For the past week I've been attempting to protect a server from DOS attacks by utilizing a GRE tunnel from a VPS to a dedicated machine without much success.
Visual:
User --> VPS --> Dedicated Server
I've followed several guides BUYVM and Minecraft DDOS Protection and modified it as needed.
What I've done so far:
On both machines the following kernel modules are loaded
ip_gre
ip_nat_pptp
ip_conntrack_pptp
Additionally ipv4 port forwarding is enabled on both machines.
Setting up GRE on the dedicated machine:
ip tunnel add veridian mode gre remote VPS_EXTERN_IP local DEDICATED_EXTERN_IP ttl 255
ip link set veridian up
ip addr add 10.10.10.1/24 dev veridian
This produces the interface:
veridian Link encap:UNSPEC HWaddr 3F-8D-F2-FA-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.10.1 P-t-P:10.10.10.1 Mask:255.255.255.0
inet6 addr: fe80::200:5efe:3f8d:f2fa/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
RX packets:4016 errors:0 dropped:0 overruns:0 frame:0
TX packets:3970 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:338404 (338.4 KB) TX bytes:359357 (359.3 KB)
Setting up GRE on the VPS
ip tunnel add gre1 mode gre remote DEDICATED_EXTERN_IP local VPS_EXTERN_IP ttl 255
ip link set gre1 up
ip addr add 10.10.10.2/24 dev gre1
This produces the interface:
gre1 Link encap:UNSPEC HWaddr 68-83-98-C8-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.10.2 P-t-P:10.10.10.2 Mask:255.255.255.0
inet6 addr: fe80::200:5efe:6883:98c8/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1476 Metric:1
RX packets:3743 errors:0 dropped:0 overruns:0 frame:0
TX packets:3811 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:314188 (314.1 KB) TX bytes:335587 (335.5 KB)
Adding the VPS interface IP to the Source Route Table on the Dedicated Server:
echo '100 VERIDIAN' >> /etc/iproute2/rt_tables
ip rule add from 10.10.10.0/24 table VERIDIAN
ip route add default via 10.10.10.2 table VERIDIAN
What Works
From here I can ping the Dedicated Server from the VPS successfully
ping 10.10.10.1
and vice versa
ping 10.10.10.2
Additionally when I setup the NAT entry on the VPS
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -j SNAT --to-source VPS_EXTERN_IP
I can successfully retrieve the external IP of the VPS from the Dedicated Server by running:
curl http://www.cpanel.net/showip.cgi --interface 10.10.10.1
What Doesn't Work - Port Forwarding
On the VPS I now run:
iptables -t nat -A PREROUTING -p tcp -d VPS_EXTERN_IP --dport 25565 -j DNAT --to-destination 10.10.10.1:25565
iptables -A FORWARD -p tcp -d 10.10.10.1 --dport 25565 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
I now attempt to connect to the gaming server through the VPS's external IP address without any success.
I've been fighting with this for over a week any help would be much appreciated.
Update
Everything above is correct.
A bit more debugging and I found that the wrapper daemon (Multicraft) for the game server blocks localhost connections when the external ip is set for the game instance.
The solution is to set the IP to 0.0.0.0 and the port forwarding works perfectly.