NAT GRE Over Linux Router – How to Configure IP Protocol 47


I have a host that has a permanent static GRE tunnel to a server on the Internet. Right now the host has its own real IP address. I want to put the host behind a Linux box (Smoothwall), and assign it a private IP address.

Let's call:
tunnel-server-ip = the IP of the end of the tunnel the host is connecting to (on the internet)
real-ip = the real IP currently used by the host, that I want to assign to the Linux router
false-ip = the IP the host will get after it is put behind the Linux firewall

This is what I think I have to do for the tunnel to work:

  1. DNAT all incoming IP GRE packets on the external interface coming from the internet tunnel end, and send them to the host. That is, change the destination from real-ip to false-ip and send the packet to false-ip.
  2. SNAT all incoming IP GRE packets on the internal interface coming from the host so they appear to be generated by the Linux box, and send them to the tunnel server. That is, change the source field from false-ip to real-ip and send the packet to tunnel-server-ip.

I came up with the following script:

tunnel_server_ip=217.x.x.x
false_ip=192.168.2.2
real_ip=82.x.x.x
/sbin/iptables -A PREROUTING -p 47 --src $tunnel_server_ip -j DNAT --to-destination $false_ip 
/sbin/iptables -A POSTROUTING -p 47 --src $false_ip -j SNAT --to-source $real_ip    
/sbin/iptables -A INPUT -p 47 -j ACCEPT

Running this results in "No chain/target/match by that name."
Could you please tell me what I did wrong? Am I on the right track?

Best Answer

You forgot the -t nat table switch in the PREROUTING/POSTROUTING instructions. Just add it at the front.
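
Added example, not part of the original question or answer: the rule set with `-t nat` in place, narrowed to the one tunnel peer, with the filter rules moved to FORWARD because DNAT-ed packets are routed through the box rather than delivered to it. The addresses 203.0.113.10 and 198.51.100.20 are constructed placeholders for the elided ones, and the function names `gre_nat_rules` and `run_rules` are hypothetical.

```shell
#!/bin/sh
# Added example: emit the NAT and filter rules for a GRE (IP protocol 47)
# tunnel whose client sits behind this router. Prints by default; set
# APPLY=1 and run as root to execute the commands.

# Constructed placeholder addresses (RFC 5737 documentation ranges); the
# page elides the real ones. FALSE_IP is the value from the question.
TUNNEL_SERVER_IP="${TUNNEL_SERVER_IP:-203.0.113.10}"
REAL_IP="${REAL_IP:-198.51.100.20}"
FALSE_IP="${FALSE_IP:-192.168.2.2}"

# gre_nat_rules <tunnel_server_ip> <real_ip> <false_ip>
# Writes one iptables command per line to stdout.
gre_nat_rules() {
    srv=$1 real=$2 host=$3
    # NAT rules live in the nat table, so -t nat is required; without it
    # iptables looks for PREROUTING/POSTROUTING in the filter table.
    echo "/sbin/iptables -t nat -A PREROUTING -p 47 -s $srv -d $real -j DNAT --to-destination $host"
    echo "/sbin/iptables -t nat -A POSTROUTING -p 47 -s $host -d $srv -j SNAT --to-source $real"
    # After DNAT the packets are routed through FORWARD, not INPUT, so
    # permit only this one peer pair instead of accepting GRE from anyone.
    echo "/sbin/iptables -A FORWARD -p 47 -s $srv -d $host -j ACCEPT"
    echo "/sbin/iptables -A FORWARD -p 47 -s $host -d $srv -j ACCEPT"
}

# run_rules: print each command, and execute it only when APPLY=1.
run_rules() {
    gre_nat_rules "$@" | while IFS= read -r cmd; do
        echo "$cmd"
        if [ "${APPLY:-0}" = "1" ]; then
            $cmd || exit 1
        fi
    done
}

run_rules "$TUNNEL_SERVER_IP" "$REAL_IP" "$FALSE_IP"
```

The question's `INPUT -p 47 -j ACCEPT` rule is left out on purpose: it only matters for GRE addressed to the router itself, and it would accept that traffic from any source.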
