Multicraft: Port Forwarding through a GRE Tunnel

Question

For the past week I've been attempting to protect a server from DOS attacks by utilizing a GRE tunnel from a VPS to a dedicated machine without much success.

Visual:

User --> VPS --> Dedicated Server

I've followed several guides BUYVM and Minecraft DDOS Protection and modified it as needed.

What I've done so far:

On both machines the following kernel modules are loaded

ip_gre
ip_nat_pptp
ip_conntrack_pptp

Additionally ipv4 port forwarding is enabled on both machines.

Setting up GRE on the dedicated machine:

ip tunnel add veridian mode gre remote VPS_EXTERN_IP local DEDICATED_EXTERN_IP ttl 255
ip link set veridian up
ip addr add 10.10.10.1/24 dev veridian

This produces the interface:

veridian  Link encap:UNSPEC  HWaddr 3F-8D-F2-FA-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.10.10.1  P-t-P:10.10.10.1  Mask:255.255.255.0
          inet6 addr: fe80::200:5efe:3f8d:f2fa/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:4016 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3970 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:338404 (338.4 KB)  TX bytes:359357 (359.3 KB)

Setting up GRE on the VPS

ip tunnel add gre1 mode gre remote DEDICATED_EXTERN_IP local VPS_EXTERN_IP ttl 255
ip link set gre1 up
ip addr add 10.10.10.2/24 dev gre1

This produces the interface:

gre1      Link encap:UNSPEC  HWaddr 68-83-98-C8-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.10.10.2  P-t-P:10.10.10.2  Mask:255.255.255.0
          inet6 addr: fe80::200:5efe:6883:98c8/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:3743 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3811 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:314188 (314.1 KB)  TX bytes:335587 (335.5 KB)

Adding the VPS interface IP to the Source Route Table on the Dedicated Server:

echo '100 VERIDIAN' >> /etc/iproute2/rt_tables
ip rule add from 10.10.10.0/24 table VERIDIAN
ip route add default via 10.10.10.2 table VERIDIAN

What Works

From here I can ping the Dedicated Server from the VPS successfully

ping 10.10.10.1

and vice versa

ping 10.10.10.2

Additionally when I setup the NAT entry on the VPS

iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -j SNAT --to-source VPS_EXTERN_IP

I can successfully retrieve the external IP of the VPS from the Dedicated Server by running:

curl http://www.cpanel.net/showip.cgi --interface 10.10.10.1

What Doesn't Work - Port Forwarding

On the VPS I now run:

iptables -t nat -A PREROUTING -p tcp -d VPS_EXTERN_IP --dport 25565 -j DNAT --to-destination 10.10.10.1:25565

iptables -A FORWARD -p tcp -d 10.10.10.1 --dport 25565 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

I now attempt to connect to the gaming server through the VPS's external IP address without any success.

I've been fighting with this for over a week any help would be much appreciated.

Update

Everything above is correct.

A bit more debugging and I found that the wrapper daemon (Multicraft) for the game server blocks localhost connections when the external ip is set for the game instance.

The solution is to set the IP to 0.0.0.0 and the port forwarding works perfectly.

Answer 1

As I don't see it in your shown documentation, I'm going to assume you forgot to enable IP forwarding.

Run the following command to verify that this is indeed the case:

sysctl net.ipv4.ip_forward

If IP forwarding is indeed disabled you should see:

net.ipv4.ip_forward = 0

If this is your problem, run:

sysctl -w net.ipv4.ip_forward=1

Possibly your problem is with the ports not being open / firewalls blocking the ports.
You can easily test this from your VPS to your dedicated machine using nmap:

nmap -A 10.10.10.2/24 -p 25565

And from your client machine to your externally accessible machine in the same way, but replace 10.10.10.2 with your VPS external address.