
So I have a VPS and Dedi server both running Debian 9.9.

139.99.x.x: VPS
139.89.x.x: DEDI

The Dedi server runs a game server but can't be directly accessible; I want to route all traffic through my VPS first (obviously to mask the IP of the game server).

I want to do this using a GRE tunnel. So on the dedi I did:

ip tunnel add gre1 mode gre remote 139.99.x.x local 139.89.x.x ttl 255
ip link set gre1 up
ip addr add 10.10.10.1/24 dev gre1

On the VPS:

ip tunnel add gre1 mode gre remote 139.89.x.x local 139.99.x.x ttl 255
ip link set gre1 up
ip addr add 10.10.10.2/24 dev gre1

This works, I can ping both ways. I've also enabled IP forwarding in sysctl.conf.

Now I want external traffic hitting the VPS at 139.99.x.x:27015 to go through the tunnel and hit 10.10.0.1:27015 on the DEDI.

So my attempt was this, which I got from another question here, on the VPS:

iptables -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 139.99.x.x --dports 27015 -j DNAT --to-destination 10.10.10.1
iptables -t nat -A POSTROUTING -o gre1 -p tcp -m tcp -m multiport -d 10.10.10.1 --dports 27015 -j SNAT --to-source 10.10.10.2

Can anybody provide me with a working example?

Thanks!

2 Answers


I am having this same issue. I can ping between the tunnel locations and the ports show to be open. I am still unable to accept inbound traffic from the internet to my tunnel server. tcpdump -i tun0 is not showing any traffic when I try to ping the IP from my personal computer. I have tried adding any number of iptables and firewalld rules to no avail. Any help would be ideal.

Here is the IP tables rule I just added:

iptables -A INPUT -i tun0 -p tcp --dport 25

And port 25 is not responding from an external source: Host is up.

PORT   STATE    SERVICE
25/tcp filtered smtp


Your setup is correct and all should work. For any issues, use these steps to troubleshoot problems:

  1. Check the iptables rule counters in the nat table with the iptables-save -c -t nat command. The counters of the rules should be non-zero. The order of rules is important if you have other rules in the nat table.

  2. If the counters are zero, run tcpdump to ensure there is incoming traffic.

  3. Also, you should allow forwarded packets in the firewall. The universal rule to do it: iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT.

  4. Run tcpdump on the DEDI server (tcpdump -ni gre1) to ensure there are redirected packets from the VPS.

  5. On the VPS you should allow incoming packets: iptables -A INPUT -i gre1 -p tcp --dport 27015 -j ACCEPT.

P.S. Ensure that your game server uses TCP. Most games use UDP because it's more suitable for gaming.

Anton Danilov
  • So yes tcp seems to work but my game server can only use UDP. Are you saying UDP is not supported? Also, I have connection tracking disabled on my UDP game server ports. This is because a ddos overloads my CPU and fills up the connection tracking table after which connections are blocked, so I can't afford to enable connection tracking on my game server ports. Or is connection tracking an absolute requirement? Thanks! – Martijn Kools Jun 20 '19 at 18:19
  • I've mentioned `udp` because you specified `tcp` in your iptables rules, and it seemed suspicious. The conntrack is required to use `DNAT` and `SNAT`. – Anton Danilov Jun 20 '19 at 19:58
  • Instead of disabling conntrack for UDP gaming ports, try increasing the conntrack table size; it should decrease CPU load. – Anton Danilov Jun 21 '19 at 06:47
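As an added example that is not from the question or either answer: a small POSIX shell script that generates the VPS-side rules for forwarding one port over gre1 (covering UDP as well as TCP, since the comments settle on UDP) and implements troubleshooting step 1 by listing NAT rules whose packet counter is still zero. The public address 139.99.0.1 is a placeholder for the VPS IP, the tunnel addresses follow the question, and the iptables-save sample is constructed.

```shell
#!/bin/sh
# Added example, not code from the question or the answers.
# Placeholder VPS public IP: 139.99.0.1 (the page only gives 139.99.x.x).

# Print the VPS rules for one forwarded port and protocol (tcp or udp).
# DNAT rewrites only the address, so the destination port is preserved.
# SNAT to the VPS tunnel address makes the dedi answer via gre1 instead of
# replying from its own public interface (which would expose its IP).
# DNAT/SNAT rely on conntrack, so this port must not be excluded from
# tracking with a NOTRACK rule, as the comments on the answer point out.
vps_forward_rules() {
    pub="$1"; vps_tun="$2"; dedi_tun="$3"; port="$4"; proto="$5"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d $pub -p $proto --dport $port -j DNAT --to-destination $dedi_tun
iptables -t nat -A POSTROUTING -o gre1 -d $dedi_tun -p $proto --dport $port -j SNAT --to-source $vps_tun
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT
EOF
}

# Troubleshooting step 1 from the answer: pipe in the output of
# "iptables-save -c -t nat" ("[packets:bytes] -A CHAIN ...") and this prints
# every PREROUTING/POSTROUTING rule that has never matched a packet.
unmatched_nat_rules() {
    awk '/^\[[0-9]+:[0-9]+\] -A (PREROUTING|POSTROUTING)/ {
            split(substr($1, 2, length($1) - 2), c, ":")
            if (c[1] + 0 == 0) { $1 = ""; sub(/^ /, ""); print }
        }'
}

# Constructed sample of "iptables-save -c -t nat" output: the DNAT rule has
# never matched (counter 0), the SNAT rule has seen 42 packets.
SAMPLE='[0:0] -A PREROUTING -d 139.99.0.1/32 -p udp -m udp --dport 27015 -j DNAT --to-destination 10.10.10.1
[42:5040] -A POSTROUTING -o gre1 -d 10.10.10.1/32 -p udp -m udp --dport 27015 -j SNAT --to-source 10.10.10.2'

# Demonstration: emit the rule set, then flag the rule that never matched.
vps_forward_rules 139.99.0.1 10.10.10.2 10.10.10.1 27015 udp
printf '%s\n' "$SAMPLE" | unmatched_nat_rules
```

A zero counter on the PREROUTING rule means the packets never reached the nat table on the public interface, which is the case to investigate with tcpdump on the VPS before looking at the tunnel.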