
I have two hosts which need to have a GRE tunnel between them. In between the two I have a relay host which needs to perform NAT and forward the GRE traffic in either direction.

grehostA --- natrelayhost --- grehostB

All hosts run Debian. To keep the explanation simple I will limit myself to the traffic going from grehostA to grehostB and not worry about the return traffic. We are looking at the iptables configuration for natrelayhost:

iptables -t nat -A PREROUTING -p gre -s grehostA -d natrelayhost -j LOG --log-prefix "[netfilter] GRE-PRE: "
iptables -t nat -A PREROUTING -p gre -s grehostA -d natrelayhost -j DNAT --to-destination grehostB

iptables -t nat -A POSTROUTING -p gre -j LOG --log-prefix "[netfilter] GRE-POST: "
iptables -t nat -A POSTROUTING -p gre ! -s natrelayhost -j MASQUERADE

iptables -A FORWARD -p gre -j LOG --log-prefix "[netfilter] GRE-FWD: "
iptables -A FORWARD -p gre -j ACCEPT

I also have INPUT rules for debugging, though I don't think I need those:

iptables -A INPUT -p gre -j LOG --log-prefix "[netfilter] GRE-IN: "
iptables -A INPUT -p gre -j ACCEPT

And of course, sysctl -w net.ipv4.ip_forward=1.

I have the following kernel modules loaded:

modprobe nf_conntrack_proto_gre
modprobe nf_nat_proto_gre

And also a few other kernel modules which I don't think I need but decided to try anyway:

modprobe ip_gre
modprobe ip_conntrack_pptp
modprobe ip_nat_pptp

The problem:

When traffic is sent from grehostA I get the GRE-PRE log messages, showing that the DNAT rule is performed. But I don't get any of the GRE-POST/GRE-FWD/GRE-IN log messages, even though the POSTROUTING/FORWARD/INPUT chains are set up to log and pass all GRE traffic. It appears none ever passes through them. After the DNAT I would expect to see packets here.

I have tried adding the rules at the top of their respective chains to make sure no other rules are accepting or rejecting the traffic first but it makes no difference.

Please keep in mind that I will add further source/destination host checks to the rules to prevent unauthorized access, once I actually get it to work.

EDIT: Fixed by adding a host route on natrelayhost to grehostB. Thank you Tomek!

Rapsey
  • Do you have a route which covers grehostB on natrelayhost? You can also consider using the TRACE target in the raw table to see the path GRE packets are taking through iptables. – Tomek Apr 19 '19 at 19:32
  • I did not have a specific route because natrelayhost can reach grehostB via its default gateway. However, it is actually not necessary to route through a gateway since the two are on the same physical machine. I added a host route which sends it to the shared network bridge directly (without a gateway) and suddenly it works. Thank you!!! Since natrelayhost was able to reach grehostB via the gateway all along, I would've never figured out that it was a routing problem. Also big thanks for suggesting TRACE. I tried it, and before the host route fix the trace would end right after the DNAT rule. – Rapsey Apr 19 '19 at 21:05
  • I am glad you worked it out, especially since my tries with nftables failed. But I am on a pretty old kernel so I'll just leave it there. – Tomek Apr 19 '19 at 21:08

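An added example (not code from the question or the comments) that applies the configuration this thread arrived at on the relay: the GRE DNAT/MASQUERADE/FORWARD rules with the `-J` typo fixed and restricted to the two tunnel endpoints, the host route onto the shared bridge that resolved the problem, and the TRACE rule Tomek suggested. The addresses, host names and bridge interface are placeholder arguments; setting DRY_RUN=1 only prints the commands instead of running them as root.

```shell
#!/bin/sh
# Added example: configure natrelayhost as a GRE relay between two tunnel
# endpoints. All names/addresses are placeholders passed as arguments.
set -eu

# run CMD...: execute the command, or just print it when DRY_RUN is set.
run() {
    if [ "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# configure_gre_relay GREHOST_A NATRELAYHOST GREHOST_B BRIDGE_IF
configure_gre_relay() {
    a=$1 relay=$2 b=$3 br=$4

    # GRE has no ports, so NAT only works with the GRE conntrack/NAT helpers.
    # On newer kernels GRE NAT is built into nf_nat, so that modprobe may fail.
    run modprobe nf_conntrack_proto_gre
    run modprobe nf_nat_proto_gre || true
    run sysctl -w net.ipv4.ip_forward=1

    # The fix from the thread: a host route straight onto the shared bridge,
    # so the DNATed packet is not sent back out via the default gateway.
    run ip route replace "$b" dev "$br"

    # Debugging aid from the comments: TRACE in the raw table logs every
    # chain the packet traverses (look for "TRACE:" in the kernel log).
    run iptables -t raw -A PREROUTING -p gre -s "$a" -j TRACE

    # Rewrite the destination on ingress, then masquerade on egress so
    # grehostB replies to the relay rather than directly to grehostA.
    run iptables -t nat -A PREROUTING -p gre -s "$a" -d "$relay" \
        -j DNAT --to-destination "$b"
    run iptables -t nat -A POSTROUTING -p gre -d "$b" -j MASQUERADE

    # Forward only the relayed tunnel traffic: A->B, and tracked replies B->A.
    run iptables -A FORWARD -p gre -s "$a" -d "$b" -j ACCEPT
    run iptables -A FORWARD -p gre -s "$b" -d "$a" -m conntrack \
        --ctstate ESTABLISHED,RELATED -j ACCEPT
}
```

Run it as `DRY_RUN=1 sh relay.sh` first to review the exact commands; the reply rule works because conntrack reverses the DNAT/MASQUERADE on the return packets before they reach FORWARD.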
0 Answers