GRE tunnel

Prerequisites

  • iptables installed on your VPS (included already in most cases)
  • iproute2 (included with pretty much every recent Linux distribution)
  • A kernel with GRE support (Linux includes this by default - ip_gre kernel module)
  • A list of ports you need forwarded to your destination
  • A VPS at our Romania location, which provides the DDoS protection

Tunnel Setup

First we need to set our tunnel up.

On your FlokiNET VPS please execute the following commands:

echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
iptunnel add gre1 mode gre local YOUR_FILTERED_IP remote DESTINATION_SERVER_IP ttl 255
ip addr add 192.168.168.1/30 dev gre1
ip link set gre1 up

On the remote server you wish to protect run the following:

iptunnel add gre1 mode gre local DESTINATION_SERVER_IP remote YOUR_FILTERED_IP ttl 255
ip addr add 192.168.168.2/30 dev gre1
ip link set gre1 up

Please note that the first line differs on each side: it marks which IP is local and which is remote. The second line assigns the tunnel address of each endpoint. In a /30, two IPs are usable: .1 and .2.

Test your New GRE Tunnel with Ping

On your FlokiNET VPS, you should now be able to ping 192.168.168.2.

For the sake of completeness, test pinging 192.168.168.1 from your destination server.

Setup Source Route Tables

Source route entries are required to make sure data that came in via the GRE tunnel is sent back out the GRE tunnel.

Please execute the following commands on the destination server.

echo '100 BUYVM' >> /etc/iproute2/rt_tables
ip rule add from 192.168.168.0/30 table BUYVM
ip route add default via 192.168.168.1 table BUYVM

Please note that the echo command only needs to be run once. The entry stays in /etc/iproute2/rt_tables until you remove it manually.

Initial NAT Entries to Move Data over GRE Tunnel

NAT is used to pass data over our GRE and out the other end.

On your FlokiNET VPS run the following command:

iptables -t nat -A POSTROUTING -s 192.168.168.0/30 ! -o gre+ -j SNAT --to-source YOUR_FILTERED_IP

Test Outbound Connections

On your destination server you can run either of the following commands to see if the tunnel is passing traffic properly:

curl http://www.cpanel.net/showip.cgi --interface 192.168.168.2
wget http://www.cpanel.net/showip.cgi --bind-address=192.168.168.2 -q -O -

The IP printed should be your filtered VPS IP.

Forwarding Ports Over your GRE Tunnel

To make things easier, we'll forward all ports to the backend server.

Run the following commands on your FlokiNET VPS:

iptables -t nat -A PREROUTING -d YOUR_FILTERED_IP -j DNAT --to-destination 192.168.168.2
iptables -A FORWARD -d 192.168.168.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

If you want to be more specific, you can add a protocol and port match to those rules, for example:

-p tcp --dport 25565

if you only wanted to protect a Minecraft server, for instance.

The first rule sets up the actual port forwarding; the second rule makes sure the NAT'd connections are accepted and matched back properly.

At this point you should be able to connect to YOUR_FILTERED_IP and the destination port with your application and get passed through the GRE tunnel without issue.

Restarting your GRE Tunnel After Rebooting

You can edit /etc/rc.local with your favourite editor (or even WinSCP) and place all the commands we just ran before the exit 0 at the bottom.

Your distribution of choice (like Debian) may have hooks in /etc/network/interfaces to bring your GRE tunnels up at boot time but that's outside the scope of this guide.
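Because rc.local re-runs the commands above on every boot, a bring-up script should be safe to run repeatedly. The following is an added example (not FlokiNET's own script) that applies the guide's steps for either end of the tunnel, skipping anything already present, and optionally limits the forwarding to one TCP port. It assumes iproute2's `ip tunnel` as the equivalent of the guide's `iptunnel`, and the IPs used when calling it are placeholders.

```shell
#!/bin/sh
# gre_up: idempotent bring-up for one end of the guide's GRE tunnel (added example,
# not FlokiNET's own script). Usage: gre_up <vps|backend> FILTERED_IP DEST_IP [TCP_PORT]
# DRY_RUN=1 prints the commands instead of running them (handy for checking rc.local).
TUN=gre1; VPS_TUN_IP=192.168.168.1; BACKEND_TUN_IP=192.168.168.2
TUN_NET=192.168.168.0/30; TABLE=BUYVM   # table name from the guide's rt_tables line

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }
# exists PROBE...: true if the probe succeeds; in DRY_RUN nothing is assumed to exist
exists() { [ "${DRY_RUN:-0}" != 1 ] && "$@" >/dev/null 2>&1; }
# rule TABLE CHAIN MATCH...: append the iptables rule only if it is not already there (-C)
rule() { t=$1; c=$2; shift 2; exists iptables -t "$t" -C "$c" "$@" || run iptables -t "$t" -A "$c" "$@"; }

gre_up() {
  role=$1; filtered=$2; dest=$3; port=${4:-}
  case "$role" in
    vps)     local_ip=$filtered; remote_ip=$dest;     tun_ip=$VPS_TUN_IP;     peer=$BACKEND_TUN_IP ;;
    backend) local_ip=$dest;     remote_ip=$filtered; tun_ip=$BACKEND_TUN_IP; peer=$VPS_TUN_IP ;;
    *) echo "role must be vps or backend" >&2; return 2 ;;
  esac
  # 'ip tunnel' is the iproute2 spelling of the guide's iptunnel command
  exists ip link show "$TUN" || {
    run ip tunnel add "$TUN" mode gre local "$local_ip" remote "$remote_ip" ttl 255
    run ip addr add "$tun_ip/30" dev "$TUN"
  }
  run ip link set "$TUN" up
  if [ "$role" = vps ]; then
    run sysctl -w net.ipv4.ip_forward=1
    rule nat POSTROUTING -s "$TUN_NET" ! -o gre+ -j SNAT --to-source "$filtered"
    m=""; [ -n "$port" ] && m="-p tcp --dport $port"   # empty match = forward every port
    rule nat PREROUTING -d "$filtered" $m -j DNAT --to-destination "$BACKEND_TUN_IP"
    rule filter FORWARD -d "$BACKEND_TUN_IP" $m -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  else
    exists grep -q "$TABLE" /etc/iproute2/rt_tables || run sh -c "echo '100 $TABLE' >> /etc/iproute2/rt_tables"
    exists sh -c "ip rule show | grep -q 'lookup $TABLE'" || run ip rule add from "$TUN_NET" table "$TABLE"
    run ip route replace default via "$VPS_TUN_IP" table "$TABLE"
  fi
  # verify that the far end answers through the tunnel (skipped in DRY_RUN)
  [ "${DRY_RUN:-0}" = 1 ] || run ping -c 2 -W 2 "$peer"
}
```

Run it as root on each side, e.g. `gre_up vps 203.0.113.10 198.51.100.20 25565` on the FlokiNET VPS and `gre_up backend 203.0.113.10 198.51.100.20` on the destination server; the exit status is that of the final ping.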
