
I have configured GRE tunnels between CentOS machines, and the corresponding routing tables on the individual CentOS machines, as shown in the image:

I don't have enough reputation to post images.

Router1-------gre1---------Transit-Router---------gre2--------Router2

10.2.32.0/24--Router1--10.0.0.1---gre1---10.0.0.2--Transit-Router--11.0.0.2---gre2--11.0.0.1--Router2--10.4.32.0/24

I'm able to ping from Router-1 to the gre1 tunnel's other end:

worker]# ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=1.43 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.472 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.291 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=0.319 ms

The traffic reaches the Transit Router over the GRE tunnel (verified with tcpdump proto gre).

Ping from Router-2 to the gre2 tunnel's other end:

worker]# ping 11.0.0.2
PING 11.0.0.2 (11.0.0.2) 56(84) bytes of data.
64 bytes from 11.0.0.2: icmp_seq=1 ttl=64 time=1.10 ms
64 bytes from 11.0.0.2: icmp_seq=2 ttl=64 time=0.392 ms
64 bytes from 11.0.0.2: icmp_seq=3 ttl=64 time=0.369 ms
64 bytes from 11.0.0.2: icmp_seq=4 ttl=64 time=0.258 ms

This traffic, too, flows over the tunnel.

And on the transit router I'm able to ping the private addresses of both Router-1 and Router-2 after adding the routing entry.

Transit Router:

[root@vmc-centos conf]# ping 10.2.32.1
PING 10.2.32.1 (10.2.32.1) 56(84) bytes of data.
64 bytes from 10.2.32.1: icmp_seq=1 ttl=64 time=0.589 ms
64 bytes from 10.2.32.1: icmp_seq=2 ttl=64 time=0.380 ms
64 bytes from 10.2.32.1: icmp_seq=3 ttl=64 time=0.383 ms

Router-1:

worker]# tcpdump -i any proto gre -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
04:54:36.684864 IP 10.206.83.3 > 10.206.90.103: GREv0, length 88: IP 10.0.0.2 > 10.2.32.1: ICMP echo request, id 20445, seq 34, length 64
04:54:36.684951 IP 10.206.90.103 > 10.206.83.3: GREv0, length 88: IP 10.2.32.1 > 10.0.0.2: ICMP echo reply, id 20445, seq 34, length 64
04:54:37.684776 IP 10.206.83.3 > 10.206.90.103: GREv0, length 88: IP 10.0.0.2 > 10.2.32.1: ICMP echo request, id 20445, seq 35, length 64

Transit Router:

[root@vmc-centos conf]# ping 10.4.32.1
PING 10.4.32.1 (10.4.32.1) 56(84) bytes of data.
64 bytes from 10.4.32.1: icmp_seq=1 ttl=64 time=0.553 ms
64 bytes from 10.4.32.1: icmp_seq=2 ttl=64 time=0.325 ms
64 bytes from 10.4.32.1: icmp_seq=3 ttl=64 time=0.354 ms

Router-2:

worker]# sudo tcpdump -i any proto gre -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
04:56:57.549823 IP 10.206.83.3 > 10.206.86.199: GREv0, length 88: IP 11.0.0.2 > 10.4.32.1: ICMP echo request, id 20690, seq 24, length 64
04:56:57.549896 IP 10.206.86.199 > 10.206.83.3: GREv0, length 88: IP 10.4.32.1 > 11.0.0.2: ICMP echo reply, id 20690, seq 24, length 64

But now, when I try to reach the private network of Router-2 (10.4.32.1) from Router-1, the packets reach the Transit Router but are not forwarded from there to Router-2.

Router-1:

worker]# ping 10.4.32.1
PING 10.4.32.1 (10.4.32.1) 56(84) bytes of data.

Transit Router:

[root@vmc-centos conf]# tcpdump -i any proto gre -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
04:59:06.382024 IP 10.206.90.103 > 10.206.83.3: GREv0, length 88: IP 10.0.0.1 > 10.4.32.1: ICMP echo request, id 36131, seq 40, length 64
04:59:07.382007 IP 10.206.90.103 > 10.206.83.3: GREv0, length 88: IP 10.0.0.1 > 10.4.32.1: ICMP echo request, id 36131, seq 41, length 64

Router-2:

[root@wdc-10-206-86-199 worker]# sudo tcpdump -i any proto gre -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

Route forwarding is enabled on all the machines:

[root@vmc-centos conf]# sudo sysctl -p
net.ipv4.ip_forward = 1

iptables on transit router:

[root@vmc-centos ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     gre  --  anywhere             anywhere            
ACCEPT     gre  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     gre  --  anywhere             anywhere            

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere     

Note: I have tried this before and the packets were reaching the other private network. Now I'm trying on another setup; there's some config I'm missing.

nguns
  • Is the transit router a Centos machine? If yes, is the ip_gre module loaded in the transit router? – Nazia Jahan Trisha Apr 03 '20 at 06:58
  • Yes @NaziaJahanTrisha, it's a CentOS machine and the ip_gre module is loaded: `~]# lsmod | grep ip_gre` gives `ip_gre 22931 0`, `gre 13144 1 ip_gre`, `ip_tunnel 25163 1 ip_gre` – nguns Apr 03 '20 at 07:35
  • Did you check the firewall? – Nazia Jahan Trisha Apr 03 '20 at 07:39
  • Yes @NaziaJahanTrisha, the packets to 11.0.0.1 from the router are going through the transit router when pinged from the transit router specifically. – nguns Apr 03 '20 at 07:41
  • And moreover, these are all in the same corp network, so the firewall shouldn't be an issue. – nguns Apr 03 '20 at 07:47
  • `[root@vmc-centos ~]# modprobe -l | grep gre` gives `modprobe: invalid option -- 'l'` – nguns Apr 03 '20 at 07:57
  • Sorry for the mistake. Can you also make sure the proper routing is inserted in the iptables chains? Proper input, output and forward is configured for GRE. Ex: `sudo iptables -A INPUT -p gre -j ACCEPT` – Nazia Jahan Trisha Apr 03 '20 at 08:10
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/106275/discussion-between-nguns-and-nazia-jahan-trisha). – nguns Apr 03 '20 at 11:39
  • @NaziaJahanTrisha I have added the iptables details in section: iptables on transit router: – nguns Apr 03 '20 at 11:39
  • I see you have DOCKER installed. By default this will install a DROP policy on forward, so you will have to explicitly allow any forwarding you want to happen. – Gerrit Apr 03 '20 at 11:41
  • @Gerrit IP forwarding is enabled: `[root@vmc-centos ~]# sudo sysctl -p` gives `net.ipv4.ip_forward = 1`. Am I missing anything? – nguns Apr 03 '20 at 12:17
  • @Gerrit And this worked: `iptables --policy FORWARD ACCEPT`. Could you please add this suggestion as an answer? I'll accept it, thanks a ton. – nguns Apr 03 '20 at 12:33
  • And thank you @NaziaJahanTrisha for the initial triage. – nguns Apr 03 '20 at 12:33
  • Please add the routing table of each equipment on the path. Run also a traceroute from endpoints. – Mircea Vutcovici Apr 03 '20 at 13:02
  • Be aware that setting a generic policy to ACCEPT will disrupt container isolation of Docker. This may or may totally not be an issue, depending on your situation. – Gerrit Apr 03 '20 at 13:03

1 Answer

The Docker daemon seems to be running on the forwarding machine. By default, to isolate containers on different bridges and the host machine, Docker installs a default DROP policy on the FORWARD chain in iptables. There is a setting in the Docker daemon to not do this: set iptables to false in /etc/docker/daemon.json. See Docker and iptables.

If you change the default policy to ACCEPT, that will work:

iptables --policy FORWARD ACCEPT

BUT, when you (or a package upgrade of Docker, or a reboot) restart the Docker daemon, the default policy will again change to DROP if you didn't change the setting of the Docker daemon.

Gerrit
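The following script is an added example and is not part of the question or of Gerrit's answer. It parses `iptables -L` output to tell the two failure modes apart (kernel forwarding off versus Docker's DROP policy on FORWARD), and then prints a scoped fix that accepts only the two inner networks between the two tunnel interfaces instead of switching the whole FORWARD policy to ACCEPT, which, as Gerrit's last comment notes, removes Docker's container isolation. The rules go into the DOCKER-USER chain, which Docker documents as the place for administrator rules and which is the first target in the FORWARD chain above. The interface names gre1 and gre2 and the prefixes 10.2.32.0/24 and 10.4.32.0/24 are assumptions taken from the question's diagram, and the sample iptables listing is constructed from the transit router output in the question.

```shell
#!/bin/sh
# Added example, not from the question or the answer: diagnose why a Linux
# transit router that also runs Docker drops traffic between two GRE tunnels,
# and emit a scoped fix instead of opening the whole FORWARD chain.
#
# Assumptions (not stated on the page): the tunnel interfaces on the transit
# router are named gre1 and gre2, and the inner networks are 10.2.32.0/24 and
# 10.4.32.0/24 as drawn in the question's diagram.

# `iptables -L` output constructed from the transit router listing in the
# question (trimmed to the three built-in chains).
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     gre  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     gre  --  anywhere             anywhere'

# Print the default policy (ACCEPT/DROP) of chain $1, parsed from
# `iptables -L` text on stdin. Header lines look like "Chain FORWARD (policy DROP)".
chain_policy() {
    awk -v chain="$1" '
        $1 == "Chain" && $2 == chain { gsub(/[()]/, "", $4); print $4 }'
}

# diagnose IP_FORWARD_VALUE  <iptables-L-output
# Returns 0 when the forwarding path is open, 1 when the kernel sysctl is off,
# 2 when the FORWARD chain's default policy is DROP (Docker's default).
diagnose() {
    if [ "$1" != "1" ]; then
        echo "net.ipv4.ip_forward is $1: the kernel will not route between interfaces"
        return 1
    fi
    if [ "$(chain_policy FORWARD)" = "DROP" ]; then
        echo "FORWARD policy is DROP: transit packets are discarded unless a rule accepts them"
        return 2
    fi
    echo "forwarding path looks open"
    return 0
}

# Scoped alternative to `iptables --policy FORWARD ACCEPT`: accept only the two
# inner networks between the two tunnel interfaces, inserted into DOCKER-USER,
# the chain Docker reserves for administrator rules and jumps to first from
# FORWARD. Interface names and prefixes are the assumptions noted above.
forward_rules() {
    cat <<'EOF'
iptables -I DOCKER-USER -i gre1 -o gre2 -s 10.2.32.0/24 -d 10.4.32.0/24 -j ACCEPT
iptables -I DOCKER-USER -i gre2 -o gre1 -s 10.4.32.0/24 -d 10.2.32.0/24 -j ACCEPT
EOF
}

# With --live, inspect the running system (iptables needs root);
# otherwise run the diagnosis against the constructed sample.
case "${1:-}" in
    --live)
        ip_forward=$(sysctl -n net.ipv4.ip_forward)
        if iptables -L | diagnose "$ip_forward"; then :; else forward_rules; fi
        ;;
    *)
        if printf '%s\n' "$SAMPLE_IPTABLES" | diagnose 1; then :; else forward_rules; fi
        ;;
esac
```

Run without arguments to see the diagnosis for the listing in the question (policy DROP, so the two rules are printed); run with `--live` as root on the transit router to check the real tables. The printed rules only accept traffic that arrives on one tunnel interface and leaves on the other, so Docker's bridge isolation stays intact, and the return path is already covered by the existing `ctstate RELATED,ESTABLISHED` rule in FORWARD.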