Connectivity issues with dual NIC machine in EC2
- by Matt Sieker
I'm trying to get some servers set up in EC2 in a Virtual Private Cloud. To do this, I have two subnets:
10.0.42.0/24 - Public subnet
10.0.83.0/24 - Private subnet
To bridge these two, I have a Funtoo instance with a pair of NICs:
eth0 10.0.42.10
eth1 10.0.83.10
Which has the following routing table:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.83.0 * 255.255.255.0 U 0 0 0 eth1
10.0.83.0 * 255.255.255.0 U 203 0 0 eth1
10.0.42.0 * 255.255.255.0 U 202 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default 10.0.42.1 0.0.0.0 UG 0 0 0 eth0
default 10.0.42.1 0.0.0.0 UG 202 0 0 eth0
An elastic IP is attached to the eth0 interface, and I can connect to it fine remotely. However, I cannot ping anything in the 10.0.83.0 subnet.
For now iptables is not set up on the box, so there's no rules that would get in the way (Eventually this will be managed by Shorewall, but I should get basic connectivity done first)
Subnet details from the VPC interface:
CIDR: 10.0.83.0/24
Destination Target
10.0.0.0/16 local
0.0.0.0/0 [ID of eth1 on NAT box]
Network ACL: Default
Inbound:
Rule # Port (Service) Protocol Source Allow/Deny
100 ALL ALL 0.0.0.0/0 ALLOW
* ALL ALL 0.0.0.0/0 DENY
Outbound:
Rule # Port (Service) Protocol Destination Allow/Deny
100 ALL ALL 0.0.0.0/0 ALLOW
* ALL ALL 0.0.0.0/0 DENY
CIDR: 10.0.83.0/24 VPC:
Destination Target
10.0.0.0/16 local
0.0.0.0/0 [Internet Gateway ID]
Network ACL: Default (replace)
Inbound:
Rule # Port (Service) Protocol Source Allow/Deny
100 ALL ALL 0.0.0.0/0 ALLOW
* ALL ALL 0.0.0.0/0 DENY
Outbound:
Rule # Port (Service) Protocol Destination Allow/Deny
100 ALL ALL 0.0.0.0/0 ALLOW
* ALL ALL 0.0.0.0/0 DENY
I've been trying to work this out most of the evening, but I'm just stuck. I'm either missing something obvious, or am doing something very wrong. I would think I'd be able to ping from either interface on this box without issue.
Hopefully some more pairs of eyes on this configuration will help.
EDIT:
I am an idiot. After I bothered to install nmap to run some more tests, I discover I can see the ports, and connect to them, pings are just being blocked.