
I've created a GRE tunnel on my Linux server (VPS, OpenVZ). The server gets a public IP address from this tunnel and I need it to be accessible from the Internet through it.

There is already a default gateway, which is on the hosting provider's network. I can't change or remove it, otherwise I will lose access to the server.

Using a MikroTik router I would mark incoming connections on the GRE tunnel (INPUT chain) and then set a routing mark for the marked connections. Later I would just add a route for the routing mark to 0.0.0.0/0 with the gateway being the IP address of the other end of the tunnel.

However, I can't get the same behavior using iptables and iproute2 on Linux. This is what I've already done, based on other questions here on Server Fault:

iptables -t mangle -A INPUT -j CONNMARK --restore-mark
iptables -t mangle -A INPUT -i gre1 -j MARK --set-mark 100
iptables -t mangle -A INPUT -j CONNMARK --save-mark
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

ip rule add from all fwmark 100 lookup gre_route
ip route add default via 198.51.100.53 table gre_route

The gre_route table has been properly created in /etc/iproute2/rt_tables.

gre1 is the interface of the GRE tunnel. The server IP is 198.51.100.54 and the other end has IP 198.51.100.53 (example addresses).

What's wrong? Why is it not working? I can ping the server from the remote tunnel end, and vice versa, but I can't ping the server's IP address on the tunnel from the Internet (network-tools.com). The public IP address block used in the GRE tunnel is being correctly routed to me by my ISP.

What about it?

Thanks in advance. Bye.

Edit: as requested, here is the output of some commands:

ip link show:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT 
    link/void 
3: gre0: <NOARP> mtu 1476 qdisc noop state DOWN mode DEFAULT 
    link/gre 0.0.0.0 brd 0.0.0.0
4: gretap0: <BROADCAST,MULTICAST> mtu 1476 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: zeoip0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 500
    link/ether ab:cd:ef:12:34:56 brd ff:ff:ff:ff:ff:ff

ip route show:

198.51.100.52/30 dev zeoip0  proto kernel  scope link  src 198.51.100.54 
169.254.0.0/16 dev venet0  scope link  metric 1002 
default dev venet0  scope link

ip rule show:

0:  from all lookup local 
32765:  from all fwmark 0xbcb lookup eoip_rb 
32766:  from all lookup main 
32767:  from all lookup default

I renamed the table gre_route to eoip_rb after changing from pure GRE to EoIP.

ip route show table eoip_rb:

default via 198.51.100.53 dev zeoip0

zeoip0 is an EoIP interface (MikroTik proprietary, works over GRE). I changed to EoIP to test whether it was a problem with ARP tables on my router (GRE doesn't have ARP, EoIP does), but the same problem occurs.

Tiago.SR
  • Can you post the output of `ip link show` and `ip route show`? – pepoluan Jan 09 '15 at 10:41
  • I edited the question with the requested information and some more. – Tiago.SR Jan 09 '15 at 23:35
  • Possible duplicate of http://unix.stackexchange.com/a/23345/39923. Coming from the MikroTik world myself I would choose your approach as well, but there is a way to do this without iptables and packet marking. – Cha0s Jan 10 '15 at 00:41
  • Hm. I hadn't seen that question. I'll try it later and post the results here. – Tiago.SR Jan 10 '15 at 04:23
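The core of the problem is the routing decision made for the reply packets. The following is an added example, not code from the question or its comments: a small simulation of the policy-routing lookup (rule priority order, `from` and `fwmark` selectors, longest-prefix match inside each table) loaded with the `ip rule` and `ip route` output shown above. It then compares the mark-based setup in the question with the marking-free alternative the last comment refers to, a source-address rule (`ip rule add from 198.51.100.54 lookup eoip_rb`). The Internet destination 203.0.113.10 and the venet0 address 10.0.0.5 are constructed values for the simulation; the local table is omitted since it only matters for traffic to the host itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network


@dataclass
class Route:
    """One entry of an `ip route` table."""
    prefix: IPv4Net
    dev: str
    via: Optional[str] = None  # next-hop, None for an on-link route


@dataclass
class Rule:
    """One entry of `ip rule`: lower prio is consulted first."""
    prio: int
    table: str
    src: Optional[IPv4Net] = None  # `from X` selector (None = from all)
    fwmark: Optional[int] = None   # `fwmark N` selector (None = any mark)


def net(s: str) -> IPv4Net:
    return ipaddress.ip_network(s, strict=False)


# Tables reconstructed from the `ip route show` output in the question.
TABLES = {
    "main": [
        Route(net("198.51.100.52/30"), "zeoip0"),
        Route(net("169.254.0.0/16"), "venet0"),
        Route(net("0.0.0.0/0"), "venet0"),
    ],
    "eoip_rb": [
        Route(net("0.0.0.0/0"), "zeoip0", via="198.51.100.53"),
    ],
}

# Rules as shown by `ip rule show` in the question (local table omitted).
RULES_ORIG = [
    Rule(32765, "eoip_rb", fwmark=0xbcb),
    Rule(32766, "main"),
]

# Same rules plus the source-based rule; the selector matches the tunnel
# address itself, so no conntrack or packet marking is needed:
#   ip rule add from 198.51.100.54 lookup eoip_rb prio 32764
RULES_SRC = [Rule(32764, "eoip_rb", src=net("198.51.100.54/32"))] + RULES_ORIG


def lookup_table(routes, dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside a single table."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route(rules, tables, src: str, dst: str, fwmark: int = 0):
    """Return (table, Route) chosen for a packet, like the kernel's FIB lookup:
    walk the rules by priority, skip those whose selectors do not match, and
    take the first table that has a matching route."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.src is not None and s not in rule.src:
            continue
        if rule.fwmark is not None and fwmark != rule.fwmark:
            continue
        hit = lookup_table(tables.get(rule.table, []), d)
        if hit is not None:
            return rule.table, hit
    return None


if __name__ == "__main__":
    reply = ("198.51.100.54", "203.0.113.10")  # reply from tunnel address to an Internet host
    # Without a restored mark the reply leaves through the provider's default gateway.
    print("orig, mark 0    :", route(RULES_ORIG, TABLES, *reply))
    # Only a correctly restored mark sends it back through the tunnel.
    print("orig, mark 0xbcb:", route(RULES_ORIG, TABLES, *reply, fwmark=0xbcb))
    # With the source rule the tunnel address always goes via the tunnel, mark or not.
    print("src rule, mark 0:", route(RULES_SRC, TABLES, *reply))
    # Traffic from the provider-side address is unaffected by the source rule.
    print("src rule, venet0:", route(RULES_SRC, TABLES, "10.0.0.5", "203.0.113.10"))
```

The simulation makes the dependency visible: with the mark-based rules, every reply packet must carry the mark at routing time, which depends on conntrack being loaded and the CONNMARK restore firing in OUTPUT (something to verify with `conntrack -L` or by counting packets on the mangle rules). The source-based rule needs none of that, because the selector is the tunnel address that every reply necessarily carries.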
