in the public subnet:
login as: ec2-user
Last login: from 192.168.1.123
# w
USER TTY FROM
ec2-user pts/0 192.168.1.123
Instance in the private subnet:
login as: ec2-user
Last login: from 192.168.1.123
# w
USER TTY FROM
ec2-user pts/0 192.168.1.123
Yep, it pretty much achieved my goal and I don't have to change my NAT instance version entirely.
edited Feb 8 at 7:31
answered Feb 8 at 6:53
SpeakerPerez
12
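As an added example (not code from the question, either answer, or the Amazon NAT AMI), the following Python models the difference between the two POSTROUTING listings in the accepted answer and Tim's point that a host reached through a NAT sees the NAT's own address: it parses MASQUERADE rules written in iptables-save form, reports which source address the destination instance observes for office-tunnel traffic versus private-subnet-to-internet traffic, and flags rules whose source match is wider than the VPC. The iptables-save text, the private-subnet host 172.20.1.50 and all function names are constructed for this example; the other addresses are the ones quoted in the question.

```python
"""Simulate which source address a destination host sees after a NAT
instance's POSTROUTING chain, and audit MASQUERADE rules that are wider than
the network the NAT instance is meant to serve.

Added example, not code from the page or from the Amazon NAT AMI. Addresses
mirror those quoted in the question (VPC 172.20.0.0/16, NAT instance
172.20.0.10, office client 192.168.1.123); the private-subnet host address and
the iptables-save style rule text are constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

VPC_CIDR = "172.20.0.0/16"          # from the question
NAT_INSTANCE_IP = "172.20.0.10"     # from the question
OFFICE_CLIENT = "192.168.1.123"     # from the question
PRIVATE_HOST = "172.20.1.50"        # constructed: a host in the private subnet

# Constructed rulesets in 'iptables-save -t nat' form, equivalent to the two
# POSTROUTING listings in the answer (2018 AMI rule, then the narrowed rule).
BROAD_RULESET = """*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""
NARROW_RULESET = """*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.20.0.0/16 -o eth0 -j MASQUERADE
COMMIT
"""

RULE_RE = re.compile(r"^-A POSTROUTING(?P<args>.*?)-j MASQUERADE\s*$")


@dataclass(frozen=True)
class MasqRule:
    out_iface: str                    # -o value, or "*" when unrestricted
    source: ipaddress.IPv4Network     # -s value, 0.0.0.0/0 when absent


def parse_masquerade_rules(iptables_save: str) -> List[MasqRule]:
    """Extract the POSTROUTING MASQUERADE rules from iptables-save output.
    Only -s and -o are modelled; other matches in a real ruleset are ignored."""
    rules = []
    for line in iptables_save.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        args = m.group("args").split()
        out = args[args.index("-o") + 1] if "-o" in args else "*"
        src = args[args.index("-s") + 1] if "-s" in args else "0.0.0.0/0"
        rules.append(MasqRule(out, ipaddress.ip_network(src, strict=False)))
    return rules


def observed_source(rules: List[MasqRule], src_ip: str, out_iface: str,
                    nat_ip: str) -> str:
    """Source address the destination sees: the first matching MASQUERADE rule
    rewrites it to the NAT instance's own address, otherwise it is unchanged."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.out_iface in ("*", out_iface) and ip in rule.source:
            return nat_ip
    return src_ip


def overly_broad_rules(rules: List[MasqRule], served_cidr: str) -> List[MasqRule]:
    """Audit check: MASQUERADE rules whose source match is not confined to the
    network the NAT instance serves. Such a rule also rewrites forwarded traffic
    from elsewhere (here, the office tunnel), so the real client address never
    reaches the destination's auth logs, 'last' or 'w'."""
    served = ipaddress.ip_network(served_cidr)
    return [r for r in rules if not r.source.subnet_of(served)]


def compare(ruleset: str) -> Dict[str, object]:
    """What a ruleset does to the two traffic classes discussed on this page."""
    rules = parse_masquerade_rules(ruleset)
    return {
        # office user connecting over the tunnel to a private-subnet instance
        "office_to_private": observed_source(rules, OFFICE_CLIENT, "eth0", NAT_INSTANCE_IP),
        # private-subnet instance reaching the internet, the NAT's real job
        "private_to_internet": observed_source(rules, PRIVATE_HOST, "eth0", NAT_INSTANCE_IP),
        "broad_rule_count": len(overly_broad_rules(rules, VPC_CIDR)),
    }


if __name__ == "__main__":
    for name, ruleset in (("2018 AMI rule", BROAD_RULESET), ("narrowed rule", NARROW_RULESET)):
        print(f"{name}: {compare(ruleset)}")
```

The broad rule rewrites both traffic classes to 172.20.0.10, which is exactly what the private instance logged; the narrowed rule leaves 192.168.1.123 intact while still masquerading VPC-originated internet traffic. Two practical points for anyone applying the narrowed rule: the private-subnet instances need a return route for 192.168.0.0/16 that points at the NAT instance (the question states routing is in place), otherwise the unmasqueraded connections hang; and rules changed with iptables -A/-D live in kernel memory only, so unless they are persisted they vanish at the next reboot and the logs silently revert to showing the NAT address.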