aws iptables nat works on eth0 but not on eth1

I have a very simple setup: two t2.micro instances, one with eth0, and the other with eth0 and eth1, both in the same VPC with a 10.0.0.0/24 subnet in 10.0.0.0/16.

All I’m trying to do is have traffic from the internet routed through one t2 into the other, and return.

Here is the test setup, followed by what works, then by what does not work. I need to make the second scenario work, and can’t figure out how.

/proc/sys/net/ipv4/ip_forward = 1

t2-A: eth0 private IP 10.0.0.120, EIP a0.b0.c0.d0
      eth1 private IP 10.0.0.16, EIP a1.b1.c1.d1

t2-B: eth0 private IP 10.0.0.113

I can ping a0.b0.c0.d0, the pings come in to 10.0.0.120, are NATed and routed to 10.0.0.113, and the ping replies come back out a0.b0.c0.d0 to me.

All it takes is these two rules:

iptables -t nat -I PREROUTING -i eth0 -p icmp -j DNAT --to 10.0.0.113
iptables -t nat -I POSTROUTING -o eth0 -p icmp -j MASQUERADE

But if I try to do the same thing through eth1, I can’t get it to work:

iptables -t nat -I PREROUTING -i eth1 -p icmp -j DNAT --to 10.0.0.113
iptables -t nat -I POSTROUTING -o eth1 -p icmp -j MASQUERADE

Ping a1.b1.c1.d1 does not work. I can see the pings hitting 10.0.0.16, and nothing else happens after that. The pings never show up on 10.0.0.113 or any other interface, so of course ping replies are not sent.

When I first ran into this, I opened an AWS support ticket, and they suggested it was an asymmetrical routing issue, and told me to do the following, something about policy-based routing:

ip route add default via 10.0.0.1 dev eth0 table 1
ip route add default via 10.0.0.1 dev eth1 table 2
ip rule add from 10.0.0.120/32 table 1 priority 500
ip rule add from 10.0.0.16/32 table 2 priority 600

I did that, but it had no effect at all on the problem.

Do you have any ideas?
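To check which of the quoted ip rules a given packet can match, here is an added Python model of the Linux policy-routing lookup; it is not from the question or from AWS support, it assumes the main table still holds the instance's default route via eth0 and uses 203.0.113.9 as a placeholder for the pinging host, and it goes one step beyond the post by also showing a fwmark-selected rule of the kind used with conntrack marks.

```python
import ipaddress

# Constructed model of the Linux policy-routing lookup (`ip rule` + `ip route`):
# rules are tried in priority order, the first whose selector matches picks a
# table, and the longest-prefix route in that table covering the destination
# wins; if the table has no matching route, lookup continues with the next rule.

RULES = [  # (priority, selector, table), as given in the support suggestion
    (500, {"from": "10.0.0.120/32"}, "1"),
    (600, {"from": "10.0.0.16/32"}, "2"),
    (32766, {}, "main"),
]

# Hypothetical extra rule: packets carrying firewall mark 2 use table 2 (the
# mark would be restored from conntrack with CONNMARK on reply packets).
MARK_RULES = [(400, {"fwmark": 2}, "2")] + RULES

TABLES = {  # assumption: main still holds the default route via eth0
    "1": [("0.0.0.0/0", "eth0")],
    "2": [("0.0.0.0/0", "eth1")],
    "main": [("10.0.0.0/24", "eth0"), ("0.0.0.0/0", "eth0")],
}


def route(src, dst, fwmark=0, rules=RULES):
    """Return (table, oif) chosen for a packet, or (None, None) if unroutable."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, sel, table in sorted(rules, key=lambda r: r[0]):
        if "from" in sel and src not in ipaddress.ip_network(sel["from"]):
            continue
        if "fwmark" in sel and sel["fwmark"] != fwmark:
            continue
        best = None
        for prefix, oif in TABLES[table]:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, oif)
        if best is not None:
            return table, best[1]
    return None, None


if __name__ == "__main__":
    pinger = "203.0.113.9"  # placeholder for the host on the internet
    # Locally originated packets from each private address pick their own table.
    print(route("10.0.0.120", pinger), route("10.0.0.16", pinger))
    # A forwarded reply from t2-B is routed while its source is still 10.0.0.113
    # (DNAT is only reversed in POSTROUTING, after routing), so no rule matches.
    print(route("10.0.0.113", pinger))
    # With a connection mark carried over to the reply, the fwmark rule wins.
    print(route("10.0.0.113", pinger, fwmark=2, rules=MARK_RULES))
```

On a live host the same question is answered by `ip route get <dst> from <src> iif <iface>`, which reports the table and device the kernel would actually pick.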

Can’t ping eth1 via eth0

I have two virtual machines with CentOS 7 installed. Each VM has two NICs and two IP addresses.

ip configuration of VM1:

eth0: 172.255.255.5/30
eth1: 10.11.111.254/21

route of VM1:

10.11.104.0/21 dev eth1 proto kernel scope link src 10.111.111.254 metric 101
172.255.255.4/30 dev eth0 proto kernel scope link src 172.255.255.5 metric 100

ip configuration of VM2:

eth0: 172.255.255.6/30
eth1: 10.10.1.210/24

route of VM2:

10.10.1.0/24 dev eth1 proto kernel scope link src 10.10.1.210 metric 101
172.255.255.4/30 dev eth0 proto kernel scope link src 172.255.255.6 metric 100

I can ping from VM1(172.255.255.5,10.11.111.254) to 172.255.255.6 and can ping from VM2(172.255.255.6, 10.10.1.210) to 172.255.255.5.

The problem is, I want to ping from VM1(172.255.255.5,10.11.111.254) to 10.10.1.210, so I add a route in VM1

ip route add 10.10.1.210 via 172.255.255.6

so the route of VM1 is:

10.10.1.210 via 172.255.255.6 dev eth0
10.11.104.0/21 dev eth1 proto kernel scope link src 10.111.111.254 metric 101
172.255.255.4/30 dev eth0 proto kernel scope link src 172.255.255.5 metric 100

But I still can’t ping from VM1 to 10.10.1.210.

So, where am I wrong?

By the way, I have disabled SELinux and firewalld on all my machines.

Using AWS, how to connect two EC2 instances using the eth1 interface on both instances?

I have 2 EC2 instances running Ubuntu 18.04. I’ve attached an additional network interface “eth1” to each instance. Now each instance has 2 interfaces (eth0, eth1), where eth0 is the default gateway. What I’m trying to do is to attach eth1 from instance 1 to eth1 from instance 2.