
I have an application that suffers from DDoS, so we put it behind a filter that works on the basis of GRE.

The filter works fine, but the application has a subapplication that answers on other ports and ends up answering from a different IP as well (in this case, the server's default IP).

Is there any way that I can route outbound traffic from a particular port to the GRE IP?

I tried this but was not successful; the traffic is still not routed through the GRE tunnel:

iptables -t nat -A POSTROUTING -o eth0 -p udp -j SNAT --to-source 192.168.168.2

192.168.168.2 is the server's IP on the GRE tunnel. The packet is still being sent from the public IP and not through the GRE tunnel.

  • You may use mangle to mark your packets and then route them however you want. – Zareh Kasparian Jun 15 '22 at 19:32
  • Routing requires routing tools. iptables doesn't route and can only sometimes be used to affect the route (as said: with marks, or with NAT). You're in a multi-homed environment, which specifically affects UDP-based services. They have to be configured (either at config level or in code) specifically to avoid choosing the wrong UDP source to reply from, either by never binding to 0.0.0.0 (e.g. the BIND 9 DNS server) or by using IP_PKTINFO (e.g. the Unbound DNS server). – A.B Jun 16 '22 at 10:22
  • I solved this by changing the application's source code to choose the correct interface. – Joabe Meirelles Jun 16 '22 at 20:07
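The failure mode A.B's comment describes, and the in-code fix the asker ended up with, as an added example that is not code from the original question or its comments: a UDP responder bound to 0.0.0.0 replies from whichever source address the routing table picks for the client, unless it reads the request's destination address with IP_PKTINFO and sends the reply with that address as the source. Everything here is this example's own: it assumes Linux (IP_PKTINFO is option 8, and all of 127.0.0.0/8 is local on lo, so 127.0.0.2 stands in for the tunnel-side address 192.168.168.2 from the question), and the demo() helper, the "ping" request and the "echo:" reply are constructed for the demonstration.

```python
"""Multi-homed UDP source-address trap and the IP_PKTINFO fix.

Added example (not from the question or the comments). Assumes Linux:
IP_PKTINFO is socket option 8 and the whole 127.0.0.0/8 range is local on lo,
so 127.0.0.2 stands in for the tunnel-side address (192.168.168.2 in the question).
"""
import socket
import struct
import threading

# Linux value; older CPython versions do not export socket.IP_PKTINFO.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
# struct in_pktinfo { int ipi_ifindex; struct in_addr ipi_spec_dst; struct in_addr ipi_addr; }
PKTINFO_FMT = "=i4s4s"
PKTINFO_SIZE = struct.calcsize(PKTINFO_FMT)  # 12 bytes


def recv_with_dst(sock, bufsize=2048):
    """Receive one datagram; return (payload, peer, destination IP of the request).

    The destination IP is the address the client actually sent to, i.e. the
    address the reply must come from. Requires IP_PKTINFO enabled on sock.
    """
    data, ancdata, _flags, peer = sock.recvmsg(bufsize, socket.CMSG_SPACE(PKTINFO_SIZE))
    dst_ip = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, addr = struct.unpack(PKTINFO_FMT, cdata[:PKTINFO_SIZE])
            dst_ip = socket.inet_ntoa(addr)  # ipi_addr: header destination of the request
    return data, peer, dst_ip


def send_from(sock, data, peer, src_ip):
    """Send a datagram with an explicit source address via IP_PKTINFO ancillary data."""
    # On send, ipi_spec_dst is taken as the source address; ifindex 0 lets routing choose.
    pktinfo = struct.pack(PKTINFO_FMT, 0, socket.inet_aton(src_ip), b"\0" * 4)
    return sock.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, peer)


def _serve_one(server, fix_source):
    data, peer, dst_ip = recv_with_dst(server)
    if fix_source and dst_ip is not None:
        send_from(server, b"echo:" + data, peer, dst_ip)  # reply from the address we were reached on
    else:
        server.sendto(b"echo:" + data, peer)              # kernel picks the source by routing


def demo(fix_source, target="127.0.0.2"):
    """Bind a UDP echo server on 0.0.0.0, query it at `target`, return (reply, reply source IP)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    server.bind(("0.0.0.0", 0))  # wildcard bind: the trap the comments describe
    port = server.getsockname()[1]
    worker = threading.Thread(target=_serve_one, args=(server, fix_source), daemon=True)
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(3)
    try:
        client.sendto(b"ping", (target, port))  # constructed request to the "tunnel" address
        reply, (reply_ip, _port) = client.recvfrom(2048)
    finally:
        worker.join(3)
        client.close()
        server.close()
    return reply, reply_ip


if __name__ == "__main__":
    for fix in (False, True):
        reply, src = demo(fix)
        print(f"fix_source={fix}: reply {reply!r} came from {src}")
```

Without the fix the client sends to 127.0.0.2 but the reply arrives from 127.0.0.1, which is the same symptom as the question (traffic answered from the server's default IP instead of the GRE address); with the fix the reply comes from 127.0.0.2. The other option from the comment, binding the socket to the tunnel address instead of 0.0.0.0, avoids the ancillary-data handling entirely but needs one socket per address.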

0 Answers