I have a very simple configuration: two t2.micro instances, one with eth0 and the other with eth0 and eth1, both in the same VPC with a subnet 10.0.0.0/24 inside 10.0.0.0/16.
All I am trying to do is route traffic coming from the Internet through one t2 to the other and back again.
Here is the test setup, followed by what works, then what does not work. I need to get the second scenario working and I cannot understand how.
/proc/sys/net/ipv4/ip_forward = 1
t2-A: eth0 private IP 10.0.0.120 EIP a0.b0.c0.d0
      eth1 private IP 10.0.0.16 EIP a1.b1.c1.d1
t2-B: eth0 private IP 10.0.0.113
I can ping a0.b0.c0.d0, the pings arrive at 10.0.0.120, are NATed and routed to 10.0.0.113, and the ping responses come back to me from a0.b0.c0.d0.
Just these two rules:
iptables -t nat -I PREROUTING -i eth0 -p icmp -j DNAT --to-destination 10.0.0.113
iptables -t nat -I POSTROUTING -o eth0 -p icmp -j MASQUERADE
But if I try to do the same thing with eth1, I cannot make it work:
iptables -t nat -I PREROUTING -i eth1 -p icmp -j DNAT --to-destination 10.0.0.113
iptables -t nat -I POSTROUTING -o eth1 -p icmp -j MASQUERADE
Ping a1.b1.c1.d1 does not work. I can see the pings reach 10.0.0.16, and nothing else happens after that. The pings never appear on 10.0.0.113 or on any other interface. It is obvious that the ping responses are not sent.
When I first encountered this problem, I opened an AWS support ticket and they suggested that it was an asymmetric routing problem. They also recommended that I do the following, something about rule-based routing:
ip route add default via 10.0.0.1 dev eth0 table 1
ip route add default via 10.0.0.1 dev eth1 table 2
ip rule add from 10.0.0.120/32 table 1 priority 500
ip rule add from 10.0.0.16/32 table 2 priority 600
I did it, but that had no effect on the problem.
Do you have any ideas?
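Added example (not part of the original post or of anything AWS provided): a small Python model of how Linux policy routing and strict reverse-path filtering (rp_filter=1) decide the fate of an inbound packet on a two-ENI host using the addresses above. It assumes the main table's connected route for 10.0.0.0/24 points at eth0 (the first ENI), that rp_filter is in strict mode on both interfaces, and uses a constructed Internet client address 203.0.113.7.

```python
import ipaddress

# Constructed model of t2-A from the question: two ENIs in 10.0.0.0/24.
# Routing tables are lists of (prefix, egress device); rules are
# (priority, "from" prefix or None, table name), as `ip rule` lists them.
TABLES = {
    # Assumption: with both ENIs in one subnet, eth0's connected route wins.
    "main": [("10.0.0.0/24", "eth0"), ("0.0.0.0/0", "eth0")],
    "1": [("0.0.0.0/0", "eth0")],   # ip route add default via 10.0.0.1 dev eth0 table 1
    "2": [("0.0.0.0/0", "eth1")],   # ip route add default via 10.0.0.1 dev eth1 table 2
}
DEFAULT_RULES = [(32766, None, "main")]                       # stock kernel rule set
AWS_RULES = DEFAULT_RULES + [(500, "10.0.0.120/32", "1"),     # ip rule add from ... table 1
                             (600, "10.0.0.16/32", "2")]      # ip rule add from ... table 2


def longest_match(table, dst):
    """Longest-prefix match of dst within one routing table; returns the device."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else None


def egress(rules, src, dst):
    """Policy routing: walk rules by priority; the first whose 'from' matches the
    source selects a table, and the first table holding a route picks the device."""
    for _prio, frm, table in sorted(rules, key=lambda r: r[0]):
        if frm is None or ipaddress.ip_address(src) in ipaddress.ip_network(frm):
            dev = longest_match(TABLES[table], dst)
            if dev:
                return dev
    return None


def strict_rp_filter_accepts(rules, iif, src, dst):
    """rp_filter=1: the kernel routes the *reversed* flow (packet destination as
    source, packet source as destination) and accepts the packet only if that
    reply would leave through the interface the packet arrived on."""
    return egress(rules, src=dst, dst=src) == iif


def trace_inbound_ping(rules, iif, client, eni_ip, dnat_target="10.0.0.113"):
    """Return (accepted by rp_filter, device the DNATed packet is forwarded on)."""
    if not strict_rp_filter_accepts(rules, iif, client, eni_ip):
        return False, None
    # After DNAT the source is still the Internet client, so the 'from' rules
    # keyed on the ENI addresses never apply to the forwarded packet itself.
    return True, egress(rules, client, dnat_target)
```

With the stock rule set the ping to eth1 is dropped by the reverse-path check before forwarding; with the AWS rules it is accepted, but the forwarded copy still leaves via eth0, so a POSTROUTING rule matched on `-o eth1` never sees it.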