This project provides a Dockerized setup for a NAT (Network Address Translation) Gateway on an Amazon Linux 2023 instance. A NAT Gateway is useful for routing traffic from private subnets to the internet while keeping the originating IP address private.
nat-gateway-docker/
├── Dockerfile # Docker configuration file to build the NAT gateway
├── README.md # Project documentation
├── start-nat.sh # Script to configure NAT rules within the container
├── .gitignore # Specifies files/folders to ignore in Git
└── docs/
└── setup-guide.md # Additional setup guide or documentation
- Amazon Linux 2023: This project assumes you’re running it on an Amazon Linux 2023 EC2 instance.
- Docker: Docker must be installed and running on the EC2 instance.
- Git: Required for cloning and managing the project repository.
- GitHub SSH Access: Set up SSH access for GitHub to push the project (if using SSH URLs).
Clone this project to your Amazon Linux instance:
git clone git@github.com:rMi99/nat-gateway-docker.git
cd nat-gateway-docker
Enable IP forwarding on the Amazon Linux host machine to allow NAT functionality:
sudo sysctl -w net.ipv4.ip_forward=1
To make this setting persistent across reboots, add it to /etc/sysctl.conf
:
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p # Reload sysctl settings
Use the following command to build the Docker image for the NAT Gateway:
docker build -t nat-gateway .
Run the Docker container with elevated privileges and host networking:
docker run --privileged -d --network host nat-gateway
The --privileged
flag allows the container to manage networking, and --network host
enables the container to use the host's network interfaces, which is necessary for a NAT gateway.
Once the Docker container is running, your Amazon Linux instance will act as a NAT Gateway.
-
Traffic Routing: Any traffic originating from devices or instances within the same VPC but from private subnets can be routed through this instance for internet access.
-
Logs: Check container logs to confirm NAT operations are running as expected:
docker logs $(docker ps -q --filter ancestor=nat-gateway)
To stop the NAT Gateway, simply stop and remove the Docker container:
docker stop $(docker ps -q --filter ancestor=nat-gateway)
docker rm $(docker ps -aq --filter ancestor=nat-gateway)
If you see an error like:
/proc/sys/net/ipv4/ip_forward: Read-only file system
This occurs because the Docker container cannot modify /proc
settings. IP forwarding must be enabled on the host system before starting the container. See the Enable IP Forwarding on the Host section above.
To verify that IP forwarding is correctly enabled on the host:
sysctl net.ipv4.ip_forward
The output should be:
net.ipv4.ip_forward = 1
If devices in your private subnets cannot access the internet through the NAT Gateway:
- Check Security Groups: Ensure the security group attached to the EC2 instance allows outbound internet traffic.
- Check Route Tables: The route table associated with the private subnets should have a route pointing to the NAT Gateway instance.
For more in-depth setup instructions and configurations, refer to docs/setup-guide.md
.
This project is licensed under the MIT License. See the LICENSE file for details.