After spending the last week bashing my head against a desk trying to locate the various settings and “gotchas” of AWS for network address translation and IP forwarding from within a VPC, I’ve finally written down concise enough notes to publish something here so I never have to remember how to do it again.
The resources required in AWS to setup a self-contained network for a bunch of compute nodes will have a:
- Internet Gateway
- Security Group
The VPC will need a route directing traffic to 0.0.0.0/0 via the Internet Gateway, set in the associated Routing Table.
The Security Group will need at least the following rules:
- Allowing of all local traffic on the subnet
- External SSH access to the gateway node (it’s recommended to limit this only to the IP you will be accessing from, to negate possibility of SSH attacks)
In AWS, the gateway node’s network interface will need the setting Source/Destination Check set to disabled (this was the bugger that escaped my configuration and lead to many head-meet-desk moments).
On the node itself, the following will need to be done
- Enable IP forwarding (as root)
# Enable IP forwarding on the fly echo 1 > /proc/sys/net/ipv4/ip_forward # Permanently enable ip forwarding echo "net.ipv4.ip_forward = 1" > /etc/sysctl.conf
- Configure masquerade in firewall rules (replacing INTERNAL_SUBNET/NETMASK and ZONE_OF_INTERFACE with the correct information – in my case I used
10.0.0.0/255.255.0.0for the subnet/netmask and
publicfor my firewall zone)
firewall-cmd --add-rich-rule='rule family="ipv4" source address="SUBNET/NETMASK" masquerade' --zone ZONE_OF_INTERFACE --permanent firewall-cmd --reload
The client node does not require any special wizardry in AWS. As long as it is in the same VPC & subnet as the gateway node, then it should be able to use it to get to the internet.
The only change is to the network interface via the CLI on the node, ensuring that the following are present in
IP_OF_NODE_WITH_PUB_IP to the internal network IP of the gateway node, in my case, this was
NM_CONTROLLED=no GATEWAY=IP_OF_NODE_WITH_PUB_IP PEERDNS=yes PEERROUTES=no ZONE=trusted
The above will prevent Network Manager from messing with the interface, set the gateway to our configured gateway, propagate DNS settings from the network, prevent routes coming in from peers and set the firewall zone for the interface to trusted.