How to make GRE tunnel iptables port redirect on Linux
I've recently had to build a Linux server with some other servers behind the router with NAT.
One of the hosts behind the Linux router was running a Windows GRE encrypted tunnel service, which had to be accessed through the Internet IP address of the server.
In order to make the GRE tunnel accessible, a bit more than just adding a normal POSTROUTING DNAT rule and an iptables FORWARD rule is necessary.
As far as I've read online, there is quite a lot of confusion on the topic of how to properly configure GRE tunnel accessibility on Linux, thus in this very quick tiny tutorial I'll explain how I did it.
1. Load the ip_nat_pptp and ip_conntrack_pptp kernel modules
linux-router:~# modprobe ip_nat_pptp
linux-router:~# modprobe ip_conntrack_pptp
These two modules absolutely have to be loaded before the remote GRE tunnel can be properly accessed. I've seen many people complaining online that they can't make the GRE tunnel work, and I suppose in many of the cases the reason for not succeeding is omitting to load these two kernel modules.
2. Make the ip_nat_pptp and ip_conntrack_pptp modules load at system boot time
linux-router:~# echo 'ip_nat_pptp' >> /etc/modules
linux-router:~# echo 'ip_conntrack_pptp' >> /etc/modules
3. Insert the necessary iptables PREROUTING rules to make the GRE tunnel traffic flow
The PREROUTING chain used for DNAT lives in the nat table, so the rules have to be added with -t nat:
linux-router:~# /sbin/iptables -t nat -A PREROUTING -d 111.222.223.224/32 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.1.3:1723
linux-router:~# /sbin/iptables -t nat -A PREROUTING -p gre -j DNAT --to-destination 192.168.1.3
In the above example rules it's necessary to substitute the 111.222.223.224 IP address with the external Internet (real IP) address of the router.
Also, the IP address 192.168.1.3 is the internal IP address of the host where the GRE tunnel endpoint is located.
Next it's necessary to:
4. Add an iptables rule to forward the GRE traffic to the tunnel host
linux-router:~# /sbin/iptables -A FORWARD -p gre -j ACCEPT
Finally it's necessary to make the above iptables rules permanent, either by saving the current firewall with iptables-save or by adding them to the script which loads the host's iptables firewall rules.
Another possible way is to add them to /etc/rc.local, though this way is not recommended, as the rules would be added only after a successful bootup, after all the rest of the init scripts, and only if everything else in /etc/rc.local runs without errors.
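The whole procedure (steps 1 to 4) collected into one POSIX shell script, as an added example that is not part of the original post. It generates the commands for a given router public IP and internal PPTP/GRE host, validates both addresses first, and only applies them when explicitly asked to, so the generated list can be reviewed before it touches the firewall. Function and variable names (valid_ipv4, gre_forward_rules, apply_gre_forward, gre_forward_check) are this example's own. Three things are assumed beyond the tutorial: current kernels name the two helper modules nf_conntrack_pptp and nf_nat_pptp (the ip_* names above are the older ones, so the script tries both); net.ipv4.ip_forward is set explicitly even though a router that already NATs normally has it on; and the rules are narrowed compared to the tutorial's, restricting both DNATs to the router's public address, restricting the FORWARD accepts to the internal host, and adding a FORWARD accept for tcp/1723 so the setup also works on routers whose FORWARD policy is DROP.

```shell
#!/bin/sh
# Added example (not from the tutorial): generate, and optionally apply, the
# module + iptables setup that forwards a PPTP control connection (tcp/1723)
# and its GRE tunnel from the router's public address to one internal host.

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the commands, one per line, for router public IP $1 and internal
# PPTP/GRE host $2. Nothing is executed here, so this can run unprivileged.
gre_forward_rules() {
    ext_ip=$1
    int_ip=$2
    if ! valid_ipv4 "$ext_ip" || ! valid_ipv4 "$int_ip"; then
        echo "usage: gre_forward_rules <router-public-ip> <internal-pptp-host>" >&2
        return 1
    fi
    cat <<EOF
modprobe nf_conntrack_pptp 2>/dev/null || modprobe ip_conntrack_pptp
modprobe nf_nat_pptp 2>/dev/null || modprobe ip_nat_pptp
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d ${ext_ip}/32 -p tcp -m tcp --dport 1723 -j DNAT --to-destination ${int_ip}:1723
iptables -t nat -A PREROUTING -d ${ext_ip}/32 -p gre -j DNAT --to-destination ${int_ip}
iptables -A FORWARD -d ${int_ip}/32 -p tcp -m tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -d ${int_ip}/32 -p gre -j ACCEPT
EOF
}

# Execute the generated commands in order (root required). With DRY_RUN=1
# they are echoed with a "+ " prefix instead, for review before applying.
apply_gre_forward() {
    gre_forward_rules "$1" "$2" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '+ %s\n' "$cmd"
        else
            sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done
}

# Verify that both DNAT rules are present in the running nat table (root
# required); exits 0 when they are, 1 otherwise.
gre_forward_check() {
    iptables-save -t nat | grep -q -e "-d $1/32 -p gre -j DNAT --to-destination $2\$" &&
    iptables-save -t nat | grep -q -e "-d $1/32 -p tcp -m tcp --dport 1723 -j DNAT --to-destination $2:1723\$"
}

# When run directly as a script, print the command list for the tutorial's
# sample addresses; nothing is applied.
case "$0" in
    */gre_forward.sh|gre_forward.sh) gre_forward_rules 111.222.223.224 192.168.1.3 ;;
esac
```

Review the output of `DRY_RUN=1 apply_gre_forward 111.222.223.224 192.168.1.3` first, then run `apply_gre_forward` as root and confirm with `gre_forward_check`. The rules still have to be persisted with iptables-save (or the firewall script) as described above; the script itself adds nothing to /etc/modules or /etc/rc.local.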
Afterwards, access to the GRE tunnel on the local host 192.168.1.3 through port 1723 and the router IP 111.222.223.224 is possible.
Hope this is helpful. Cheers ;)