Why I Can't make SNAT using IPTables in EC2?


I've made an SNAT translation in my EC2 instance to receive traffic destined to, and translate the source IP to. In tcpdump I see the translation happening; the original IP of my instance is.

The iptables command for SNAT that I used:

    sudo iptables -t nat -A POSTROUTING -p tcp -d -j SNAT --to-source

The tcpdump command used to analyse it:

    sudo tcpdump src net

But in the flow logs of my ENI the translated source address doesn't appear, just the original one. I've turned kernel IP forwarding on. tcpdump seems to change the source IP to the wished one. The CloudWatch query to see the IPs doesn't capture the translated packets.

The iptables rule (screenshot).

The source/destination check is disabled (marked as "stop").

  • What's the private IP of the EC2 instance? What's the ENI IP address?

  • I'm struggling a little to understand your question. What's missing? What behaviour do you expect? Thanks. Sorry.

  • is the private IP of my NAT instance. The NAT instance is configured to change the source IP address of packets with destination, to. In my tcpdump above I see the source address being changed to, but in CloudWatch I just see the original IP of my NAT instance, not being translated. I need this rule to change the source address to in case the destination network matches with

2 Answers

What happens on the EC2 instance with iptables will not be seen in the flow logs. The flow logs will always show the original packet before any manipulation on the EC2 instance.

Again, I may be missing something in your question, but this is my understanding of what you're expecting to see.

answered 8 months ago
  • OK, but my VPN allows the AWS side to communicate over the VPN, so why are the packets whose source is changed from to not able to traverse the VPN?

  • What's the CIDR block of the subnet that your EC2 instance is on? What routes do you have on your subnet to send traffic over the VPN?

  • My EC2 instance is on. I have a route in this subnet to through the VGW. I expect the packets with the source IP changed to to go out to the VPN through that route, because the customer I'm connected to over the VPN only allows the IP to communicate inside its network, but I'm not able to translate the source IP of to

  • I have the following output in my tcpdump: IP > Flags [S], seq 2208114893, win 62727, options [mss 8961,sackOK,TS val 2497077807 ecr 0,nop,wscale 7], length 0. The source IP is being changed to, but the route table doesn't route to my NGW. Does the AWS network support SNAT?


Looking at your screenshot and information, the TCP three-way handshake is failing. All I see is SYN.

I would check the routes on the VPN, and also that your customer/client has a route back to the VPN.

answered 7 months ago
  • Yes, the connection is failing because the SNAT is not working. My client made a route just to receive connections from, and as my NAT instance has the private IP and is not SNATing to, my traffic doesn't even leave my VPC, because my VPN side only allows to go out. My NAT instance with an SNAT rule has a crucial job in making this communication happen.
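Both answers come down to the same two checks against the ENI's flow logs: does any flow to the customer network leave with the SNAT address as its source, and does that flow ever see a reply. The script below is an added example, not part of the original thread or of any AWS tooling. It parses the default (version 2) VPC flow log record format and, for every outbound flow into a destination CIDR, reports whether the source is still the instance's own private IP (the SNAT rule did not apply on that path) or the SNAT address, and whether the mirror-image flow (customer host back to the SNAT address, ports swapped) appears at all, which is the flow-log equivalent of "all I see is SYN". The sample records and every address in them (RFC 5737 documentation ranges) are constructed for the example; substitute the real instance IP, SNAT address and customer CIDR from the thread.

```python
"""Audit VPC flow log records for an SNAT'd flow and its return traffic.

Added example, not from the original thread. Addresses and records below
are constructed; the roles assumed are:
  192.0.2.10    private IP of the NAT instance (untranslated source)
  203.0.113.5   address given to iptables --to-source
  198.51.100.0/24  customer network reached over the VPN
"""
import ipaddress

# Constructed sample in the default version-2 flow log format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 192.0.2.10 198.51.100.20 45210 443 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 198.51.100.20 45211 443 6 8 1220 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.20 203.0.113.5 443 45211 6 7 980 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 198.51.100.30 45212 443 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.0.2.10 192.0.2.50 51000 22 6 10 2000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse version-2 records; skip headers, blank lines and NODATA/SKIPDATA."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 14 or fields[0] != "2":
            continue
        if fields[13] != "OK":          # NODATA / SKIPDATA carry no addresses
            continue
        records.append({
            "interface_id": fields[2],
            "src": fields[3], "dst": fields[4],
            "srcport": int(fields[5]), "dstport": int(fields[6]),
            "protocol": int(fields[7]),
            "packets": int(fields[8]), "bytes": int(fields[9]),
            "action": fields[12],
        })
    return records


def flow_key(r):
    return (r["src"], r["dst"], r["srcport"], r["dstport"], r["protocol"])


def reverse_key(r):
    """The 5-tuple a reply to this flow would be logged under."""
    return (r["dst"], r["src"], r["dstport"], r["srcport"], r["protocol"])


def audit_snat(records, instance_ip, snat_ip, dest_cidr):
    """Classify flows from the NAT instance into dest_cidr.

    state:      'untranslated' if the source is still the instance's own IP,
                'translated' if it is the SNAT address.
    reply_seen: whether the mirrored flow (dest host -> source, ports swapped)
                appears anywhere in the records. A missing reply on a
                translated flow points at the far side lacking a route back.
    """
    net = ipaddress.ip_network(dest_cidr)
    seen = {flow_key(r) for r in records}
    findings = []
    for r in records:
        if ipaddress.ip_address(r["dst"]) not in net:
            continue                     # not traffic towards the customer
        if r["src"] == instance_ip:
            state = "untranslated"
        elif r["src"] == snat_ip:
            state = "translated"
        else:
            continue                     # some other host, not the NAT instance
        findings.append({
            "flow": flow_key(r),
            "state": state,
            "reply_seen": reverse_key(r) in seen,
        })
    return findings


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    for f in audit_snat(recs, "192.0.2.10", "203.0.113.5", "198.51.100.0/24"):
        src, dst, sport, dport, proto = f["flow"]
        print(f"{src}:{sport} -> {dst}:{dport}/{proto}  "
              f"{f['state']:12s} reply_seen={f['reply_seen']}")
```

Run against a real export (the CloudWatch Logs Insights "fields @message" output pasted into a file works as-is) and read the result against the thread: every finding in the "untranslated" state is a packet that left the ENI without the POSTROUTING rule having matched, and a "translated" finding with reply_seen=False is the one-sided SYN the second answer describes, i.e. the customer side has no route back to the SNAT address over the VPN. The default flow log format has no TCP flag field, so reply presence is used as the proxy here rather than SYN/SYN-ACK counting.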
