Linux – Gre Tunnel Cisco Linux traffic forwarding

ciscogreiptableslinuxtunneling

I setup a gre tunnel a cisco router and a Linux machine, the tunnel interface in the Linux box named pic.
Well i have to forward traffic coming from cisco through the Linux box.
the rules i've set in the Linux box is described as follow:


echo "1" > /proc/sys/net/ipv4/ip_forward
iptables  -A INPUT -p 47 -j ACCEPT
iptables  -A FORWARD -i ppp0 -j ACCEPT
iptables  -A FORWARD -i pic  -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables  -A FORWARD -i ppp0 -o pic -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables  -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

I see the traffic coming from tunnel and forwarded to internet but no reply from sent packet.

May i miss something like a routing rule.

Best Answer

Assuming that you don't have any rules in the firewall, and the default policy for INPUT, OUTPUT and FORWARD chains is ACCEPT, then you only need the line that enables ip forwarding and the MASQUERADE and it should work.

If you already have rules in the firewall, then post them here with iptables --list -v -n and iptables -t nat --list -v -n so we can understand the entire setup.

In a nutshell, you should:

enable ip forwarding (as you did with the first line)
enable SNAT or MASQUERADING (as you did with the last line)
allow the gre protocol in the INPUT chain
allow NEW connections from pic to ppp0 in the FORWARD chain
allow RELATED,ESTABLISHED connections from ppp0 to pic in the FORWARD chain

Related Solutions

Linux – Source nating into GRE tunnel

If I read your question correctly, you want port 80 traffic to go down your tunnel. This isn't done with SNAT, but with policy routing.

First we need to set up a new routing table:

# echo "2  tunnel" >> /etc/iproute2/rt_tables

Next we need to set up the routing table to send all traffic via the tunnel:

# ip route add default via 172.16.1.2 dev gre1 table tunnel

Now we need to make some traffic use that routing table rather than the default routing table. This is done by marking the packets and then adding a rule to use the specified table for those marked packets:

# iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --mark 200
# ip rule add fwmark 200 table tunnel

Replace OUTPUT with FORWARD if you want traffic being forwarded being sent down the tunnel. This only works for locally generated traffic with OUTPUT.

You can find more information in the Linux Advanced Routing and Traffic Control (LARTC) guide.

Linux – iptables port forward forwarding

You're sending the traffic to 10.52.208.221. Given the config you posted, your problem is the webserver, not the firewall. Your rules look to be correct. FORWARD and INPUT are redirected to RH-Firewall-1-INPUT where your first rule is to allow all traffic. As somebody else pointed out, you could be allowing all traffic on eth1, while the world is actually coming in eth0. Secondary, you have to NAT the traffic as it goes back out to the world

iptables --table nat --append POSTROUTING --proto tcp --dport 80 --jump MASQUERADE -o OUT_INTERFACE

Your traffic originating from the router will never hit the input or forward chains, but instead traverse the output chain on to the webserver. Other systems in that subnet will similarly go directly to the webserver. Systems out on the world at large however will traverse the INPUT / FORWARD chains and need SNAT as well as DNAT so that it appears to the world to be one machine. You still cannot test from within your network. you must test from the opposite interface from the webserver. Get me your IP addresses and I'll point you to the proper configs.

Best Answer

Related Solutions

Linux – Source nating into GRE tunnel

Linux – iptables port forward forwarding

Related Topic