I’ve recently had to build a Linux router with a few other servers behind it, NATed.
One of the hosts behind the Linux router was running a Windows PPTP VPN service (an encrypted tunnel carried over GRE), which had to be reachable on the public Internet IP address of the router.
In order to make the GRE tunnel accessible, a bit more than just adding a normal POSTROUTING DNAT rule and an iptables FORWARD rule is necessary.
As far as I’ve read online, there is quite a bit of confusion on the topic of how to properly configure GRE tunnel accessibility on Linux, so in this very quick tiny tutorial I’ll explain how I did it.
1. Load the ip_nat_pptp and ip_conntrack_pptp kernel module
linux-router:~# modprobe ip_nat_pptp
linux-router:~# modprobe ip_conntrack_pptp
These two modules absolutely have to be loaded before the remote GRE tunnel can be accessed properly. I’ve seen many people complaining online that they can’t get the GRE tunnel to work, and I suppose in many of those cases the reason for the failure is omitting to load these two kernel modules. (On current kernels the same PPTP conntrack and NAT helpers are named nf_conntrack_pptp and nf_nat_pptp; if modprobe cannot find the ip_* names, check with modinfo and load those instead.)
2. Make the ip_nat_pptp and ip_conntrack_pptp modules load at system boot time
linux-router:~# echo 'ip_nat_pptp' >> /etc/modules
linux-router:~# echo 'ip_conntrack_pptp' >> /etc/modules
3. Insert the necessary iptables PREROUTING rules to make the GRE tunnel traffic flow
linux-router:~# /sbin/iptables -t nat -A PREROUTING -d 111.222.223.224/32 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.1.3:1723
linux-router:~# /sbin/iptables -t nat -A PREROUTING -p gre -j DNAT --to-destination 192.168.1.3
In the above example rules it’s necessary to substitute the 111.222.223.224 IP address with the external Internet (real) IP address of the router. Both rules go into the nat table (-t nat), since the DNAT target only exists there.
Likewise 192.168.1.3 is the internal IP address of the host where the GRE tunnel endpoint is located. Note that the second rule, as written, matches GRE arriving from any address on any interface; restricting it with -d <router public IP> or -i <WAN interface> keeps LAN-side GRE traffic out of the DNAT.
Next it’s necessary to:
4. Add an iptables FORWARD rule to let the GRE traffic through to the tunnel host
linux-router:~# /sbin/iptables -A FORWARD -p gre -j ACCEPT
Finally it’s necessary to make the above iptables rules permanent by saving the current firewall with iptables-save, or by adding them to the script which loads the host’s iptables firewall rules.
Another possible way is to add them to /etc/rc.local, though this is not recommended, as the rules would only be added after a successful boot, once all the rest of the init scripts and whatever else is in /etc/rc.local have run without errors.
Afterwards the PPTP/GRE tunnel on the internal host 192.168.1.3 can be reached through the router’s public IP 111.222.223.224 on port 1723.
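The four steps above, collected into one POSIX shell script as an added example (this is not the post’s own script). It assumes the Internet-facing interface is eth0, picks the old or the new PPTP helper module names depending on what the kernel ships, writes both DNAT rules into the nat table explicitly, also accepts the TCP 1723 control connection in FORWARD (needed when the FORWARD policy is DROP), and adds a raw-table CT rule that binds the pptp helper on kernels since 4.7, where helper auto-assignment is off by default. The "apply" argument, the function names and the CT rule are this example’s additions; without an argument it only prints the rules.

```shell
#!/bin/sh
# Added example (not from the post): generate, and optionally apply, the rules
# the four steps above describe, with the nat table spelled out explicitly.
# Assumptions: the Internet-facing interface is eth0; the "apply" argument,
# the function names and the raw-table CT helper rule are this example's own.
EXT_IP="${EXT_IP:-111.222.223.224}"     # router's public IP (from the post)
PPTP_HOST="${PPTP_HOST:-192.168.1.3}"   # internal PPTP/GRE host (from the post)
WAN_IF="${WAN_IF:-eth0}"                # assumption: eth0 faces the Internet

# Old kernels ship ip_conntrack_pptp/ip_nat_pptp; current ones nf_conntrack_pptp/nf_nat_pptp.
pptp_helper_modules() {
    if modinfo nf_conntrack_pptp >/dev/null 2>&1; then
        echo "nf_conntrack_pptp nf_nat_pptp"
    else
        echo "ip_conntrack_pptp ip_nat_pptp"
    fi
}

# Print the iptables commands for forwarding one PPTP server: $1 = public IP,
# $2 = internal host, $3 = WAN interface. DNAT only exists in the nat table, so
# both PREROUTING rules carry -t nat; -i/-d keep LAN-side GRE out of the DNAT.
# The CT rule pins the pptp helper (helper auto-assignment is off since Linux 4.7).
pptp_forward_rules() {
    ext="$1"; host="$2"; wan="$3"
    cat <<EOF
iptables -t raw -A PREROUTING -i $wan -d $ext/32 -p tcp --dport 1723 -j CT --helper pptp
iptables -t nat -A PREROUTING -i $wan -d $ext/32 -p tcp --dport 1723 -j DNAT --to-destination $host:1723
iptables -t nat -A PREROUTING -i $wan -d $ext/32 -p gre -j DNAT --to-destination $host
iptables -A FORWARD -i $wan -d $host -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i $wan -d $host -p gre -j ACCEPT
iptables -A FORWARD -o $wan -s $host -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply for real: must run as root on the router itself.
apply_rules() {
    for m in $(pptp_helper_modules); do modprobe "$m"; done
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    pptp_forward_rules "$EXT_IP" "$PPTP_HOST" "$WAN_IF" | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     pptp_forward_rules "$EXT_IP" "$PPTP_HOST" "$WAN_IF" ;;   # dry run: print only
esac
```

Run it without arguments first to review the generated rules, then with "apply" as root; the printed lines can also be pasted into whatever script restores the firewall at boot.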
Hope this is helpful. Cheers 😉
Thanks a lot for this useful post.
You’ve just made a little mistake on the “linux-router:~# modpribe ip_conntrack_pptp” line.
It’s “modprobe”, not “modpribe”
yes probably in the hurry will fix that thx 🙂
Glad it helped
Hi.
Help me with an opinion.
When I launch “service iptables stop”,
the connection between 2 Windows VPNs works.
When I start it, the connection drops.
So in general my rules look like:
# Clear rules
iptables -t filter -F
iptables -t filter -X
echo - Clear rules : [OK]
# Don't break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo - established connections : [OK]
# Loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo - Loopback : [OK]
#routing
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
and some filters for w00tw00t
I don’t have private IPs, only public ones,
and I don’t know how to make a working rule for the Windows VPN.
Can you help me? Thanks
Hi, why do you use MASQUERADE (it’s nowadays obsolete)?
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
I would suggest you remove these rules and use instead
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -d 192.168.5.0/24 -j SNAT --to-source 192.168.5.9
# iptables SNAT rules for OpenVPN addrs routing from 10.8.0.0 to access 192.168.5.0
/sbin/iptables -t nat -I POSTROUTING -s 192.168.5.0/24 -d 10.8.0.0/24 -j SNAT --to-source 10.8.0.1
# iptables SNAT rules to allow connected OpenVPN user to access Internet via 109.104.206.253
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j SNAT --to 108.104.205.254
Here I assume:
192.168.5.0/24 is your network of hosts 192.168.5.1-255 on interface eth1
10.8.0.0 is the IP range assigned to VPN-connected hosts
108.104.205.254 is your external (Internet) IP address configured on eth0
Hope this helps.
The rest of your rules seem OK.
If problems persist, try to temporarily comment out
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Best, Georgi
Thank God for you, got my Linux firewall passing GRE now, after days of testing, once I read this post. Thanks.
I added one line though: ‘iptables -A INPUT -i eth0 -p gre -j ACCEPT’.
Thanks again.
Excellent!!