
I am trying out something, so this is my test setup:

Setup:

  • I have AWS VPC with a public and private subnet.
  • I have a host in public subnet with a public IP address (say Host A)
  • I have a host in private subnet running nginx on port 80 (Say host B with IP address 10.0.1.132 )

What I want to do

I want to access the Webserver on Host B from Internet by visiting Host A.

How

I set up the IP forwarding parameter in sysctl.conf on host A and then put in the iptables rule below:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.132:80

Issue:

It is not working, and I am not able to open the web page when I visit host A on port 80.

Other info (with respect to AWS VPC Security Group):

  • I have port 80 incoming access on host A from 0.0.0.0/0
  • I have port 80 outgoing access on host A to 10.0.1.0/24
  • I have incoming port 80 access on host B from host A

Here is the kernel info:

# sysctl  -p | grep forward
net.ipv4.ip_forward = 1

Also, I am able to telnet from Host A to host B on port 80, so this certifies that my AWS security group is working as expected.

I think I am going wrong on the iptables part. Could you help me figure out what is wrong in the above setup?

slayedbylucifer

2 Answers


Do you realize that the private host should …

  • … have a default route pointing back to the router?
  • … be SNATed so that its replies go back the same way?
poige

I think I am going wrong on the iptables part. Could you help me figure out what is wrong in the above setup?

Correct. The traffic will get through the Amazon Security Group, but then get blocked by iptables. You need a FORWARD rule that will accept the NAT'd traffic:

iptables -A FORWARD -p tcp -m tcp -d 10.0.1.132 --dport 80 -j ACCEPT

Note that -A may not be correct; you might need -I (insert) and then a number after "FORWARD" giving the position in your FORWARD chain where you want the rule inserted (i.e. before any DROPs). You can list your FORWARD chain with

iptables -L FORWARD -n --line-numbers
GeoSword