AndrewGuenther / fck-nat

Feasible cost konfigurable NAT: An AWS NAT Instance AMI
https://fck-nat.dev
MIT License

Rotating proxy using fck-nat #69

Open garysassano opened 9 months ago

garysassano commented 9 months ago

Can you link 5 Elastic IP addresses to your EC2 instance? The scenario involves an AWS Lambda function invoking the NAT Instance, which then selects a random EIP for internet requests, effectively creating a rotating proxy system.

fl0wo commented 9 months ago

That would be very useful indeed.

I would like the NAT instance to have some external IPs within an "IP list" (allow-list). Perhaps the "eip_id" directive in the configuration file could turn into an "array of EIP ids"?

Then, for example, a Lambda inside that NAT would address the outside with "one of these public IPs" (randomly chosen each time).

AndrewGuenther commented 8 months ago

This can be done with snat, but I'm worried about breaking existing users and consumers of the eip_id directive. I was already planning to migrate to snat for v2 so I'm going to keep this in mind when doing that and tag for the 2.0 release.

fl0wo commented 8 months ago

Thank you Andrew for the update.

Do you think it is somehow possible to achieve the same result with the current version of fck-nat?

Maybe by spinning up 5 different fck-nat instances under the same VPC? Each with an associated eip_id, resulting in 5 IPs.

I'm not sure, do you think this is feasible?

AndrewGuenther commented 8 months ago

@fl0wo It wouldn't be possible as you've described. You get only one default route per subnet. So while you could have many subnets each with a default route pointing to a different fck-nat, it wouldn't quite be the behavior requested in the initial submission.

garysassano commented 6 months ago

AWS just introduced the ability to dynamically remove and add EIPs to EC2 instances. I believe this feature could be a game-changer for implementing a rotating proxy with fck-nat.

AndrewGuenther commented 6 months ago

I don't see how that feature changes anything here?

garysassano commented 6 months ago

My understanding is that if you replace the EIP, you are essentially changing the public IP address of the NAT instance. Consequently, any traffic routed through the NAT instance, including traffic from your Lambda functions, will use the new EIP for internet access.

To clarify, this method could be used to rotate the NAT instance EIP at a predetermined interval (every X minutes). This is different from the approach that was mentioned earlier, which involved selecting a random EIP from a pool for each individual request. Both methods offer IP diversification, but they achieve it in distinct ways.