gre_tunnel

Differences

This shows you the differences between two versions of the page.

gre_tunnel [2015/01/12 20:41]
El Rooted
gre_tunnel [2016/06/02 00:46] (current)
Francisco Dias
Line 1: Line 1:
 +//[This how-to tutorial was created by BuyVM. Please consider BuyVM for your [[http://​buyvm.net|OpenVZ and KVM VPS]] needs. We offer reliable VPS hosting at affordable rates with features other hosting companies don't have, like Anycast, DDoS filtering, Offloaded MySQL, and Stallion our control panel.]//
 +{{buyvm_logo.png?​300|}}
 +
 ====== Tutorial: GRE tunneling from your BuyVM DDoS Filtered VPS IP ====== ====== Tutorial: GRE tunneling from your BuyVM DDoS Filtered VPS IP ======
  
Line 12: Line 15:
  
 Don't have root access for your destination server or are running a huge Windows deployment? Check out our alternative method to [[redirect_traffic|redirect traffic]] to your remote server. Don't have root access for your destination server or are running a huge Windows deployment? Check out our alternative method to [[redirect_traffic|redirect traffic]] to your remote server.
- +  
- +**Note:** If you are tunneling to an OVH server, you most likely don't have GRE support in your kernel. You'll need to use a  [[ipip_tunnel|IPIP tunnel]] instead. 
 + 
 ==== GRE Tunnel How-to Tutorial Begins Here ===== ==== GRE Tunnel How-to Tutorial Begins Here =====
  
Line 48: Line 51:
 echo '​net.ipv4.ip_forward=1'​ >> /​etc/​sysctl.conf echo '​net.ipv4.ip_forward=1'​ >> /​etc/​sysctl.conf
 sysctl -p sysctl -p
-iptunnel add gre1 mode gre local YOUR_FILTERED_IP ​remote DESTINATION_SERVER_IP ttl 255+iptunnel add gre1 mode gre local YOUR_UNFILTERED_IP ​remote DESTINATION_SERVER_IP ttl 255
 ip addr add 192.168.168.1/​30 dev gre1 ip addr add 192.168.168.1/​30 dev gre1
 ip link set gre1 up ip link set gre1 up
Line 56: Line 59:
  
 <​code>​ <​code>​
-iptunnel add gre1 mode gre local DESTINATION_SERVER_IP remote ​YOUR_FILTERED_IP ​ttl 255+iptunnel add gre1 mode gre local DESTINATION_SERVER_IP remote ​YOUR_UNFILTERED_IP ​ttl 255
 ip addr add 192.168.168.2/​30 dev gre1 ip addr add 192.168.168.2/​30 dev gre1
 ip link set gre1 up ip link set gre1 up
 </​code>​ </​code>​
 +
 +You will always want to form your GRE with your **unfiltered** IP address for all GRE tunnels to make sure you don't run into any sort of MTU issues or trigger the DDOS protection.
  
 Please note the first line of each changes to mark what IP to use locally and which remotely. The 2nd line documents each end point. In a /30, 2 IP's are usable: .1 and .2. Please note the first line of each changes to mark what IP to use locally and which remotely. The 2nd line documents each end point. In a /30, 2 IP's are usable: .1 and .2.
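Review bot: The tunnel commands now use YOUR_UNFILTERED_IP while the SNAT and DNAT rules further down still use YOUR_FILTERED_IP, and nothing in this change defines the two placeholders or says where to find each address. The added sentence explaining the choice also sits after the second code block, although the first block (run on the BuyVM VPS) already uses the new placeholder. Suggest moving that sentence above the first block and adding one line that defines both placeholders. Readers who built gre1 from the previous revision should also be told to remove the old tunnel on both ends before re-adding it with the unfiltered address, since the tunnel name gre1 is unchanged and a second "iptunnel add gre1" will not replace it.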
Line 90: Line 95:
 On your BuyVM VPS run the following command: On your BuyVM VPS run the following command:
 <​code>​ <​code>​
-iptables -t nat -A POSTROUTING -s 192.168.168.0/​30 -j SNAT --to-source YOUR_FILTERED_IP+iptables -t nat -A POSTROUTING -s 192.168.168.0/​30 ​! -o gre+ -j SNAT --to-source YOUR_FILTERED_IP
 </​code>​ </​code>​
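Review bot: The SNAT rule is still appended with -A, so anyone who applied the previous revision keeps the old rule without "! -o gre+" ahead of the new one, and the old rule matches first. The page should tell existing users to delete the old rule (same arguments with -D) before adding this one. One sentence on why GRE interfaces are excluded would also help: traffic from 192.168.168.0/30 that leaves through the tunnel should keep its tunnel address instead of being rewritten to YOUR_FILTERED_IP.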
  
Line 108: Line 113:
 ===== Forwarding Ports Over your GRE Tunnel ===== ===== Forwarding Ports Over your GRE Tunnel =====
  
-A common use for filtered GRE tunnels is to protect gaming servers. In this example ​we'​ll ​use ''​port 25565''​ but you can change ​the port to fit your needs.+To make things easier, ​we'​ll ​forward all ports to the backend server. 
 + 
 +Run the following commands on your BuyVM VPS:
  
-Please adjust, and run the following commands on your BuyVM VPS: 
 <​code>​ <​code>​
-iptables -t nat -A PREROUTING ​-p tcp -d YOUR_FILTERED_IP ​--dport 25565 -j DNAT --to-destination 192.168.168.2:25565 +iptables -t nat -A PREROUTING -d YOUR_FILTERED_IP -j DNAT --to-destination 192.168.168.2 
-iptables -A FORWARD ​-p tcp -d 192.168.168.2 ​--dport 25565 -m state --state NEW,​ESTABLISHED,​RELATED -j ACCEPT+iptables -A FORWARD -d 192.168.168.2 -m state --state NEW,​ESTABLISHED,​RELATED -j ACCEPT
 </​code>​ </​code>​
 +
 +If you're wanting to get more specific, you could add:
 +
 +<​code>​
 +-p tcp --dport 25565
 +</​code> ​
 +
 +If you just wanted to protect a minecraft server for instance.
  
 The first rule sets up the actual port forwarding and the second rule makes sure that connections get NAT'd, and matched back properly. The first rule sets up the actual port forwarding and the second rule makes sure that connections get NAT'd, and matched back properly.
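Review bot: The new PREROUTING rule drops the "-p tcp --dport 25565" match, so every packet addressed to YOUR_FILTERED_IP is DNATed to 192.168.168.2 and the FORWARD rule accepts all of it; that exposes every listening service on the backend (SSH, databases, admin panels) and also redirects connections meant for the VPS itself on that IP, such as its own SSH, to the backend. Suggest keeping the port-restricted rules as the default and presenting forward-all as the option, or at least stating that the backend needs its own firewall when all ports are forwarded. The "-p tcp --dport 25565" fragment also needs a sentence saying it goes into both rules, before -j, and the trailing line "If you just wanted to protect a minecraft server for instance." is a fragment that should be joined to the sentence introducing the snippet.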
gre_tunnel.1421124076.txt.gz · Last modified: 2015/01/12 20:41 by El Rooted