Self-hosting a NAT Gateway

69 comments

·November 17, 2025

Arch-TK

The article seems to perpetuate one of those age old myths that NAT has something to do with protection.

Yes, in a very superficial sense, you can't literally route a packet over the internet backwards to a host behind NAT without matching a state entry or explicit port forwarding. But implementing NAT on it's own says nothing about the behavior of your router firewall with regards to receiving Martians, or with regards to whether the router firewall itself accepts connections and if the router firewall itself isn't running some service which causes exposure.

To actually protect things behind NAT you still need firewall rules and you can keep those rules even when you are not using NAT. Thus those rules, and by extension the protection, are separable from the concept of NAT.

This is the kind of weird argument that has caused a lot of people who hadn't ever used IPv6 to avoid trying it.

gldrk

>Yes, in a very superficial sense, you can't literally route a packet over the internet backwards to a host behind NAT without matching a state entry or explicit port forwarding.

Don’t forget source routing. That said, depending on your threat model, it’s not entirely unreasonable to just rely on your ISP’s configuration to protect you from stuff like this, specifically behind an IANA private range.

0xbadcafebee

Fwiw, the solutions mentioned here don't seem to properly secure the kernel's network stack against common attacks (rp_filter, accept_redirects, accept_source_route, syncookies, netfilter rules, etc). Ask your local security guru to harden the instance before deploying.

tonymet

In aws you can use IPv6 with either security groups or EIGW to avoid NAT fees altogether (you still pay for transfer fees )

Death , taxes and transfer fees

mannyv

Moving to IPv6 works until it doesn't.

kenrose

We did this at OpsLevel a few years back. Went from AWS managed NAT gateway to fck-nat (Option 1 in the article).

It’s a (small) moving part we now have to maintain. But it’s very much worth the massive cost savings in NATGateway-Bytes.

A big part of OpsLevel is we receive all kinds of event and payload data from prod systems, so as we grew, so did our network costs. fck-nat turned that growing variable cost into an adorably small fixed one.

nodesocket

I looked at using fck-nat, but decided it was honestly easier to build my own Debian Trixie packer images. See my comment below[1]. How has your experience been with fck-nat?

[1] https://news.ycombinator.com/item?id=46010302

stormbeard

I can't believe people are paying these crazy amounts for what is basically a fleet of firewalls. What is the difficulty in running VMs with nftables rules?

notatoad

running a VM where? on an ec2 instance? who's going to keep that updated for me? who's going to reprovision it when aws retires the underlying hardware? who's going to monitor it for PCI compliance for me? i don't want to deal with all that. i could dump it on fargate, but at that point it's barely cheaper than just using the official version.

i've had to look at my nat gateway zero times since i set it up a couple years ago. i can't say that about any VM host i've got. to me, that's easily worth the few dollars a month that aws charges for it. it's cheaper than hiring somebody, and it's cheaper than me.

moduspol

It costs a lot more than a few bucks when you’re putting a lot of traffic through it. And running your own NAT instance does not incur per-GB traffic costs.

That said, the paid NAT gateways do also publish metrics. That can be nice when debugging a legitimate issue, such as when your gateway actually runs out of NAT ports to use.

null

[deleted]

gerdesj

Or if nft is too complicated (firewalld) then do ufw.

Nextgrid

1) You can't `npm install` it, which is a huge barrier to entry to the modern breed of "engineers".

2) Companies will happily pay thousands in recurring fees for the built-in NAT gateway, but if an engineer asks for even half that as a one-off sum to motivate them to learn Linux networking/firewalling, they'd get a hard no, so why should they bother?

notTooFarGone

It's honestly ridiculous that people now see that self hosting is stupidly cheaper and still 99.9% reliable.

No your service does not need the extra .099% availability for 100x the price...

Make your own VPN while you are at it, wireguard is basically the same config.

Numerlor

For company hosting cloud solutions gets you the various compliance stuff for free which can be worth it if you're not too large, and of course faster turnaround if you need to get a product out.

