October 18, 2013

Original (source): GRE tunnelling your filtered IP

Much like a proxy, a GRE tunnel allows you to pass traffic from your BuyVM VPS to another destination and provide it filtering.

GRE tunnels, though, will pass any traffic that's let through, not just HTTP.

This technique is very handy when you wish to use our filtering services to protect game servers hosted elsewhere that are too large to host with us.

Don't have root access to your destination server, or running some huge Windows deployment? Check out how to redirect traffic instead.

Supported Operating Systems

While it's possible to use Windows to create and forward your GRE tunnel, we'll only cover Linux. This guide will work 100% on both our KVM and OpenVZ based plans.

If you need to protect a Windows server, we recommend purchasing a KVM plan.

Prerequisites

  • iptables installed on your BuyVM VPS (included already in most cases)
  • iproute2 (included with pretty much every recent Linux distribution)
  • A kernel with GRE support (Linux includes this by default)
  • A list of ports you need forwarded to your destination
  • A BuyVM filtered IP ($3.00/m per IP. 209.141.38.x & 209.141.39.x are the current filtered subnets)

Setup

First and foremost, we need to set up the tunnel.

On your BuyVM VPS please execute the following commands:

echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
iptunnel add gre1 mode gre local YOUR_FILTERED_IP remote DESTINATION_SERVER_IP ttl 255
ip addr add 192.168.168.1/30 dev gre1
ip link set gre1 up

On the server you wish to protect:

iptunnel add gre1 mode gre local DESTINATION_SERVER_IP remote YOUR_FILTERED_IP ttl 255
ip addr add 192.168.168.2/30 dev gre1
ip link set gre1 up

Note that the first line on each side swaps which IP is local and which is remote. The second line assigns each endpoint its tunnel address. In a /30, two IPs are usable: .1 and .2.

Test the tunnel

On your BuyVM VPS, you should now be able to ping 192.168.168.2.

For the sake of completeness, test pinging 192.168.168.1 from your destination server.

Setup source route tables

Source route entries are required to make sure data that came in via the GRE tunnel is sent back out the GRE tunnel.

Please execute the following commands on the destination server.

echo '100 BUYVM' >> /etc/iproute2/rt_tables
ip rule add from 192.168.168.0/30 table BUYVM
ip route add default via 192.168.168.1 table BUYVM

Note that the echo only needs to be run once; the entry stays in that file until you remove it by hand.

Initial NAT entries

NAT is used to pass data over the GRE tunnel and out the other end. While it would be possible to use a KVM based VPS with a purchased /29 allocation, this guide doesn't cover that.

On your BuyVM VPS run the following command.

iptables -t nat -A POSTROUTING -s 192.168.168.0/30 -j SNAT --to-source YOUR_FILTERED_IP

Test outbound connections

On your destination server you can run either of the following commands to see if the tunnel is passing traffic properly.

curl http://www.cpanel.net/showip.cgi --interface 192.168.168.2
wget http://www.cpanel.net/showip.cgi --bind-address=192.168.168.2 -q -O -

The IP printed should be your BuyVM filtered IP.

Forwarding ports

A common use for filtered GRE tunnels is to protect game servers. In this example we'll use port 25565, but you can change it to whatever you need.

Please adjust and run the following commands on your BuyVM VPS.

iptables -t nat -A PREROUTING -p tcp -d YOUR_FILTERED_IP --dport 25565 -j DNAT --to-destination 192.168.168.2:25565
iptables -A FORWARD -p tcp -d 192.168.168.2 --dport 25565 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

The first rule sets up the actual port forwarding, whereas the second rule makes sure the forwarded connections are accepted and matched back properly.

At this point you should be able to connect to YOUR_FILTERED_IP and the destination port with the application in question and get passed through without issue.

Auto initializing on reboot

You can edit /etc/rc.local with your editor of choice (or even WinSCP) and place all the commands we just ran before the exit 0 at the bottom.

Your distribution (Debian, for example) may have hooks in /etc/network/interfaces to bring up GRE tunnels at boot time, but that's outside the scope of this guide.
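Pasting the commands above into /etc/rc.local verbatim works, but every re-run appends another copy of each iptables rule and fails on the already-existing gre1. The script below is an added example, not code from the BuyVM guide: it wraps the BuyVM-side steps (tunnel, forwarding, SNAT, DNAT/FORWARD) so they can be run repeatedly, and forwards a list of ports over both TCP and UDP rather than the single TCP port shown above. FILTERED_IP, DEST_IP, PORTS and DRY_RUN are assumed environment variables, and the two default IPs are RFC 5737 documentation placeholders.

```shell
#!/bin/sh
# Added example, not the original guide's code: idempotent BuyVM-side setup that
# can be re-run from /etc/rc.local without stacking duplicate iptables rules.
FILTERED_IP="${FILTERED_IP:-203.0.113.10}"   # your BuyVM filtered IP (placeholder)
DEST_IP="${DEST_IP:-198.51.100.20}"          # the server you are protecting (placeholder)
TUN_NET="192.168.168.0/30"                   # tunnel /30 from the guide
TUN_PEER="192.168.168.2"                     # destination server's tunnel address
DRY_RUN="${DRY_RUN:-0}"                      # DRY_RUN=1 prints commands instead of running them
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# add_rule [-t TABLE] CHAIN MATCH...: append a rule only if an identical one is
# not already present (iptables -C), so every reboot does not add another copy.
add_rule() {
    table=""
    if [ "$1" = "-t" ]; then table="-t $2"; shift 2; fi
    chain="$1"; shift
    if [ "$DRY_RUN" = 1 ]; then echo iptables $table -A "$chain" "$@"; return; fi
    iptables $table -C "$chain" "$@" 2>/dev/null || iptables $table -A "$chain" "$@"
}

setup_tunnel() {
    run sysctl -w net.ipv4.ip_forward=1
    # Create gre1 only if it does not exist yet ("ip tunnel" is the iproute2
    # spelling of the guide's iptunnel command).
    if [ "$DRY_RUN" = 1 ] || ! ip link show gre1 >/dev/null 2>&1; then
        run ip tunnel add gre1 mode gre local "$FILTERED_IP" remote "$DEST_IP" ttl 255
        run ip addr add 192.168.168.1/30 dev gre1
        run ip link set gre1 up
    fi
    # Traffic coming back through the tunnel leaves with the filtered IP as source.
    add_rule -t nat POSTROUTING -s "$TUN_NET" -j SNAT --to-source "$FILTERED_IP"
}

# forward_port PROTO PORT: DNAT inbound PROTO/PORT on the filtered IP to the
# tunnel peer, and accept only that traffic in FORWARD.
forward_port() {
    add_rule -t nat PREROUTING -p "$1" -d "$FILTERED_IP" --dport "$2" \
        -j DNAT --to-destination "$TUN_PEER:$2"
    add_rule FORWARD -p "$1" -d "$TUN_PEER" --dport "$2" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

main() {
    setup_tunnel
    # Game servers usually need UDP as well as TCP, so forward both.
    for port in $PORTS; do forward_port tcp "$port"; forward_port udp "$port"; done
}
if [ -n "$PORTS" ]; then main; fi
```

Review the generated commands first with `PORTS='25565' DRY_RUN=1 sh gre_setup.sh`, then drop the same invocation (without DRY_RUN) into /etc/rc.local.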
