I'm trying to get a very simple setup to work.
I have 2 AWS EC2 instances (blue).
Instance B has an IPsec VPN into our datacenter and can ping internal IPs of this datacenter, i.e. server C (192.168.40.21).
I need EC2 instance A to be able to ping and connect to server C by using B as a hop. Both A and B are on the same subnet. I tried adding B's IP as a gateway on A,
root@A> ip route add 192.168.40.0/24 via 172.25.25.200
and also set up firewall rules on B to forward traffic (sysctl ip4 forwarding = 1),
root@B>
iptables -A FORWARD -s 0/0 -d 172.25.25.0/24 -j ACCEPT
iptables -A FORWARD -s 172.25.25.0/24 -d 0/0 -j ACCEPT
iptables -t nat -A POSTROUTING -d 0/0 -s 172.25.25.0/24 -j MASQUERADE
But I cannot ping C from A. What am I missing?
All hosts are CentOS 7.
Thank you.
EC2 instances by default have source/destination checking enabled on their network interfaces which means they won't work as routers until you disable it. See https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
Usually iptables has a standard rule that blocks forwarded traffic. You should remove it to allow traffic to pass. You should remove the rule:
Are your instances explicitly allowed to communicate on the intended ports inside the subnet using Security Groups?
As I made this assumption myself, I must suspect this: EC2 instances within the same subnet/Security Group are not able to communicate out of the box without adding the necessary rules, as pointed out here: https://forums.aws.amazon.com/thread.jspa?threadID=77771
If you've already carefully added the appropriate rules, then maybe you can try looking at the flow of packets using tcpdump and filtering on the appropriate interface?
I ended up using a GRE tunnel to route all traffic via server B.
The tunnel is between A and B; on A I also added a route that sends all traffic for C via the GRE tunnel.
So it works like this: A > gre tun > B > ipsec vpn tun > C
** Note: see the comment above about source/dest check on EC2 instances.
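The GRE hop described in this answer, written out as an added example (not the poster's own commands). Addresses from the thread are B = 172.25.25.200, the VPC subnet 172.25.25.0/24 and the datacenter prefix 192.168.40.0/24; A's address, the tunnel's inner /30 and the interface name gre1 are assumptions.

```shell
#!/bin/sh
# Added example: A > gre1 > B > IPsec VPN > C. Each plan_* function prints the
# commands for one host; apply_plan runs them on that host (needs root).
A_IP=${A_IP:-172.25.25.100}      # assumption, A's address is not in the thread
B_IP=${B_IP:-172.25.25.200}      # from the thread
DC_NET=${DC_NET:-192.168.40.0/24}
GRE_A=${GRE_A:-10.99.0.1}        # assumption, inner tunnel address on A
GRE_B=${GRE_B:-10.99.0.2}        # assumption, inner tunnel address on B
GRE_NET=${GRE_NET:-10.99.0.0/30}

# Plan for A: tunnel towards B, datacenter prefix routed into the tunnel.
# Outer packets are addressed A<->B, so the EC2 src/dest check is satisfied;
# the Security Groups still have to allow IP protocol 47 (GRE) between A and B.
plan_a() {
    cat <<EOF
ip tunnel add gre1 mode gre local $A_IP remote $B_IP ttl 255
ip addr add $GRE_A/30 dev gre1
ip link set gre1 up
ip route replace $DC_NET dev gre1
EOF
}

# Plan for B: tunnel back to A, forwarding on, FORWARD rules inserted ahead of
# any default REJECT, and MASQUERADE so packets leave for the datacenter with
# B's own address (the one the IPsec policy matches). Replies return to B,
# are un-NATed back to the tunnel address and go out through gre1.
plan_b() {
    cat <<EOF
ip tunnel add gre1 mode gre local $B_IP remote $A_IP ttl 255
ip addr add $GRE_B/30 dev gre1
ip link set gre1 up
sysctl -w net.ipv4.ip_forward=1
iptables -I FORWARD -i gre1 -d $DC_NET -j ACCEPT
iptables -I FORWARD -o gre1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $GRE_NET -d $DC_NET -j MASQUERADE
EOF
}

# Run one plan on the current host, stopping at the first failing command.
apply_plan() {
    "$1" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1
    done
}

# Number of commands in a plan, for a sanity check before applying it.
plan_lines() { "$1" | wc -l | tr -d ' '; }
```

Run `apply_plan plan_a` on A and `apply_plan plan_b` on B, then test with `ping 192.168.40.21` from A and `tcpdump -ni gre1` on B to watch the packets cross the hop.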