For personal a cheap vps will end up costing around the same as something you can do on your own, without the risk of messing up your machine/network from a vulnerable endpont

IgorPartola

This is really it: compliance. The cost is in having to prove that you did the right things. But I do wonder if we will see an easier path forward with that. After all if there was a way to pay someone a once a year fee for an audit and filling out the paperwork and the cost was lower than the cost of using AWS then surely people would do that and it is an opportunity for an audit business that is willing to work with self-hosted setups. Or just have GPT-5 fill out the compliance docs. I suspect it won’t be long until GPT-5 is reading them.

faizshah

I think AI coding is another part of why this is seeing a resurgence. It’s a lot quicker to build quick and dirty scripts or debug the random issues that come up self hosting.

radicaldreamer

A lot of this is support. If you’re self hosting, when things don’t work the way they should, the team has no one to blame. On AWS, they can always lean on aws not working the way it should as an excuse.

null

[deleted]

nwellinghoff

I think it might be as simple as ipv4 is just nicer to look at…maybe we should have just done “ipv5” and added another block. Eg 1.1.1.1.1. I know its stupid, but ipv6 addresses are just so hard to remember and look at that I think its just human nature to gravitate towards the simplicity of ipv4.

miyuru

How did you access HN? is it by typing its IPv4 address?

denkmoon

dead::beef is just as memorable as 1.1.1.1, and my v6 delegated prefix is just as unmemorable as my public v4. The "easier to remember" argument just sucks hard.

dboreham

This was all discussed at length in 1993.

ajsnigrutin

The problem with "add another block" is, that you have to change everything everywhere to make it work... and if you're changing everything, why not expand it properly.

Only a tiny minority of people have to look at those addresses, the majority just types "facebook", enter, clicks on first google result and gets facebook (because ".com" is too hard to write).

theideaofcoffee

I have difficulty remembering ten numbers, why do I have to say 1-212-487-1965 when I can just say Santa Rosita 71965? Maybe we should have just done another exchange name and added another name. Eg Hawthorne Santa Rosita 71965. I know its stupid, but 10 digit phone numbers are just so hard to remember and look at that I think its just human nature to gravitate towards the simplicity of telephone exchange prefixes.

Yet again, another fundamental misunderstanding (either genuine or not, I'm not sure) about the low-level technologies and their origins that underpin all of this. "Can't we just..."? No.

api

As an OG networking person, developer, and Linux user, the state of modern dev culture just makes me sad.

Modern devs are helpless in the face of things I taught myself to do in a day or two when I was fourteen, and they’re paralyzed with terror at the thought of running something.

It’s “hard” goes the cliche. Networking is “hard.” Sys admin is “hard.” Everything is “hard” so you’d better pay an expert to do it.

Where do we get these experts? Ever wonder that?

It’s just depressing. Why even bother.

It really makes me worry about who will keep all this stuff running or build anything new in the future if we are losing not only skills but spine and curiosity. Maybe AI.

amarant

I actually kinda think ai will help with this, in a roundabout way.

I think of AI as a kind of floor, a minimum required skill to be able to get a job as a professional anything. If you want to find paid work as a developer, you have to at least be better than AI at the job.

Optimistically AI will filter out all the helpless Devs who can't get anything done from the job market. "Code monkeys" won't be a thing.

Juniors will have to enter unpaid trainee programs I guess, but that might not be such a bad thing

theideaofcoffee

All of this. I despair with some of the takes on basic technology being hard. And when you try to defend understanding just the most rudimentary things, you're labeled a problem because you should just be paying out the nose for the service and writing even more shit code to cover it up.

nodesocket

I build my own NAT instances from Debian Trixie with Packer on AWS. AWS built-in NAT Gateways use an absurdly outdated and end-of-life version of Amazon Linux and are ridiculously expensive (especially traffic).

The bash configuration is literally a few lines:

    cat <<'EOF' | sudo tee /etc/sysctl.d/99-ip-forwarding.conf > /dev/null
    net.ipv4.ip_forward=1
    EOF

    sudo sysctl --system

    sudo iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
    sudo iptables -F FORWARD
    sudo iptables -A FORWARD -i ens5 -m state --state RELATED,ESTABLISHED -j ACCEPT
    sudo iptables -A FORWARD -o ens5 -j ACCEPT
    sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null

Change ens5 with your instance network interface name. Also, VERY IMPORTANT you must set source_dest_check = false on the EC2 NAT instances.

