nodesocket 3 hours ago

I build my own NAT instances from Debian Trixie with Packer on AWS. AWS built-in NAT Gateways use an absurdly outdated and end-of-life version of Amazon Linux and are ridiculously expensive (especially traffic).

The bash configuration is literally a few lines:

    # Enable IPv4 forwarding persistently, then reload all sysctl settings
    cat <<'EOF' | sudo tee /etc/sysctl.d/99-ip-forwarding.conf > /dev/null
    net.ipv4.ip_forward=1
    EOF

    sudo sysctl --system

    # Masquerade everything leaving via the instance's ENI
    sudo iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
    # Rebuild the FORWARD chain: allow replies back in, allow new flows out
    sudo iptables -F FORWARD
    sudo iptables -A FORWARD -i ens5 -m state --state RELATED,ESTABLISHED -j ACCEPT
    sudo iptables -A FORWARD -o ens5 -j ACCEPT
    # Persist the rules (path used by the iptables-persistent package)
    sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null

Change ens5 to your instance's network interface name. Also, VERY IMPORTANT: you must set source_dest_check = false on the EC2 NAT instances.

Also, don’t assign an EIP to your EC2 NAT instances (unless you absolutely must persist a given public IP) as that counterintuitively routes through public traffic. Just use an auto-assigned public IP (no EIP).

    NAT instance with EIP
      - AWS routes it through the public AWS network infrastructure (hairpinning).
      - You get charged $0.01/GB regional data transfer, even if in the same AZ.

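A tightened variant of the rule set in the comment above, added here as an example (it is not the commenter's code). The differences that matter: the FORWARD chain defaults to DROP, only traffic sourced from the VPC CIDR is forwarded or masqueraded, and the egress interface is read from the default route instead of being hard-coded. The VPC CIDR `10.0.0.0/16` is an assumed placeholder; the generated commands are printed so they can be reviewed before being piped to `sudo sh`.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a stricter NAT rule set:
# default-deny forwarding, and only the VPC's own address range may leave
# through the NAT. VPC_CIDR below is an assumed placeholder value.
VPC_CIDR="10.0.0.0/16"

# detect_egress_iface: prints the interface carrying the default route
# (ens5 on many Nitro instances), or nothing if it cannot be determined.
detect_egress_iface() {
  ip -o route show default 2>/dev/null | awk '{print $5; exit}' || true
}

# nat_rules IFACE CIDR: prints the iptables commands for the given
# egress interface and VPC CIDR. Nothing is applied here.
nat_rules() {
  iface="$1"; cidr="$2"
  cat <<EOF
iptables -t nat -A POSTROUTING -s $cidr -o $iface -j MASQUERADE
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -i $iface -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $cidr -o $iface -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# check_forwarding: succeeds only if the kernel has ip_forward enabled,
# which is the first thing to verify when a NAT instance "does nothing".
check_forwarding() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Usage (review the output first, then apply):
#   nat_rules "$(detect_egress_iface)" "$VPC_CIDR"
#   nat_rules "$(detect_egress_iface)" "$VPC_CIDR" | sudo sh
```

The explicit `-s $cidr` on both the MASQUERADE and the ACCEPT rule means a stray route or a mis-scoped security group cannot turn the instance into an open forwarder; the source_dest_check setting from the comment above is still required.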
topspin 42 minutes ago | parent | next [-]

"NAT instances"

That's what you did before AWS had the "NAT Gateway" managed service. It's literally called "NAT Instance" in current AWS documentation, and you can implement it in any way you wish. Of course, you don't have to limit yourself to iptables/nftables etc. OPNsense is a great way to do a NAT instance.

nodesocket 37 minutes ago | parent [-]

I believe the NAT instances also use super old and end-of-life Amazon Linux. I prefer Debian Trixie with Packer and EC2 instances and no EIP. Most secure, performant, and cost-effective setup possible.

> NAT AMI is built on the last version of the Amazon Linux AMI, 2018.03, which reached the end of standard support on December 31, 2020 and end of maintenance support on December 31, 2023.

unquietwiki 3 hours ago | parent | prev | next [-]

Assigning an IP is ideal if you're having to whitelist traffic to/from a data center, application, or service.

nodesocket 2 hours ago | parent [-]

Sure, that’s one case, though you might be able to give out a host instead of an IP to others to whitelist. Then you just set a low TTL and update the DNS record.

Nextgrid 2 hours ago | parent | prev [-]

OpenWrt is also a good option.