I have two Linux servers. I want to use a GRE tunnel to route all internet traffic from ClientBox through a tunnel to GatewayBox, so that, to the rest of the internet, my ClientBox appears to be GatewayBox, and so that I can use GatewayBox's external IP for all of ClientBox's internet use. I have set up a GRE tunnel between them (a proxy would not work for my specific needs).
My GRE tunnel works! I can ping both ends.
Now I need to configure GatewayBox to actually route those incoming connections from ClientBox to the internet and back to ClientBox. So I ran the following script:
#!/bin/bash
IPTABLES=/sbin/iptables
WANIF='ens3' # servers from this company use ens3 instead of eth0, it seems
LANIF='gre1' # both boxes have the gre tunnel set up as gre1
# enable ip forwarding in the kernel
echo 'Enabling Kernel IP forwarding...'
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
# flush rules and delete chains (the nat table too, otherwise every re-run
# appends another pair of MASQUERADE rules next to the old ones)
echo 'Flushing rules and deleting existing chains...'
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
# enable masquerading to allow LAN internet access
echo 'Enabling IP Masquerading and other rules...'
# rewrite the source address of anything leaving on the tunnel interface
$IPTABLES -t nat -A POSTROUTING -o $LANIF -j MASQUERADE
# tunnel -> WAN: replies to existing flows, plus everything else (rule below)
$IPTABLES -A FORWARD -i $LANIF -o $WANIF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $WANIF -o $LANIF -j ACCEPT
# rewrite the source address of anything leaving on the WAN interface
$IPTABLES -t nat -A POSTROUTING -o $WANIF -j MASQUERADE
# WAN -> tunnel: replies to existing flows, plus everything else (rule below)
$IPTABLES -A FORWARD -i $WANIF -o $LANIF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $LANIF -o $WANIF -j ACCEPT
echo 'Done.'
Then on ClientBox, I execute:
$ curl whatismyip.com --interface gre1
and I can see the FORWARD packet and the POSTROUTING packet counts increasing on GatewayBox. But curl on ClientBox never receives a response and eventually times out.
So either the traffic is not routing back successfully between the two boxes, or it's never making it to the internet at all. To see which is the case, I set up a sample test server and a PHP file that writes to a file if it gets any hits/traffic. It doesn't write anything when I try the curl command from ClientBox. But when I test it from my laptop, it acknowledges the hit/traffic.
So the traffic is never getting to the internet.
Here is the configuration of GatewayBox: (scroll down)
# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 56:00:02:2f:e2:ce brd ff:ff:ff:ff:ff:ff
inet 95.179.179.240/23 brd 95.179.179.255 scope global dynamic ens3
valid_lft 79871sec preferred_lft 79871sec
inet6 fe80::5400:2ff:fe2f:e2ce/64 scope link
valid_lft forever preferred_lft forever
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
link/gre 0.0.0.0 brd 0.0.0.0
4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
6: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000
link/gre 95.179.179.240 peer 155.138.239.111
inet 10.10.10.2/24 scope global gre1
valid_lft forever preferred_lft forever
inet6 fe80::200:5efe:5fb3:b3f0/64 scope link
valid_lft forever preferred_lft forever
# ip route show
default via 95.179.178.1 dev ens3 proto dhcp metric 100
10.10.10.0/24 dev gre1 proto kernel scope link src 10.10.10.2
95.179.178.0/23 dev ens3 proto kernel scope link src 95.179.179.240
155.138.239.111 dev ens3 scope link
169.254.169.254 via 95.179.178.1 dev ens3 proto dhcp metric 100
# curl ipinfo.io --interface ens3
{
"ip": "95.179.179.240",
"hostname": "95.179.179.240.vultr.com",
"city": "Haarlem",
"region": "North Holland",
"country": "NL",
"loc": "52.3902,4.6568",
"org": "AS20473 Choopa, LLC",
"postal": "2031",
"timezone": "Europe/Amsterdam",
"readme": "https://ipinfo.io/missingauth"
}
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
MASQUERADE all -- anywhere anywhere
Any idea how I can get this working?
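The following is an added example and not part of the question or of any answer to it. It shows two things a practitioner would want here. First, a tighter version of the GatewayBox rule set: the posted script leaves FORWARD at policy ACCEPT with unconditional ACCEPT rules in both directions and masquerades in both directions, so anything that reaches GatewayBox on either interface is forwarded and NATed, and nothing limits who may send GRE to it (GRE itself carries no authentication, so the source-IP check below is only a sanity filter, not a security boundary; wrap the tunnel in IPsec or WireGuard if that matters). Second, the ClientBox side that the question never shows: binding curl to gre1 selects a source address but adds no route, so packets for internet destinations have to be steered into the tunnel explicitly while the GRE carrier packets keep leaving over ens3. Addresses are taken from the question; ClientBox's tunnel address 10.10.10.1, its upstream gateway CLIENT_GW, the APPLY switch and all function names are assumptions of this example. Commands are printed by default and only executed with APPLY=1, so the rule set can be reviewed before it touches a live box.

```shell
#!/bin/bash
# Added example (not the questioner's script). Assumes the addresses from the
# question: GatewayBox ens3 95.179.179.240 / gre1 10.10.10.2, ClientBox public
# IP 155.138.239.111. ClientBox's tunnel address 10.10.10.1 and its upstream
# gateway CLIENT_GW are assumptions; the question does not show them.
set -eu

WANIF=ens3
LANIF=gre1
TUNNET=10.10.10.0/24
GW_TUN_IP=10.10.10.2
GW_PUB=95.179.179.240
CLIENT_PUB=155.138.239.111
CLIENT_TUN_IP=10.10.10.1                 # assumed
CLIENT_GW=${CLIENT_GW:-192.0.2.1}        # assumed placeholder; set the real one

# Print every command; execute it only when APPLY=1.
run_cmd() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# GatewayBox: default-deny forwarding, NAT only for tunnel sources and only
# on the WAN side. Intended as a replacement for the script in the question.
gateway_rules() {
    run_cmd sysctl -w net.ipv4.ip_forward=1
    # flush nat as well: flushing only filter lets MASQUERADE rules pile up
    run_cmd iptables -F
    run_cmd iptables -X
    run_cmd iptables -t nat -F
    run_cmd iptables -t nat -X
    run_cmd iptables -P FORWARD DROP
    # refuse GRE from anyone but the known peer (source-IP only, spoofable)
    run_cmd iptables -A INPUT -i "$WANIF" -p gre ! -s "$CLIENT_PUB" -j DROP
    # tunnel -> internet: new and existing flows, but only from the tunnel subnet
    run_cmd iptables -A FORWARD -i "$LANIF" -o "$WANIF" -s "$TUNNET" -j ACCEPT
    # internet -> tunnel: replies only, nothing unsolicited reaches ClientBox
    run_cmd iptables -A FORWARD -i "$WANIF" -o "$LANIF" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # rewrite the source to GatewayBox's address only when leaving on ens3;
    # masquerading back into gre1 is never needed
    run_cmd iptables -t nat -A POSTROUTING -s "$TUNNET" -o "$WANIF" -j MASQUERADE
}

# ClientBox: traffic sourced from the tunnel address uses table 100, whose
# default route goes through gre1. The GRE carrier packets (source
# 155.138.239.111) keep using the main table and reach GatewayBox over ens3.
client_routes() {
    run_cmd ip route add "$GW_PUB" via "$CLIENT_GW" dev "$WANIF"
    run_cmd ip rule add from "$CLIENT_TUN_IP" lookup 100
    run_cmd ip route add default via "$GW_TUN_IP" dev "$LANIF" table 100
}

# To send everything from ClientBox through the tunnel, not just sockets bound
# to gre1, also replace the main default route; the host route to GW_PUB
# added above keeps the tunnel endpoint itself reachable over ens3.
client_routes_all() {
    client_routes
    run_cmd ip route replace default via "$GW_TUN_IP" dev "$LANIF"
}

case "${1:-}" in
    gateway)    gateway_rules ;;
    client)     client_routes ;;
    client-all) client_routes_all ;;
esac
```

Run `./tunnel-rules.sh gateway` on GatewayBox to review the commands, then `APPLY=1 ./tunnel-rules.sh gateway` to apply them; likewise `client` or `client-all` on ClientBox. After that, `curl --interface gre1 ipinfo.io` on ClientBox should report 95.179.179.240, and `iptables -L FORWARD -v` on GatewayBox should show the gre1-to-ens3 counter rising together with the RELATED,ESTABLISHED counter for the replies.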