diff --git a/main.tf b/main.tf
index 9b00d8a..0a8eadd 100644
--- a/main.tf
+++ b/main.tf
@@ -194,7 +194,9 @@ resource "aws_iam_role_policy" "eni" {
 {
 "Effect": "Allow",
 "Action": [
-"ec2:AttachNetworkInterface"
+"ec2:AttachNetworkInterface",
+"ec2:ModifyNetworkInterfaceAttribute",
+"ec2:DescribeInstances"
 ],
 "Resource": "*"
 }
diff --git a/runonce.sh b/runonce.sh
index 3a0e01c..2803d9c 100644
--- a/runonce.sh
+++ b/runonce.sh
@@ -1,12 +1,25 @@
 #!/bin/bash -x
+sudo yum install -y jq
+
+INSTANCE_ID="$(/opt/aws/bin/ec2-metadata -i | cut -d' ' -f2)"
+REGION="$(/opt/aws/bin/ec2-metadata -z | sed 's/placement: \(.*\).$/\1/')"
+
 # attach the ENI
 aws ec2 attach-network-interface \
- --region "$(/opt/aws/bin/ec2-metadata -z | sed 's/placement: \(.*\).$/\1/')" \
- --instance-id "$(/opt/aws/bin/ec2-metadata -i | cut -d' ' -f2)" \
+ --region "$REGION" \
+ --instance-id "$INSTANCE_ID" \
 --device-index 1 \
 --network-interface-id "${eni_id}"
+# Disable source/destination checks
+for i in $(aws ec2 describe-instances --region "$REGION" --filter '[{"Name": "instance-id", "Values": ["'$INSTANCE_ID'"]}]' | jq -r .Reservations[0].Instances[0].NetworkInterfaces[].NetworkInterfaceId); do
+ aws ec2 modify-network-interface-attribute \
+ --region "$REGION" \
+ --network-interface-id "$i" \
+ --no-source-dest-check
+done
+
 # start SNAT
 systemctl enable snat
 systemctl start snat
diff --git a/snat.sh b/snat.sh
index b026a0d..86333de 100644
--- a/snat.sh
+++ b/snat.sh
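Review bot: `ec2:ModifyNetworkInterfaceAttribute` is added to a statement whose `Resource` is `*`, so the instance role can now change attributes — including the security groups — of every network interface in the account, not only the ENI this instance attaches for SNAT. `ec2:DescribeInstances` does not take resource-level permissions and genuinely needs `*`, but as far as I know `ModifyNetworkInterfaceAttribute` and `AttachNetworkInterface` both accept a network-interface ARN, so they belong in a separate statement scoped like `"Resource": "arn:aws:ec2:<REGION>:<ACCOUNT_ID>:network-interface/<ENI_ID>"` (placeholders; a tag condition such as `ec2:ResourceTag/<KEY>` works if the ENI id is not known at plan time). The enclosing `aws_iam_role_policy` block starts before this hunk, so the full statement list is not visible here.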
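Review bot: The new source/dest-check loop depends on `jq`, which the first added line installs from a package repository at first boot, and neither that install nor the `describe-instances` call is checked (the script runs with `-x` only, no `set -e`), so if either fails the loop body never executes and source/dest check silently stays enabled before `systemctl start snat`. The CLI can do the selection itself, which removes the jq dependency and the hand-built `--filter` JSON that splices `$INSTANCE_ID` in unquoted: `for i in $(aws ec2 describe-instances --region "$REGION" --instance-ids "$INSTANCE_ID" --query 'Reservations[0].Instances[0].NetworkInterfaces[].NetworkInterfaceId' --output text); do` and drop `sudo yum install -y jq`. The loop also clears the check on every ENI of the instance rather than only on `${eni_id}`; if that is intended a comment saying why would help, otherwise use `${eni_id}` directly and the describe call goes away too. It is also worth confirming that an ENI attached by the command just above is already listed when `describe-instances` runs immediately afterwards, since nothing here waits on the attachment.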
@@ -1,24 +1,24 @@
 #!/bin/bash
 set -x
-# wait for eth1
+# Wait for eth1
 while ! ip link show dev eth1; do
 sleep 1
 done
-# enable IP forwarding and NAT
+# Enable IP forwarding
 sysctl -q -w net.ipv4.ip_forward=1
+
+# Disable ICMP redirects on eth1
 sysctl -q -w net.ipv4.conf.eth1.send_redirects=0
-iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
-# prevent setting the default route to eth0 after reboot
-rm -f /etc/sysconfig/network-scripts/ifcfg-eth0
+# Configure NAT
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-# switch the default route to eth1
-ip route del default dev eth0
+# Disable reverse path protection
+for i in $(find /proc/sys/net/ipv4/conf/ -name rp_filter) ; do
+ echo 0 > $i;
+done
 # wait for network connection
 curl --retry 10 http://www.example.com
-
-# reestablish connections
-systemctl restart amazon-ssm-agent.service
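Review bot: The added rp_filter loop writes `0` into every `rp_filter` under `/proc/sys/net/ipv4/conf/`, including `all` and `default`, which switches reverse-path filtering off for the whole host; for a gateway with an asymmetric return path, loose mode keeps the anti-spoofing check while still accepting those packets, so prefer `sysctl -q -w net.ipv4.conf.all.rp_filter=2` (plus `default` and `eth1` as needed), which also matches the sysctl style used a few lines above and avoids the unquoted `$i` and the `find` subshell. `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` is appended on every start of the snat service, so each restart adds a duplicate rule; guard it with `iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE`. There is still no FORWARD-chain rule, so once `ip_forward` is on the instance forwards for any source that can reach eth1; whether the subnet route tables make that acceptable cannot be judged from this script alone.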