
After spending the last week bashing my head against a desk trying to locate the various settings and "gotchas" of AWS for network address translation and IP forwarding from within a VPC, I've finally written down concise enough notes to publish something here so I never have to remember how to do it again.

AWS

The resources required in AWS to set up a self-contained network for a group of compute nodes are:

  • VPC
  • Subnet
  • Internet Gateway
  • Security Group

The VPC will need a route directing traffic to 0.0.0.0/0 via the Internet Gateway, set in the associated Routing Table.

The Security Group will need at least the following rules:

  • Allowing of all local traffic on the subnet
  • External SSH access to the gateway node (it's recommended to limit this to the IP you will be accessing from, to reduce the exposure to SSH attacks)

Gateway Node

In AWS, the gateway node's network interface will need the setting Source/Destination Check set to disabled (this was the bugger that escaped my configuration and led to many head-meet-desk moments).

On the node itself, the following will need to be done:

  • Enable IP forwarding (as root):

# Enable IP forwarding on the fly
echo 1 > /proc/sys/net/ipv4/ip_forward

# Permanently enable IP forwarding (append, so the rest of sysctl.conf is kept) and load it
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p

  • Configure masquerade in the firewall rules (replacing SUBNET/NETMASK and ZONE_OF_INTERFACE with the correct information - in my case I used 10.0.0.0/255.255.0.0 for the subnet/netmask and public for my firewall zone):

firewall-cmd --add-rich-rule='rule family="ipv4" source address="SUBNET/NETMASK" masquerade' --zone=ZONE_OF_INTERFACE --permanent
firewall-cmd --reload
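To confirm the gateway node ended up in the state described above, here is an added example script (not part of the original post): it builds the masquerade rich rule for a subnet, checks that IP forwarding is on, and scans a firewall-cmd rich-rule listing for a masquerade rule that is scoped to the internal subnet rather than to everything. The function names are my own, and the rule listing and sysctl file used in the checks are passed in as parameters so the script can be exercised with constructed input.

```bash
#!/usr/bin/env bash
# Added example: sanity checks for a firewalld-based NAT gateway node.
# All function names below are hypothetical helpers, not firewalld or AWS tooling.
set -u

# Build the firewalld rich rule that masquerades one internal subnet.
# Usage: masquerade_rule "10.0.0.0/255.255.0.0"
masquerade_rule() {
    printf 'rule family="ipv4" source address="%s" masquerade' "$1"
}

# Return 0 if the file given as $1 holds "1".
# On the real node pass /proc/sys/net/ipv4/ip_forward.
ip_forward_enabled() {
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Read a `firewall-cmd --list-rich-rules` listing on stdin and return 0 when a
# masquerade rule scoped to the expected subnet ($1) is present. Return 2 when a
# masquerade rule applies to any source (no source address, or 0.0.0.0/0): that
# would turn the node into an open NAT for anything able to route through it.
check_masquerade_rules() {
    local want="$1" line found=1
    while IFS= read -r line; do
        case "$line" in
            *masquerade*)
                case "$line" in
                    *"source address=\"$want\""*) found=0 ;;
                    *"0.0.0.0/0"*) echo "unrestricted masquerade: $line" >&2; return 2 ;;
                    *source*) ;;  # scoped to some other subnet; not ours, not open
                    *) echo "masquerade without source restriction: $line" >&2; return 2 ;;
                esac ;;
        esac
    done
    return "$found"
}

# Disable the EC2 source/destination check for an instance (needs AWS CLI
# credentials). $1 is the instance id; supply your own.
disable_src_dst_check() {
    aws ec2 modify-instance-attribute --instance-id "$1" --no-source-dest-check
}
```

On a live node, run `firewall-cmd --zone=ZONE_OF_INTERFACE --list-rich-rules | check_masquerade_rules "SUBNET/NETMASK"` together with `ip_forward_enabled /proc/sys/net/ipv4/ip_forward` to verify both halves of the configuration.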

Client Node

The client node does not require any special wizardry in AWS. As long as it is in the same VPC & subnet as the gateway node, then it should be able to use it to get to the internet.

The only change is to the network interface via the CLI on the node, ensuring that the following are present in /etc/sysconfig/network-scripts/ifcfg-eth0 (replacing IP_OF_NODE_WITH_PUB_IP with the internal network IP of the gateway node; in my case, this was 10.0.0.11):

NM_CONTROLLED=no
GATEWAY=IP_OF_NODE_WITH_PUB_IP
PEERDNS=yes
PEERROUTES=no
ZONE=trusted

The above will prevent Network Manager from messing with the interface, set the gateway to our configured gateway, propagate DNS settings from the network, prevent routes coming in from peers and set the firewall zone for the interface to trusted.