diff --git a/cmd/nat-gateway/main.go b/cmd/nat-gateway/main.go
index 325e1ba..7b13b05 100644
--- a/cmd/nat-gateway/main.go
+++ b/cmd/nat-gateway/main.go
@@ -181,11 +181,19 @@ func main() {
 setupLog.Error(err, "unable to create FouTunnelController")
 os.Exit(1)
 }
+ if err := fc.Init(); err != nil {
+ setupLog.Error(err, "failed to Initialize FoUTunnelController")
+ os.Exit(1)
+ }
 nc, err := nat.NewController("eth0", ipv4, ipv6)
 if err != nil {
 setupLog.Error(err, "unable to create nat.Controller")
 os.Exit(1)
 }
+ if err := nc.Init(); err != nil {
+ setupLog.Error(err, "failed to Initialize nat.Controller")
+ os.Exit(1)
+ }
 if err = controller.NewPodWatcher(
 mgr.GetClient(),
diff --git a/config/samples/nat-client.yaml b/config/samples/nat-client.yaml
new file mode 100644
index 0000000..01b776f
--- /dev/null
+++ b/config/samples/nat-client.yaml
@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nat-client
+ annotations:
+ egress.pona.cybozu.com/egress: egress
+ labels:
+ app.kubernetes.io/component: nat-client
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: nat-client
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: nat-client
+ annotations:
+ egress.pona.cybozu.com/egress: egress
+ spec:
+ containers:
+ - name: nat-client
+ image: ghcr.io/cybozu/ubuntu-debug:22.04
+ command: ["sleep"]
+ args:
+ - infinity
diff --git a/dockerfiles/Dockerfile.nat-gateway b/dockerfiles/Dockerfile.nat-gateway
index 44280af..4b9609f 100644
--- a/dockerfiles/Dockerfile.nat-gateway
+++ b/dockerfiles/Dockerfile.nat-gateway
@@ -20,7 +20,9 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o na
 FROM ghcr.io/cybozu/ubuntu:22.04
 WORKDIR /
+RUN apt-get -yy update && apt-get install -yy netbase kmod iptables iproute2
+
 COPY --from=builder /workspace/nat-gateway .
-USER 65532:65532
+USER 0:0
 ENTRYPOINT ["/nat-gateway"]
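Review bot: The two new log messages in main() do not match the wording of the checks around them: they read `failed to Initialize …` with a capital I and spell the type `FoUTunnelController`, while the context line just above uses `unable to create FouTunnelController`. Consider `setupLog.Error(err, "unable to initialize FouTunnelController")` and `setupLog.Error(err, "unable to initialize nat.Controller")` so that log searches and alerts match a single spelling. Both Init calls now run on every start and exit the process on failure, so a short comment stating whether they are safe to re-run after a container restart (and after fc.Init succeeded but nc.Init failed) would help; their bodies are not in this diff. main() starts and ends outside the hunk.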
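Review bot: The sample pod in config/samples/nat-client.yaml runs a debug image referenced by the mutable tag `ghcr.io/cybozu/ubuntu-debug:22.04` and sets no `securityContext` or `resources`, with nothing in the file saying it is a test-only client. Samples tend to be copied into real clusters, so a header comment such as `# Test client for egress NAT; uses a debug image, not intended for production` would make the intent explicit. The `egress.pona.cybozu.com/egress: egress` annotation is also set on both the Deployment's own metadata and the pod template; if only pods are watched, as the PodWatcher in cmd/nat-gateway/main.go suggests, a comment should say which of the two is the one that takes effect.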
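Review bot: The final stage now runs as root (`USER 0:0` replaces `USER 65532:65532`) with no comment explaining why, and nothing in this diff limits what that root process may do. If root is needed for the iptables and tunnel setup, state it above the line, e.g. `# root is required to manage iptables rules and FoU tunnels in the pod's network namespace`, and have the gateway's pod spec drop all capabilities except the ones it needs (presumably NET_ADMIN; the manifest is not part of this diff). The new `RUN` line also installs recommended packages and leaves the apt lists in the image; `RUN apt-get -yy update && apt-get install -yy --no-install-recommends netbase kmod iptables iproute2 && rm -rf /var/lib/apt/lists/*` keeps the root image smaller. The builder stage of the Dockerfile is outside the hunk.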