
Here's what I do.

Server (public internet is 222.x.x.x):

# enable forwarding persistently and apply it now
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
# GRE tunnel keyed on the two public addresses; 192.168.168.1 is the server end
iptunnel add gre1 mode gre local 222.x.x.x remote 115.x.x.x ttl 255
ip addr add 192.168.168.1/30 dev gre1
ip link set gre1 up
# traffic arriving from the tunnel subnet leaves with the server's public IP as source
iptables -t nat -A POSTROUTING -s 192.168.168.0/30 -j SNAT --to-source 222.x.x.x
# every packet addressed to 222.x.x.x (any protocol, any port) is rewritten to the client end of the tunnel
iptables -t nat -A PREROUTING -d 222.x.x.x -j DNAT --to-destination 192.168.168.2

Client (public internet is 115.x.x.x):

# client end of the same tunnel, 192.168.168.2
iptunnel add gre1 mode gre local 115.x.x.x remote 222.x.x.x ttl 255
ip addr add 192.168.168.2/30 dev gre1
ip link set gre1 up
# policy routing: a second table named "tunnel" (id 100), consulted only for packets sourced from the tunnel subnet
echo '100 tunnel' >> /etc/iproute2/rt_tables
ip rule add from 192.168.168.0/30 table tunnel
ip route add default via 192.168.168.1 table tunnel

Up to here, everything seems to be working. But then, 1st question: how do I use the GRE tunnel as the default route? The client computer is still using the 115.x.x.x interface as its default.

2nd question: how do I force only ICMP traffic to go through the tunnel, and everything else through the default interface? I tried doing this on the client computer:

# route packets carrying fwmark 200 through the "tunnel" table
ip rule add fwmark 200 table tunnel
# mark every locally generated UDP packet with 200
iptables -t mangle -A OUTPUT -p udp -j MARK --set-mark 200

But after doing this, my ping program times out (if I don't run the 2 commands above and use ping -I gre1 ip instead, it works). Later I also want to do other things, like sending only UDP port 53 through the tunnel, etc.

3rd question: on the client computer, I force one mysql program to listen on the gre1 interface, 192.168.168.2. The client computer also has one more public interface (IP 114.x.x.x)... How do I forward traffic properly using iptables and route so that mysql also responds to a request coming in via this 114.x.x.x public interface?

Jon Lin
wew
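The three questions above are all policy-routing problems on the client, and the following script is an added example that shows one way to solve them; it is not the asker's or the answerer's code. It keeps the public addresses exactly as the page writes them (222.x.x.x, 115.x.x.x, 114.x.x.x); the interface name venet0 (taken from the comments), the PUB_GW variable, routing table 101 and connmark 114 are assumptions chosen for this example. Applying it needs root; with DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Public addresses are
# kept exactly as the page writes them (222.x.x.x, 115.x.x.x, 114.x.x.x).
# PUB_IF, PUB_GW, table 101 and mark 114 are assumptions for this example.
# Needs root to apply; with DRY_RUN=1 the commands are only printed.

SERVER_PUB="${SERVER_PUB:-222.x.x.x}"   # server public IP, GRE endpoint
CLIENT_PUB2="${CLIENT_PUB2:-114.x.x.x}" # client's second public IP, where mysql must also answer
PUB_IF="${PUB_IF:-venet0}"              # assumption: client public interface (named in the comments)
PUB_GW="${PUB_GW:-}"                    # assumption: its gateway; empty for venet0-style "dev only" routes
TUN_IF=gre1
TUN_SRV=192.168.168.1                   # server end of the tunnel
TUN_CLI=192.168.168.2                   # client end of the tunnel
TABLE_TUNNEL=tunnel                     # '100 tunnel' from /etc/iproute2/rt_tables in the question
TABLE_PUB2=101                          # assumption: table for replies that must leave via 114.x.x.x
MARK_TUNNEL=200                         # fwmark the question already uses for "send through gre1"
MARK_PUB2=114                           # assumption: connmark for connections that arrived on 114.x.x.x

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Q1: gre1 as default route. The GRE outer packets to the server must keep
# leaving via the public interface, so pin a host route for the server before
# replacing the default. 'src 192.168.168.2' makes local traffic use the tunnel
# address, which is what the server's 'SNAT -s 192.168.168.0/30' rule expects.
q1_default_via_tunnel() {
    if [ -n "$PUB_GW" ]; then
        run ip route replace "$SERVER_PUB" via "$PUB_GW" dev "$PUB_IF"
    else
        run ip route replace "$SERVER_PUB" dev "$PUB_IF"
    fi
    run ip route replace default via "$TUN_SRV" dev "$TUN_IF" src "$TUN_CLI"
}

# Q2: only chosen traffic through the tunnel. Marking alone is not enough: the
# source address (115.x.x.x) is picked before the mark is applied, so marked
# packets enter gre1 with a source the server's SNAT rule does not match and
# that a strict rp_filter on the server would reject. SNAT them to the tunnel
# address on the way out; conntrack reverses it for the replies.
q2_select_via_tunnel() {
    run ip route replace default via "$TUN_SRV" dev "$TUN_IF" table "$TABLE_TUNNEL"
    run ip rule add fwmark "$MARK_TUNNEL" table "$TABLE_TUNNEL" priority 200
    run iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark "$MARK_TUNNEL"
    run iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark "$MARK_TUNNEL"
    run iptables -t nat -A POSTROUTING -o "$TUN_IF" -j SNAT --to-source "$TUN_CLI"
    # loose reverse-path check: replies enter via gre1 while the main-table route is venet0
    run sysctl -w net.ipv4.conf.all.rp_filter=2
}

# Q3: mysqld listens on 192.168.168.2 only. A request to 114.x.x.x:3306 is
# DNATed to it, but the reply is routed while its source is still
# 192.168.168.2, so 'from 192.168.168.0/30 table tunnel' sends it into the
# tunnel and it reaches the remote client from 222.x.x.x (the symptom in the
# comments). Remember the ingress address per connection with CONNMARK, restore
# the mark on the reply, and route by mark with a priority that beats the
# source rule (a rule added without a priority lands just above main, at 32765
# for the first one; lower numbers win).
q3_reply_via_pub2() {
    run iptables -t nat -A PREROUTING -d "$CLIENT_PUB2" -p tcp --dport 3306 \
        -j DNAT --to-destination "$TUN_CLI"
    run iptables -t mangle -A PREROUTING -d "$CLIENT_PUB2" -p tcp --dport 3306 \
        -j CONNMARK --set-mark "$MARK_PUB2"
    run iptables -t mangle -A OUTPUT -m connmark --mark "$MARK_PUB2" -j CONNMARK --restore-mark
    if [ -n "$PUB_GW" ]; then
        run ip route replace default via "$PUB_GW" dev "$PUB_IF" table "$TABLE_PUB2"
    else
        run ip route replace default dev "$PUB_IF" table "$TABLE_PUB2"
    fi
    run ip rule add fwmark "$MARK_PUB2" table "$TABLE_PUB2" priority 100
}

# Usage: DRY_RUN=1 sh gre-policy.sh q1|q2|q3   (drop DRY_RUN=1 to apply)
case "${1:-}" in
    q1) q1_default_via_tunnel ;;
    q2) q2_select_via_tunnel ;;
    q3) q3_reply_via_pub2 ;;
esac
```

The order of the pieces matters more than any single rule: for Q2, the fwmark rule only reroutes after the source address has already been chosen, which is why the SNAT on gre1 is part of the fix and not an afterthought; for Q3, routing replies by a restored connmark is what lets a daemon bound to the tunnel address answer on whichever public address the connection arrived at, without opening it on 0.0.0.0. Check the result with `ip rule show` (the fwmark rules must have lower numbers than the `from 192.168.168.0/30` rule) and `conntrack -L` or `/proc/net/nf_conntrack` to confirm the SNAT/DNAT mappings are what you expect.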

1 Answer


Question 1

Check out using a gre tunnel as default route.

Question 2 (all ICMP through tunnel)

iptables -t nat -A POSTROUTING -o gre1 -p icmp -j SNAT --to-source 192.168.168.2

Question 3

On the client machine, use DNAT to do port forwarding from the external port to the server port.

Method 2 - port reflection/port mirroring

iptables -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 114.x.x.x --dports 3306 -j DNAT --to-destination 192.168.168.1
iptables -t nat -A POSTROUTING -o gre1 -p tcp -m tcp -m multiport -d 192.168.168.1 --dports 3306 -j SNAT --to-source 192.168.168.2
John Siu
  • My main problem here is how to set up routing and forwarding properly. In the link that you gave, I see the tunneling command is the same. The only difference is the routing command. But I'm not sure how to translate it properly to my network, since their case has some IP ranges to route, while I only have 1 interface each, directly connected to the public internet. I'm sorry, but the 2nd syntax that you gave me doesn't work. It still uses 115.x.x.x as the default route. I presume it's because -o gre1 only catches it if it's already using the gre1 interface? But it's still using venet0 as default. – wew Dec 14 '12 at 05:39
  • About the 3rd answer, it seems it's not as simple as that. I have tried executing this: iptables -t nat -A PREROUTING -d 114.x.x.x -j DNAT --to-destination 192.168.168.2 But due to the routing syntax I gave above, if a mysql client makes a request to 114.x.x.x, it is passed to 192.168.168.2, processed by mysqld, then mysqld replies to it via 192.168.168.1, and then it goes out 222.x.x.x. Since it doesn't reply via 114.x.x.x, the packet is invalid. How do I set it up properly so it will reply back via 114.x.x.x? – wew Dec 14 '12 at 05:40
  • I updated the Question 2 answer already; it was a mistake before. – John Siu Dec 14 '12 at 05:48
  • Q3: added port reflection. – John Siu Dec 14 '12 at 06:02
  • I finally did the 1st question using: ip route del default; ip route add default via 192.168.168.1 dev gre1; ip route add 222.x.x.x via 115.x.x.x dev venet0; ip route flush cache. But it seems DNS is not working. – wew Dec 14 '12 at 06:26
  • Q1: After reading your comment and re-reading your OP, I am a bit confused about this question (Q1). For the client machine, shouldn't its default gateway be 114.x.x.x (internet connection)? Or do you want the SERVER to use gre as the default gateway? – John Siu Dec 14 '12 at 06:28
  • Ehm, 114.x.x.x and 115.x.x.x are public IP interfaces on the client computer. 222.x.x.x is a public IP interface on the server. Both are connected via the gre1 interface using 115.x.x.x and 222.x.x.x. 114.x.x.x is not accessible to 222.x.x.x. If you look at the syntax above, 192.168.168.1 is the gre1 interface on the server, while 192.168.168.2 is the gre1 interface on the client. mysqld listens on the 192.168.168.2 interface, and successfully responds to requests from 222.x.x.x. I want to make it so that any mysql request via 114.x.x.x is also answered. Your port reflection/port mirroring somehow doesn't work. – wew Dec 14 '12 at 06:32
  • With my Q3 method 2, your server will route the mysql request correctly back to the client machine, and then out of 114.x.x.x, without setting the server's default gw to gre. It makes a request that comes in from 114 appear as from 192.168.168.2, then sends it to the server; that is why it will route correctly. – John Siu Dec 14 '12 at 06:34
  • Yes, I tried it without setting the server's default gw to gre as well. But I need to execute this: echo '100 tunnel' >> /etc/iproute2/rt_tables; ip rule add from 192.168.168.0/30 table tunnel; ip route add default via 192.168.168.1 table tunnel; so that mysql also responds properly via 222.x.x.x. I don't know why, but the mysql request via 114.x.x.x is not replied to. – wew Dec 14 '12 at 06:38
  • Can the server and client ping each other correctly using "ping 192.168.168.x"? – John Siu Dec 14 '12 at 06:40
  • Yes, they can reply to each other; 192.168.168.1 and 192.168.168.2 are pingable, even without executing the commands echo '100 tunnel' >> /etc/iproute2/rt_tables; ip rule add from 192.168.168.0/30 table tunnel; ip route add default via 192.168.168.1 table tunnel – wew Dec 14 '12 at 06:43
  • If I execute wget http://www.cpanel.net/showip.cgi --bind-address=192.168.168.2 -q -O - on the client computer, it returns the 222.x.x.x IP properly after I do the route add thing. If I don't do that, it just times out. The gre things already work properly; it's just that mysql refuses to listen on the 114.x.x.x IP as well. – wew Dec 14 '12 at 06:44
  • How are you testing the mysql connection? Directly on the client machine? Or from a third machine with something like "mysql -u user -p -h 114.x.x.x"? If you want to test from the "client machine", you should use "mysql -u user -p -h 192.168.168.1" – John Siu Dec 14 '12 at 06:48
  • Actually "mysql -u user -p -h 114.x.x.x" should work on the "client machine" too. – John Siu Dec 14 '12 at 06:51
  • It's too late here; I will check again in 6 hrs. – John Siu Dec 14 '12 at 06:56
  • I was using a 3rd-party machine, then connecting using mysql -u user -p -h 114.x.x.x. I think it's dangling routing, because when I do traceroute -I gre1 114.x.x.x, it goes to 192.168.168.1 >> 222.x.x.x instead of going back directly to 114.x.x.x. – wew Dec 14 '12 at 09:26
  • My rules for Q3 only work for mysql traffic, as they only do it for 3306. From the "client machine", can you try "mysql -u user -p -h 114.x.x.x" and "mysql -u user -p -h 192.168.168.1"? – John Siu Dec 14 '12 at 13:50
  • Do you have other iptables/firewall rules on the client box? – John Siu Dec 14 '12 at 13:54
  • Sorry guys, but this comment chain is way past excessive. Please [open a chat room](http://chat.stackexchange.com/rooms/new) if you want to engage in extended discussion. – Chris S Dec 14 '12 at 14:03