Short question:
I'm trying to configure my own NAT instance on AWS, starting with a standard AWS Linux 2 instance, and it seems the new "right" way to configure things is with firewalld instead of iptables, so I'm looking for the equivalent to the answer to this question, but with firewalld.
Longer description:
I'm 99% sure I have my VPC, subnets, and routing tables configured correctly. On the ec2 instance, I've enabled IP4 forwarding, disabled ICMP forwarding, and disabled source/destination check.
I believe the only step I'm missing is that the old, community NAT Instance AMIs run a script on startup that does this:
(iptables -t nat -C POSTROUTING -o eth0 -s ${VPC_CIDR_RANGE} -j MASQUERADE 2> /dev/null ||
iptables -t nat -A POSTROUTING -o eth0 -s ${VPC_CIDR_RANGE} -j MASQUERADE ) ||
die
Based on this how-to, I'm attempting to replicate the same functionality with firewalld, and I've done
firewall-cmd --zone=internal --add-source=10.0.4.0/22
firewall-cmd --zone=external --add-interface=eth0
firewall-cmd --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 10.0.4.0/22
I've also attempted to allow ping
for testing purposes, with
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
I can successfully ssh to the NAT Instance, I can ping the outside world from it, and I can ping it from the private subnet, but I can't ping the outside world from the private subnet. I suspect there's something wrong with my understanding of firewalld works when there's only one PHY (eth0), but ... I'm stuck. So,
a) is my base assumption that I should be using firewalld instead of iptables correct? b) if so, how do I get NAT working with it on a single interface?
Thanks!
On EC2 you need, besides proper iptable/nftable setup, to make sure that source destination checks are disabled on EC2 level.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck