Hi,
To laugh back on me Amazon has made all proper arrangements and this is what they say
If you have ever bumped into this situation where a good chap VPC from Amazon is at your help and as per expectation NAT machine in Public subnet is not able to route traffic (even if all the security group and NAT rules are in place) and worst, no one has posted anything on this.. then you are at my situation :)
What i have done seems all correct. Am able to ssh in NAT and also able to log into destination instances(ssh-ing them from NAT), NAT rules even though all look good syntacticly and as per the requirement, is not working at all.
So what i have done wrong? Here is the answer
Was trying to make a typical Scenario 1 VPC on amazon and with the help of NAT machine was trying to forward traffic on other two instances (available in public subnet itself) so that can save myself on buying EIPs for instances created (Trying to be [over]smart).
To laugh back on me Amazon has made all proper arrangements and this is what they say
We use the term NAT instance; however, the primary role of a NAT instance is actually port address translation (PAT). We chose to use the more widely known term, NAT. For more information about NAT and PAT, see the Wikipedia article about network address translation.The main route table sends the traffic from the instances in the private subnet to the NAT instance in the public subnet. The NAT instance sends the traffic to the Internet gateway for the VPC. The traffic is attributed to the Elastic IP address of the NAT instance. The NAT instance specifies a high port number for the response; if a response comes back, the NAT instance sends it to an instance in the private subnet based on the port number for the response.
So in a nutshell a NAT machine(in Amazon VPC) can work (of routing traffic) as per expectation if only the instances its connecting-to, is in private subnet and not in public subnet.
If it helped you anywhere am glad (am not the only one)