
Purpose is to "protect" my backend dedicated server (B) using a front VPS (A) with a GRE tunnel and use the newly established interface (GRE1) as default on (B) in order not to leak the server (B) IP address. That means backend server (B) will be visible with the front VPS (A) IP address.

Both, VPS and dedicated server, are in a remote datacenter.

What works:

  1. GRE tunnel works between VPS (A) and server (B)
  2. VPS (A) is forwarding all ports directly to server (B)
  3. Route specific IP addresses through the new GRE1 interface on (B)

What doesn't work on server (B):

Redirecting all traffic through the newly established GRE1 interface using the GRE tunnel.

What was done before:

On VPS (A), the frontend, 10.0.0.1:

#!/bin/bash
##Front-VPS-A
apt install iptables iproute2
modprobe ip_gre
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
# GRE tunnel endpoint on A; FRONT-IP-A / BACKEND-IP-B are the public addresses
ip tunnel add gre1 mode gre local FRONT-IP-A remote BACKEND-IP-B ttl 255
ip addr add 10.0.0.1/30 dev gre1
ip link set gre1 up
# Traffic from the tunnel subnet leaving on a non-GRE interface gets A's public IP
iptables -t nat -A POSTROUTING -s 10.0.0.0/30 ! -o gre+ -j SNAT --to-source FRONT-IP-A
iptables -A FORWARD -d 10.0.0.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 10.0.0.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Forward every port addressed to A on to B (note: this also catches connections
# meant for A itself, e.g. its own SSH port, unless excluded by an earlier rule)
iptables -t nat -A PREROUTING -d FRONT-IP-A -j DNAT --to-destination 10.0.0.2

On backend server (B), 10.0.0.2:

#!/bin/bash
#Backend Server B
apt install iptables iproute2
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
modprobe ip_gre
ip tunnel add gre1 mode gre local BACKEND-IP-B remote FRONT-IP-A ttl 255
ip addr add 10.0.0.2/30 dev gre1
ip link set gre1 up
# Separate routing table "GRE" (id 100) with its own default route via A;
# the rule only selects it for packets whose source is in the tunnel subnet
echo '100 GRE' >> /etc/iproute2/rt_tables
ip rule add from 10.0.0.0/30 table GRE
ip route add default via 10.0.0.1 table GRE

Checking the results on backend server (B), 10.0.0.2:

curl http://www.cpanel.net/showip.cgi --interface=10.0.0.2

is delivering the IP address of the front VPS (A). But using

curl http://www.cpanel.net/showip.cgi

is still delivering the IP from the backend server (B).

How would I be able to use the new GRE1 interface on server (B) as default without killing my whole remote connection? I know that it's not a VPN/WireGuard connection, but I think it should be possible.

Dave M
safect
  • All that does is mess up your logging, because the server can no longer tell where traffic came from, and it's still exposed on the Internet. No attacker cares about the server's real IP address, only whether they can send packets to it. – Simon Richter May 17 '21 at 11:16

1 Answer


I found the following solution, which works for me.

Frontend server, edit your front-ip and backend-ip addresses:

#!/bin/sh
##A-Server-Front
apt install iptables iproute2
lsmod | grep gre
modprobe ip_gre
lsmod | grep gre
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
# GRE tunnel endpoint on A; front-ip / backend-ip are the public addresses
ip tunnel add gre1 mode gre local front-ip remote backend-ip ttl 255
ip addr add 10.0.0.1/30 dev gre1
ip link set gre1 up
# Tunnel-sourced traffic leaving on a non-GRE interface gets A's public IP
iptables -t nat -A POSTROUTING -s 10.0.0.0/30 ! -o gre+ -j SNAT --to-source front-ip
iptables -A FORWARD -d 10.0.0.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 10.0.0.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Forward every port addressed to A on to B (also catches connections meant for A itself)
iptables -t nat -A PREROUTING -d front-ip -j DNAT --to-destination 10.0.0.2

Backend server, edit your front-ip and backend-ip addresses:

#!/bin/sh
##B-Server-Backend
apt install iptables iproute2
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
lsmod | grep gre
modprobe ip_gre
lsmod | grep gre
ip tunnel add gre1 mode gre local backend-ip remote front-ip ttl 255
ip addr add 10.0.0.2/30 dev gre1
ip link set gre1 up
# Table "GRE" (id 100) holds a default route via A; the rule selects it
# only for packets sourced from the tunnel subnet
echo '100 GRE' >> /etc/iproute2/rt_tables
ip rule add from 10.0.0.0/30 table GRE
ip route add default via 10.0.0.1 table GRE
#final IP check (bound to the tunnel address, so it is routed via table GRE)
curl http://www.cpanel.net/showip.cgi --interface 10.0.0.2
safect
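The behaviour seen in the question (plain curl leaves via the real interface, curl bound to 10.0.0.2 leaves via the tunnel) follows from how the Linux routing policy database evaluates `ip rule` entries. The following is an added example, not code from the question or the answer: a small model of rules and tables that traces which interface and source address server (B) selects for a packet, first under the `from 10.0.0.0/30 table GRE` setup used by both scripts above, then under an assumed alternative (mine, not the page's) where gre1 becomes the main default route while packets sourced from (B)'s real address, including the GRE outer packets to (A), are pinned to the real interface so the management session and the tunnel itself keep working. All addresses are constructed placeholders from the RFC 5737 documentation ranges; the `mgmt` table name and the `ip` commands listed in the docstring are assumptions.

```python
# Added example: toy model of Linux policy routing (ip rule + ip route).
# Placeholders (constructed, RFC 5737 ranges), not the real addresses from the page.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BACKEND_IP_B = "203.0.113.2"   # placeholder for server (B)'s public address
REAL_GW = "203.0.113.1"        # placeholder for (B)'s datacenter gateway
FRONT_IP_A = "198.51.100.1"    # placeholder for VPS (A)'s public address


@dataclass
class Route:
    prefix: str                 # destination prefix; "0.0.0.0/0" is the default route
    dev: str                    # egress interface
    via: Optional[str] = None   # next hop, None when directly connected


@dataclass
class Rule:
    table: str                          # table consulted when the rule matches
    from_prefix: Optional[str] = None   # "from" selector; None matches any source


@dataclass
class Host:
    addrs: Dict[str, str]                 # interface -> its own address
    rules: List[Rule]                     # ordered by priority, lowest number first
    tables: Dict[str, List[Route]] = field(default_factory=dict)

    def lookup(self, table: str, dst: ipaddress.IPv4Address) -> Optional[Route]:
        """Longest-prefix match inside one table."""
        best, best_len = None, -1
        for route in self.tables.get(table, []):
            net = ipaddress.ip_network(route.prefix)
            if dst in net and net.prefixlen > best_len:
                best, best_len = route, net.prefixlen
        return best

    def egress(self, dst: str, src: Optional[str] = None) -> Tuple[str, str]:
        """Return (interface, source address) used for a packet to dst.

        src=None models a locally originated connection with no bound source
        address (plain curl): the source is chosen from the route found, so a
        "from" rule cannot match it. A bound source (curl --interface, a reply
        to an inbound SSH session, a GRE outer packet) is matched by "from".
        """
        dst_ip = ipaddress.ip_address(dst)
        src_ip = ipaddress.ip_address(src) if src else None
        for rule in self.rules:
            if rule.from_prefix is not None:
                if src_ip is None or src_ip not in ipaddress.ip_network(rule.from_prefix):
                    continue
            route = self.lookup(rule.table, dst_ip)
            if route is None:
                continue        # no match in this table: fall through to the next rule
            return route.dev, (src or self.addrs[route.dev])
        raise LookupError(f"no route to {dst}")


def question_host() -> Host:
    """Server (B) as set up by the scripts on the page: rule 'from 10.0.0.0/30 table GRE'."""
    return Host(
        addrs={"eth0": BACKEND_IP_B, "gre1": "10.0.0.2"},
        rules=[Rule("GRE", from_prefix="10.0.0.0/30"), Rule("main")],
        tables={
            "GRE": [Route("0.0.0.0/0", "gre1", via="10.0.0.1")],
            "main": [Route("203.0.113.0/24", "eth0"),
                     Route("10.0.0.0/30", "gre1"),
                     Route("0.0.0.0/0", "eth0", via=REAL_GW)],
        },
    )


def tunnel_default_host() -> Host:
    """Assumed alternative (not from the page): gre1 is the main default route,
    packets sourced from (B)'s real address stay on eth0. Equivalent ip(8) commands:
      echo '200 mgmt' >> /etc/iproute2/rt_tables
      ip rule add from BACKEND-IP-B table mgmt
      ip route add default via REAL-GW dev eth0 table mgmt
      ip route add FRONT-IP-A via REAL-GW dev eth0     # keeps GRE outer packets off gre1
      ip route replace default via 10.0.0.1 dev gre1
    """
    return Host(
        addrs={"eth0": BACKEND_IP_B, "gre1": "10.0.0.2"},
        rules=[Rule("mgmt", from_prefix=BACKEND_IP_B + "/32"), Rule("main")],
        tables={
            "mgmt": [Route("0.0.0.0/0", "eth0", via=REAL_GW)],
            "main": [Route(FRONT_IP_A + "/32", "eth0", via=REAL_GW),
                     Route("203.0.113.0/24", "eth0"),
                     Route("10.0.0.0/30", "gre1"),
                     Route("0.0.0.0/0", "gre1", via="10.0.0.1")],
        },
    )


if __name__ == "__main__":
    web, ssh_client = "192.0.2.80", "192.0.2.50"   # constructed remote hosts
    for name, host in (("question", question_host()), ("tunnel-default", tunnel_default_host())):
        print(name, "plain curl ->", host.egress(web))
        print(name, "--interface ->", host.egress(web, src="10.0.0.2"))
        print(name, "ssh reply  ->", host.egress(ssh_client, src=BACKEND_IP_B))
        print(name, "GRE outer  ->", host.egress(FRONT_IP_A, src=BACKEND_IP_B))
```

Under the page's rules, an unbound connection never enters table GRE, so it takes the main default via eth0 and carries (B)'s real address; only a packet already sourced from 10.0.0.2 reaches the tunnel. In the assumed variant the roles swap: unbound connections take the main default via gre1 (and so appear with (A)'s address after the SNAT on A), while anything sourced from (B)'s real address, which includes the encapsulated GRE packets themselves, still leaves on eth0, so neither the SSH session nor the tunnel is cut off. The host route to (A) in the main table is the guard against routing the tunnel's own outer packets into the tunnel.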