
I'm just starting with AWS, and have two EC2 instances running in a VPC, one with a public and private IP, one with only a private IP.

I can SSH to both (using my key) if I attach an external IP to them.

I can SSH from server 1 to server 2 (if I copy the pem key onto server 1).

Server 2 I want to be private IP only, and server 1 has a public IP and NAT to server 2. I am trying to follow the tutorial here; AWS shows the private address of server 2 as 10.0.0.18 (server 1 is 10.0.0.63).

On server 1 I have added:

    sudo iptables -t nat -A PREROUTING -p tcp --dport 10235 -j DNAT --to-destination 10.0.0.18:22

If I look at the tables, I can see:

    1 DNAT tcp -- anywhere anywhere tcp dpt:10235 to:10.0.0.18:22

And if I look at packet counts for iptables:

    iptables -L -v -t nat
    Chain PREROUTING (policy ACCEPT 1 packets, 40 bytes)
     pkts bytes target     prot opt in     out     source               destination
       10   600 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:10235 to:10.0.0.18:22

I am trying to connect with:

    ssh -i mykeyfile.pem -p 10235 user@<server1domain>

Whenever I try, I can see the packet counters increase on server 1, but I never get any response. I have allowed ports 10234, 10235 and 22 on the security group.

The security group shows:

    Custom TCP Rule TCP 10234 - 10240 0.0.0.0/0

ssh -vvv doesn't provide anything useful, as it just hangs saying 'connecting to myhost port 10235'.

As mentioned, if I associate a public IP and connect to that, all works, but I can't seem to get it working via NAT?

  • Did you disable source/dest checking on your NAT instance? Commented Oct 20, 2015 at 14:34
  • Do you mean in the security group (or is there somewhere I'm not aware of on the box itself)? I.e. in the security group I've set it to have source 0.0.0.0/0. I have added that display into the question as well. Commented Oct 20, 2015 at 14:52
  • No, this is a setting on the instance itself. Look through the Actions menu in the console. Commented Oct 20, 2015 at 15:15
  • Thanks, I hadn't spotted that. I have disabled it on both for the moment whilst testing and it's still the same though. Just to clarify though, I'm not using a specific NAT instance, just a regular front end server with a public IP. Commented Oct 20, 2015 at 15:18

1 Answer

If you are trying to connect from outside the VPC to the instance with only a private IP, this will fail. You will want to set up your instance with the public IP to also be a VPN (try OpenVPN AS) and then allow SSH access that way.

If you are trying to SSH from server 2 (private IP only) to server 1 (public/private) then you may need to also add a route table or security group as well as making sure the VPC can handle NAT/PAT traffic:

NAT/PAT Script

And set it up to run (Ubuntu):

    sed -i '$ i /usr/local/sbin/configure-pat.sh' /etc/rc.local
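The listing in the question shows the PREROUTING DNAT counter climbing while nothing comes back, which is what a DNAT with no matching SNAT/MASQUERADE in POSTROUTING looks like on the NAT host. Added example, not code from the question, the answer or AWS: a small Python auditor that parses an `iptables -L -v -t nat` listing and flags that condition; `SAMPLE` is a constructed listing modelled on the question's, and the check does not cover `net.ipv4.ip_forward`, the filter table's FORWARD chain or the instance source/dest check.

```python
"""Audit an `iptables -L -v -t nat` listing for a DNAT forward with no return path."""
import re

# Constructed listing modelled on the question: DNAT counted, POSTROUTING empty.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   600 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:10235 to:10.0.0.18:22

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

def _count(s):
    """iptables abbreviates large counters (e.g. 12K, 3M); expand them."""
    mult = {"K": 1000, "M": 1000000, "G": 1000000000}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def parse_nat_table(listing):
    """Return {chain: [rule, ...]} from `iptables -L -v -t nat` output."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        parts = line.split()
        # skip blank lines, the column header row and anything before a chain
        if len(parts) < 9 or parts[0] == "pkts" or current is None:
            continue
        # columns: pkts bytes target prot opt in out source destination [options]
        pkts, _bytes, target, prot, _opt, _in, _out, _src, _dst = parts[:9]
        extra = " ".join(parts[9:])
        to = re.search(r"\bto:(\S+)", extra)
        chains[current].append({"pkts": _count(pkts), "target": target, "prot": prot,
                                "to": to.group(1) if to else None, "extra": extra})
    return chains

def audit_forwarding(listing):
    """Flag DNAT rules whose replies have no SNAT/MASQUERADE on this host."""
    chains = parse_nat_table(listing)
    has_snat = any(r["target"] in ("MASQUERADE", "SNAT")
                   for r in chains.get("POSTROUTING", []))
    findings = []
    for rule in chains.get("PREROUTING", []):
        if rule["target"] == "DNAT" and rule["pkts"] > 0 and not has_snat:
            findings.append(f"DNAT to {rule['to']} matched {rule['pkts']} packets but "
                            "POSTROUTING has no SNAT/MASQUERADE: the target replies "
                            "straight to the client and bypasses this host")
    return findings
```

Run it against `sudo iptables -L -v -t nat` output from the front-end server; an empty result only means the return path exists at the NAT layer, not that forwarding is enabled.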
