
Dear networking experts

I have an Ubuntu 18.04 instance in a cloud (say A), that is assigned a public IP address and can be logged in from the internet; however, its only network interface is private:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether d0:0d:5d:03:3c:17 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.17/24 brd 10.0.1.255 scope global eth0

I understand that the cloud provider is doing the NAT for me.

Now I have another VM, say B, without such NAT in the same private subnet, and B can't be accessed from internet, neither can B reach public servers.

Now, I would like to use A as a NAT or router to access internet from B. I assume that if I can reach internet from A, then I can somehow set it up to forward traffic from B.

However traditional NAT recipes for A (such as in man ufw-framework) don't seem to work for me, since I guess they assume that A should have a real public IP on an interface.

So, the question is - is it possible to provide B with internet via A in the setup I described?

Thanks in advance!

1 Answer


Surely you can do another NAT in addition to what your provider does.

ufw is just a netfilter script generator. If it isn't able to do its work, throw it away; it only obscures things.

To do NAT, you only need a single rule in the firewall:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 

That's it. This system will now masquerade (NAT) traffic for any other system, even if the traffic subjected to translation comes in on eth0. You will need to specify its IP address as the gateway on all other systems.

If you go this route, you also need to manually enable ip forwarding (net.ipv4.ip_forward=1 in /etc/sysctl.conf), disable redirects on all systems (see ..._redirects in /etc/sysctl.conf) and enable rules saving/autoloading (with netfilter-persistent and iptables-persistent packages).

Also, beware of security! If this network also holds machines not under your control, you must filter them in the filter table, FORWARD chain (just permit forward for your machines and disable it for everything else with the policy). Also you can control (filter) access to this NATing machine in the INPUT chain.
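The whole recipe from this answer (masquerade rule, forwarding and redirect sysctls, persistence, and a FORWARD chain that only lets B through) as one script for A. This is an added example, not the answerer's script; the interface name eth0 and the subnet come from the question, while B's address 10.0.1.18 is an assumed value you must replace. Without the `apply` argument it only prints what it would do.

```shell
#!/bin/sh
# Added example: configure host A as a filtered NAT gateway for host B.
WAN_IF="${WAN_IF:-eth0}"          # A's only interface (10.0.1.17/24 in the question)
CLIENT="${CLIENT:-10.0.1.18}"     # B's address: assumed value, set your own
# On B, point the default route at A:  ip route add default via 10.0.1.17

# Netfilter rules as the answer describes: masquerade on eth0, FORWARD
# policy DROP, and only B (plus replies back to B) allowed through, so a
# host on the subnet that is not yours cannot use A as its gateway.
nat_rules() {
  cat <<EOF
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $WAN_IF -o $WAN_IF -s $CLIENT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $WAN_IF -d $CLIENT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Forwarding on; ICMP redirects off, because forwarded traffic enters and
# leaves on the same interface and the kernel would otherwise emit redirects.
sysctl_settings() {
  cat <<EOF
net.ipv4.ip_forward=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.$WAN_IF.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
EOF
}

# Apply on A (root required); persist with the iptables-persistent tooling.
apply_nat() {
  sysctl_settings | while read -r kv; do sysctl -w "$kv"; done
  nat_rules | sh -e
  netfilter-persistent save
}

# Sanity check: every FORWARD accept rule must name B, and the policy is DROP.
check_rules() {
  nat_rules | grep '^iptables -A FORWARD' | grep -v -- "$CLIENT" | grep -q . && return 1
  nat_rules | grep -q '^iptables -P FORWARD DROP$'
}

if [ "${1:-}" = "apply" ]; then apply_nat; else nat_rules; sysctl_settings; fi
```

Append the lines printed by sysctl_settings to /etc/sysctl.conf so they survive a reboot, as the answer says.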