Also, don’t assign a EIP to your EC2 NAT instances (unless you absolutely must persist a given public IP) as that counterintuitively routes through public traffic. Just use a auto-assigned public IP (no EIP).

  NAT instance with EIP
    - AWS routes it through the public AWS network infrastructure (hairpinning).
    - You get charged $0.01/GB regional data transfer, even if in the same AZ.

vladvasiliu

> Also, don’t assign a EIP to your EC2 NAT instances (unless you absolutely must persist a given public IP) as that counterintuitively routes through public traffic. Just use a auto-assigned public IP (no EIP).

Could you point me to somewhere I can read more about this? I didn't know there was an extra charge for using an EIP (other than for the EIP itself).

topspin

"NAT instances"

That's what you did before AWS had the "NAT Gateway" managed service. It's literally called "NAT Instance" in current AWS documentation, and you can implement it in any way you wish. Of course, you don't have to limit yourself to iptables/nftables etc. OPNsense is a great way to do a NAT instance.

nodesocket

I believe the NAT instances also use super old and end-of-life Amazon Linux. I prefer Debian Trixie with Packer and EC2 instances and no EIP. Most secure, performant, and cost effective setup possible.

> NAT AMI is built on the last version of the Amazon Linux AMI, 2018.03, which reached the end of standard support on December 31, 2020 and end of maintenance support on December 31, 2023.

sarathyweb

We can follow the documentation for setting up the NAT instance on any distro. I tested with Rocky Linux 9 and it worked.

unquietwiki

Assigning an IP is ideal if you're having to whitelist traffic to/from a data center, application, or service.

nodesocket

Sure that one’s case, though you might be able to give out a host instead of IP to others to whitelist. Then you just set a low TTL and update the DNS record.

Nextgrid

OpenWrt is also a good option.

hk1337

I ran a NAT on a floppy back in college, in 2000.

dboreham

For anyone else who is super confused as to wtf this is about: 1) it's not "NAT Gateway " but rather "The AWS service called NAT Gateway" and 2) it's not "self-hosting" but "hosting in EC2", in the same sense that "running postgresql on an EC2 instance" wouldn't be "self hosting aurora".

mystraline

Yeah, I just use a VPS box I pay $20/year for. Only the most basic config goes on this machine. Basically load is 0.1 , and has no data.

Then I run my stuff locally.

And then I use ssh tunneling to forward the port to localhost of the remote machine. Its a unit file, and will reconstruct the tunnel every 30s if broken. So at most 30s downtime.

Then nginx picks it up.

rmunn

Brilliant.

I use Tailscale myself, but if you want everything totally under your control (and don't want to go to the trouble of setting up headscale or something similar) then that's one of the absolutely simplest, lowest-effort ways of doing it. EDIT: Well, except for the VPS box I suppose, but if that provider went down or you had any reason to suspect they were doing anything suspicious, it would be quite simple to jump to a different provider, so that's pretty darn close to controlling everything yourself.

mystraline

Yep. Ive had the same provider for 3y going on 4.

Particular things: I use letsencrypt wildcard, so my subdomains aren't leaked. If you register per subdomain, LE leaks all your subdomains as part of some transparency report. Learned that and had to burn that domain.

The VPS is from LowEndBox. Like 2 core, 20GB storage 2GB ram. But runs perfectly fine.

I run jellyfin, audiobookshelf, Navidrome, and Romm. Ssh tunnel per application.

It would also be trivial to switch providers as well. But again, not a seed box, not doing torrents, not doing anything that would attract attention. And best of all, no evidence on the VPS. Its all SSL and SSH.

BobbyTables2

I do something similar using an openvpn tunnel (home->vps). Iptables rules on the VPS redirect services to the VPN client IP.

Client automatically deals with reconnecting, never have to touch it.

SSH tunnel would have been simpler, just didn’t want it open.

SSH tunnel probably needs the keep alive on, otherwise connection loss may not be detected.