AWS VPC + IPtables + NAT: Port Forwarding is not working

Finally, I cracked it!

On the NAT instance, I had to change the command below:

From:

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/16 -j MASQUERADE

To:

iptables -t nat -A POSTROUTING -j MASQUERADE

And it WORKED!!!!

So, I will be creating a new question soon on ServerFault asking what the advantages and disadvantages are of using the above two commands.


  • Make sure that you are allowing tcp port 2222 inbound from 0.0.0.0/0 on the security group for your nat box
  • Make sure you have your VPC "Route Table" set up properly.
  • At least two separate tables (one associated with the private subnet, one associated with the public subnet)
  • Your 10.0.1.0 (private) subnet should have a route table rule like: Destination: 0.0.0.0/0, Target: "Nat box"
  • Your 10.0.0.0 (public) subnet should have a route table rule like: Destination: 0.0.0.0/0, Target: "Internet gateway"
  • Make sure you have Source/destination checking disabled on the NIC for your NAT box, no NATting fun without it. (I know you already have this but it's really important, so including it for some future viewer)

  • Make sure outbound packets know where to go:

    iptables --table nat --append POSTROUTING --source 10.0.0.0/16 --destination 0.0.0.0/0 --jump MASQUERADE

  • Make sure inbound packets to 2222 get rerouted properly:

    iptables --table nat --append PREROUTING --protocol tcp --dport 2222 --jump DNAT --to-destination 10.0.1.243:22


These posts helped me a lot in understanding AWS NAT. So I started to investigate what made iptables -t nat -A POSTROUTING -j MASQUERADE work.

Well, the answer I found is that the above statement allows the NAT box to source-NAT the 'LAPTOP' IP to '10.0.0.54' while at the same time performing destination NAT to 10.0.1.243. At this point the private-subnet box sees the ssh request as coming from the NAT device only. This command is actually decreasing the security of the private subnet server. It is recommended to use the command below to fine-tune access to the private subnet through ssh and the NAT box, as mentioned below:

iptables --table nat --append POSTROUTING --source "INTERNET IP of the Laptop" --destination 10.0.1.243 --jump MASQUERADE
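The iptables side of the checklist answer above, plus the narrow source-NAT variant from the last post, collected into one script for the NAT instance. This is an added example, not code from any of the answers in the thread. It assumes the NAT box has a single NIC named eth0, that the VPC is 10.0.0.0/16, that the target is 10.0.1.243:22 behind public port 2222, and it adds FORWARD-chain rules the thread does not mention (a DROP default on FORWARD silently breaks both nat rules). The 203.0.113.5 client address is a made-up documentation value. The script prints the commands by default so they can be reviewed on any machine; run it as `sh nat-forward.sh apply` on the NAT box to execute them.

```shell
#!/bin/sh
# Added example for the ServerFault thread above; not the answers' own code.
# Assumed layout (change via environment): one NIC eth0 on the NAT box,
# VPC 10.0.0.0/16, forward public tcp/2222 to 10.0.1.243:22.
set -eu

WAN_IF="${WAN_IF:-eth0}"            # the single NIC of a one-NIC VPC NAT instance
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"
PUBLIC_PORT="${PUBLIC_PORT:-2222}"
TARGET_IP="${TARGET_IP:-10.0.1.243}"
TARGET_PORT="${TARGET_PORT:-22}"
CLIENT_IP="${CLIENT_IP:-}"          # optional: the laptop's public IP, for the narrow SNAT

# Emit the commands instead of running them, so the rule set can be inspected
# (and tested) without root or iptables. Pass "apply" as $1 to execute them.
nat_rules() {
  # 1. Without forwarding the kernel never consults the FORWARD chain; the
  #    DNAT below would then match but every packet would be discarded.
  echo "sysctl -w net.ipv4.ip_forward=1"

  # 2. Outbound: only private-subnet sources are hidden behind the NAT box.
  #    Packets DNATed from the laptop keep the laptop's real source address,
  #    so sshd on the target logs the true client, but the target's security
  #    group must then allow port 22 from that address, not just from the VPC.
  echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $VPC_CIDR -j MASQUERADE"

  # 3. Inbound: laptop -> NATbox:2222 is rewritten to laptop -> target:22.
  echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $PUBLIC_PORT -j DNAT --to-destination $TARGET_IP:$TARGET_PORT"

  # 4. Filter: allow exactly the forwarded traffic and nothing else.
  echo "iptables -A FORWARD -i $WAN_IF -s $VPC_CIDR -j ACCEPT"
  echo "iptables -A FORWARD -i $WAN_IF -p tcp -d $TARGET_IP --dport $TARGET_PORT -m conntrack --ctstate NEW -j ACCEPT"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -P FORWARD DROP"

  # 5. Optional narrow source-NAT, as in the last post of the thread: the
  #    target then sees the NAT box's address instead of the laptop's, so its
  #    security group only has to trust the NAT box. -d matches the address
  #    after DNAT because PREROUTING has already run by POSTROUTING time.
  if [ -n "$CLIENT_IP" ]; then
    echo "iptables -t nat -A POSTROUTING -s $CLIENT_IP -d $TARGET_IP -j MASQUERADE"
  fi
}

# Quick sanity check you can run on the NAT box after applying: the DNAT rule
# should show a non-zero packet count after one ssh attempt to port 2222.
check_cmds() {
  echo "iptables -t nat -L PREROUTING -n -v"
  echo "iptables -L FORWARD -n -v"
  echo "sysctl net.ipv4.ip_forward"
}

if [ "${1:-}" = "apply" ]; then
  nat_rules | sh -e
  check_cmds | sh -e
else
  nat_rules
fi
```

Applying the rules with `iptables -A` every run duplicates them; on a real box flush the nat and filter chains first or persist the result once with your distribution's iptables-save tooling.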