CSF and GRE Tunneling

edited January 2015 in Providers

Has anyone successfully set up a GRE tunnel while using the CSF firewall?

I did my setup following http://wiki.buyvm.net/doku.php/gre_tunnel with CSF off. Now that I have turned CSF on, I managed to create some rules on the DDoS-protected host to get GRE working.

They are as follows (entered in csfpre.sh):

    # accept GRE from the protected server only, addressed to this host
    /sbin/iptables -A INPUT -i eth0 -p gre -d [ddosprotectedip] -s [servertobeprotected] -j ACCEPT
    # accept and forward traffic arriving through the tunnel interface
    /sbin/iptables -A INPUT -i gre1 -j ACCEPT
    /sbin/iptables -A FORWARD -i gre1 -j ACCEPT
    # forward inbound traffic destined for the tunnel /30 and SNAT it to the public IP
    /sbin/iptables -A FORWARD -d 192.168.168.0/30 -i eth0 -j ACCEPT
    /sbin/iptables -t nat -A POSTROUTING -s 192.168.168.0/30 -j SNAT --to-source [ddosprotectedip]

On the server that I am trying to protect though, things seem to be getting a little dicey.

Using:

    # accept GRE from the DDoS-protected host and anything arriving on the tunnel
    /sbin/iptables -A INPUT -i eth0 -p gre -s [ddosprotectedip] -j ACCEPT
    /sbin/iptables -A INPUT -i gre1 -j ACCEPT

seems to block GRE traffic on the tunnel. So far, the only way I have found to get the traffic to pass through is to add the DDoS-protected IP to /etc/csf/csf.allow.
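The two rule sets above rendered from one set of variables, as an added example that is not code from the original post: each address is validated before it is interpolated, so a typo cannot silently widen the INPUT or FORWARD accept beyond the intended peer and tunnel subnet. The addresses and the gre1 interface name below are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): build the csfpre.sh rules for both ends
# of the GRE tunnel from one set of variables, validating inputs first.
IPT=/sbin/iptables   # path used in the thread's rules

# Return 0 if $1 is a dotted quad with every octet in 0-255, else 1.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr '.' ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

# DDoS-protected frontend: GRE only from the backend and only to our own
# address; forwarding and SNAT limited to the tunnel /30, not any source.
frontend_rules() {
  ddos_ip=$1 backend_ip=$2 tun_if=$3 tun_net=$4
  valid_ipv4 "$ddos_ip" && valid_ipv4 "$backend_ip" || return 1
  valid_ipv4 "${tun_net%/*}" || return 1
  printf '%s\n' \
    "$IPT -A INPUT -i eth0 -p gre -s $backend_ip -d $ddos_ip -j ACCEPT" \
    "$IPT -A INPUT -i $tun_if -j ACCEPT" \
    "$IPT -A FORWARD -i $tun_if -j ACCEPT" \
    "$IPT -A FORWARD -i eth0 -d $tun_net -j ACCEPT" \
    "$IPT -t nat -A POSTROUTING -s $tun_net -j SNAT --to-source $ddos_ip"
}

# Protected backend: GRE only from the frontend, plus whatever arrives
# through the tunnel interface itself.
backend_rules() {
  ddos_ip=$1 tun_if=$2
  valid_ipv4 "$ddos_ip" || return 1
  printf '%s\n' \
    "$IPT -A INPUT -i eth0 -p gre -s $ddos_ip -j ACCEPT" \
    "$IPT -A INPUT -i $tun_if -j ACCEPT"
}

# Constructed sample values (documentation ranges); replace before use.
DDOS_IP=198.51.100.10
BACKEND_IP=203.0.113.20
frontend_rules "$DDOS_IP" "$BACKEND_IP" gre1 192.168.168.0/30
backend_rules  "$DDOS_IP" gre1
```

Redirect the output of each function into the csfpre.sh of the matching host; the functions return non-zero and print nothing if an address is malformed.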

Comments

  • SplitIce Member, Host Rep
    edited January 2015

    White-listing the IP is the correct procedure. Also whitelist any internal IPs. Simple and Effective.

  • @SplitIce said:
    White-listing the IP is the correct procedure. Also whitelist any internal IPs.

    Ah, thanks

    Thought I was doing something wrong when I found that I had to whitelist the IP to get a connection.

  • edited January 2015

    By the way, I am having another issue where the tunnel stops working until I do some pings across it from the VPS that is being protected. Seems like there is no keepalive.

    Anyone have any ideas to fix that, other than doing a cron with a ping?

  • SplitIce Member, Host Rep

    GRE is stateless, it has nothing like a keepalive.

  • netomx Moderator, Veteran

    Question... Is it really a good option to make a tunnel? Isn't it easier to use iptables to forward a port?

  • @netomx said:
    Question... Is it really a good option to make a tunnel? Isn't it easier to use iptables to forward a port?

    If you're doing IP banning, or simply wish to have the correct source IP on the remote system, you use GRE. You can easily view this in tcpdump.

    Thanked by 1 netomx
  • @netomx said:
    Question... Is it really a good option to make a tunnel? Isn't it easier to use iptables to forward a port?

    I think the issue becomes the destination server's reply. (In the case of tunnels, you do so because you want the reply to go through the tunnel.)

    Thanked by 1 netomx