GRE Tunnel every port

Is there a way to GRE tunnel an IP to a remote server with every port? TCP and UDP

Comments

  • SplitIce Member, Host Rep

    Yes,

    If you are using a DDoS protection service this may be called "DMZ" (Or at least it is in our case).

    You can either NAT everything or forward anything (depending on if you have any other rules for filtering setup that require NAT). Removing the destination port condition will NAT everything.

    You will need a rule for both TCP and UDP. Additionally if this is for DDoS protection be sure to factor in the potential strain on conntrack entries against a random destination port attack.

  • @SplitIce said:

    How do I configure that? I just need to tunnel it from one of my VM to the other and forward everything. Any tutorials?

  • jarjar Patron Provider, Top Host, Veteran
    edited September 2014

    I don't see why more people don't just use xinetd. Maybe GRE is more private (I wouldn't know) but it seems like most people just want to forward traffic. I used this just a bit ago to migrate MXroute, with a DNS change, without interrupting service.

    http://azouhr.wordpress.com/2012/06/21/port-forwarding-with-xinetd/

  • I am using it. But how do you modify the NAT to forward all ports?

  • @dnwk said:
    I am using it. But how do you modify the NAT to forward all ports?

    Unfortunately I don't have access to my computer to check, but I guess it would be an IPTables rule.

  • @0xdragon said:
    Unfortunately I don't have access to my computer to check, but I guess it would be an IPTables rule.

    There are iptables rules on BuyVM's wiki

    iptables -t nat -A PREROUTING -p tcp -d YOUR_FILTERED_IP --dport 25565 -j DNAT --to-destination 192.168.168.2:25565

    iptables -A FORWARD -p tcp -d 192.168.168.2 --dport 25565 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

  • SplitIce Member, Host Rep
    edited September 2014

    To follow the instructions given:

    iptables -t nat -A PREROUTING -p tcp -d YOUR_FILTERED_IP -j DNAT --to-destination 192.168.168.2
    iptables -A FORWARD -p tcp -d 192.168.168.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    
  • If this is a secondary IP, you can do it without involving iptables at all.

    Route anything that hits the IP through the GRE endpoint, done.

  • @SplitIce said:
    To follow the instructions given:

    Do I still need

    iptables -t nat -A POSTROUTING -s 192.168.168.0/30 -j SNAT --to-source YOUR_FILTERED_IP
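    The all-port rule set the last few posts converge on, collected into one script as an added example (not code from the thread or from the BuyVM wiki). It keeps the thread's 192.168.168.x tunnel addresses and the YOUR_FILTERED_IP placeholder; the DRY_RUN switch, the helper names, the ip_forward line and the conntrack check are assumptions of this example. `-m conntrack --ctstate` is the current spelling of the `-m state --state` match used above.

```shell
#!/bin/sh
# Forward every TCP and UDP port that arrives at a filtered (public) IP
# through a GRE tunnel to a backend, using DNAT. Added example; addresses
# are the thread's sample values or placeholders, not a real deployment.
#
# Usage: APPLY=1 FILTERED_IP=203.0.113.10 sh forward_all.sh   (needs root)
#        sh forward_all.sh                                  (defines functions only)
#        DRY_RUN=1 ... ; dry_rules                           (print, do not apply)

FILTERED_IP="${FILTERED_IP:-YOUR_FILTERED_IP}"   # public IP on the tunnel front end
BACKEND_IP="${BACKEND_IP:-192.168.168.2}"         # far end of the GRE tunnel
TUNNEL_NET="${TUNNEL_NET:-192.168.168.0/30}"     # tunnel point-to-point subnet
DRY_RUN="${DRY_RUN:-}"

# run: execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# build_rules: the full rule set. One DNAT and one FORWARD rule per
# protocol; leaving out --dport is what makes every port match.
build_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    for proto in tcp udp; do
        run iptables -t nat -A PREROUTING -p "$proto" -d "$FILTERED_IP" \
            -j DNAT --to-destination "$BACKEND_IP"
        run iptables -A FORWARD -p "$proto" -d "$BACKEND_IP" \
            -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    done
    # SNAT is not what un-DNATs the replies: conntrack reverses the DNAT by
    # itself as long as the backend routes replies back through the tunnel.
    # It is what lets the backend *originate* traffic that leaves with the
    # filtered IP as its source instead of a tunnel address.
    run iptables -t nat -A POSTROUTING -s "$TUNNEL_NET" -j SNAT --to-source "$FILTERED_IP"
}

# dry_rules / count_rules: show what build_rules would execute (no root needed).
dry_rules()   { ( DRY_RUN=1; build_rules ); }
count_rules() { dry_rules | grep -c '^iptables'; }

# conntrack_headroom: every NATed flow costs a conntrack entry, which is the
# state a random-destination-port flood exhausts (SplitIce's caveat above).
conntrack_headroom() {
    d=/proc/sys/net/netfilter
    [ -r "$d/nf_conntrack_count" ] || { echo "conntrack not loaded"; return 0; }
    echo "conntrack $(cat "$d/nf_conntrack_count")/$(cat "$d/nf_conntrack_max")"
}

if [ -n "${APPLY:-}" ]; then build_rules; fi
```

    Running `dry_rules` first and reading the five lines back is the cheapest check that the placeholders were filled in before anything touches the live ruleset.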

  • @Wintereise said:
    If this is a secondary IP, you can do it without involving iptables at all.

    Route anything that hits the IP through the GRE endpoint, done.

    Yes. It is secondary IP! Could you give me route command?

  • Wintereise Member
    edited September 2014

    dnwk said: Yes. It is secondary IP! Could you give me route command?

    Try reading http://linux-ip.net/html/tools-ip-route.html if this is Linux.

    What you want to do is route traffic to the /30 (or /32) to the IP of the GRE endpoint on the other side (Make sure it works first and is reachable).

    Something like the following essentially (Note that other initialization steps have been skipped, and you need to read up on how it works before trying it. Your tunnel should be initialized through the main IP),

    
    ip route add secondary_IP/32 dev gre(n)
    ip rule add from secondary_IP/32 table 100
    ip route add default via endpoint_IP table 100


    If you want encryption, look at n2n/ipsec. You may also need to use source routing to make sure traffic goes out the right IP/interface.

    Edit: LET appears to try to parse HTML even inside pre blocks, this is a massively annoying bug, imo.
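    The route-only approach from the post above, written out as an added example that is not the poster's own script. It splits the commands across the two hosts and adds the tunnel initialization the post says it skipped; every address (RFC 5737 documentation ranges), the device name gre1 and table 100 are assumed placeholders.

```shell
#!/bin/sh
# Hand a secondary public IP through a GRE tunnel with plain routing, no
# iptables NAT. Added example; all addresses are assumed placeholders.
#
#   front end   FRONT_PUB  is the host whose provider routes SECONDARY to it
#   backend     BACK_PUB   should answer on SECONDARY
#   tunnel      FRONT_IN / BACK_IN are the inner point-to-point addresses
#
# Usage: SIDE=front sh gre_secondary.sh   or   SIDE=back sh gre_secondary.sh
# DRY_RUN=1 prints the commands instead of running them (no root needed).

FRONT_PUB="${FRONT_PUB:-198.51.100.1}"
BACK_PUB="${BACK_PUB:-198.51.100.2}"
SECONDARY="${SECONDARY:-203.0.113.5}"
FRONT_IN="${FRONT_IN:-10.255.0.1}"
BACK_IN="${BACK_IN:-10.255.0.2}"
DEV="${DEV:-gre1}"
TABLE="${TABLE:-100}"
DRY_RUN="${DRY_RUN:-}"

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# tunnel_up LOCAL REMOTE INNER: the initialization step the post skips.
# The outer GRE header only ever carries the two hosts' main addresses.
tunnel_up() {
    run ip tunnel add "$DEV" mode gre local "$1" remote "$2" ttl 255
    run ip addr add "$3/30" dev "$DEV"
    run ip link set "$DEV" up
}

# front_side: everything addressed to SECONDARY is pushed down the tunnel.
# No NAT means no conntrack entry per flow, so the random-port conntrack
# concern raised earlier in the thread does not apply here.
front_side() {
    tunnel_up "$FRONT_PUB" "$BACK_PUB" "$FRONT_IN"
    run sysctl -w net.ipv4.ip_forward=1
    run ip route add "$SECONDARY/32" via "$BACK_IN" dev "$DEV"
}

# back_side: bind SECONDARY on the tunnel and source-route its replies.
# The policy rule sends anything *from* SECONDARY to table 100, whose only
# route is a default via the front end's inner address, so replies return
# through the tunnel instead of leaving via the backend's own uplink, where
# the provider would normally drop a packet with a foreign source address.
back_side() {
    tunnel_up "$BACK_PUB" "$FRONT_PUB" "$BACK_IN"
    run ip addr add "$SECONDARY/32" dev "$DEV"
    run ip rule add from "$SECONDARY/32" table "$TABLE"
    run ip route add default via "$FRONT_IN" table "$TABLE"
}

# plan SIDE: dry-run listing of what one side would execute.
plan() { ( DRY_RUN=1; case "$1" in front) front_side ;; back) back_side ;; esac ); }

case "${SIDE:-}" in
    front) front_side ;;
    back)  back_side ;;
    *)     : ;;    # no SIDE given: only define the functions
esac
```

    After applying both sides, `ip route get 203.0.113.5` on the front end should name gre1, and `ip route get 8.8.8.8 from 203.0.113.5` on the backend should also go via gre1; if the second one names the uplink instead, the policy rule is missing and replies will never reach the front end.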

  • Wintereise said: Edit: LET appears to try to parse HTML even inside pre blocks, this is a massively annoying bug, imo.

    That's not a bug. It's a part of the HTML5 spec. Use code and pre tags together.

    http://www.w3.org/TR/html401/struct/text.html#edef-CODE

    http://www.w3.org/TR/html401/struct/text.html#edef-PRE

    For example, to bold parts of code in markdown: http://stackoverflow.com/questions/10063896/how-do-i-add-markdown-formatting-in-a-code-pre-block
