The experience of setting up GRE Tunneling

Discussion in 'Mail Chat' started by mrlucky123, Jan 28, 2014.

  1. mrlucky123

    mrlucky123 Member

    Joined:
    May 4, 2012
    Messages:
    182
    Likes Received:
    7
    Trophy Points:
    18
    First of all, I would like to give thanks to nickphx and noobking for helping me out while I'm setting up the GRE Tunnel, also the previous thread of red about GRE Tunnel.

    This is what I have learned while setting up GRE on centos.

    Make sure on Master
    -Turn off iptables
    -Turn off rp.filter (all of them)
    -Turn on ip_forward
    -Turn on proxy_arp (all of them)
    -Make sure the private ip of master is a /30 and on the same subnet with slave (my case is I always use 10.0.1.1/30)
    -In case you have multiple ethernet ports (eth0 or eth1), you must always set the slave's IPs on the eth port that is active (you can always check which port is active by enter "service network status")
    -Make sure you have added the slave's ip with /32 each (ie 5.6.7.8/32 , 5.6.7.9/32 , 5.6.7.10/32, etc)

    Make sure on Slave
    -Turn off iptables
    -Turn off rp.filter(all of them)
    -Turn on ip_forward
    -Turn on proxy_apr (all of them)
    -Make sure the subnet of the private IP on slave is the same subnet with master (I use 10.0.1.2/30)
    -make sure you have removed the slave's ip that you are adding to master.

    You can use each server to ping the private ip of the other server to test if the connection between the two have been made (this doesn't mean the public IPs of slave have been set correctly on master though).

    That's all I have learned so far, if any pro see anything that's missing, please jump in and help.

    Thanks
     
  2. docbrown

    docbrown Member

    Joined:
    Jan 4, 2013
    Messages:
    60
    Likes Received:
    14
    Trophy Points:
    8
    Turning off iptables is really not a good idea. You can run tunnels just fine with ipables ON and the appropriate rules.
     
  3. Daansen

    Daansen Member

    Joined:
    Aug 14, 2011
    Messages:
    84
    Likes Received:
    16
    Trophy Points:
    8
    Really? Could you share these settings?
     
  4. mrlucky123

    mrlucky123 Member

    Joined:
    May 4, 2012
    Messages:
    182
    Likes Received:
    7
    Trophy Points:
    18
    hahaha I know what you mean. I do have those in place with the production server, but for the purpose while I was learning to do it, I just disabled the firewall to make it easier for me.
     
  5. nickphx

    nickphx VIP

    Joined:
    Apr 2, 2011
    Messages:
    1,139
    Likes Received:
    363
    Trophy Points:
    83
    Gender:
    Male
    Location:
    guadalajara, chiuhuahua
    Why's that? Having iptables enabled on a server that's doing nothing more than tunneling traffic is just another layer of complexity,wasted cpu time and memory usage for connection tracking tables. With a properly configured server one does not need iptables..
     
  6. docbrown

    docbrown Member

    Joined:
    Jan 4, 2013
    Messages:
    60
    Likes Received:
    14
    Trophy Points:
    8
    Assumed his server was doing more than tunnelling...
     
  7. mrlucky123

    mrlucky123 Member

    Joined:
    May 4, 2012
    Messages:
    182
    Likes Received:
    7
    Trophy Points:
    18
    Not sure what you mean doing more than tunneling.
     
  8. docbrown

    docbrown Member

    Joined:
    Jan 4, 2013
    Messages:
    60
    Likes Received:
    14
    Trophy Points:
    8
    Running other services.
     
  9. mrlucky123

    mrlucky123 Member

    Joined:
    May 4, 2012
    Messages:
    182
    Likes Received:
    7
    Trophy Points:
    18
    Nahhh just tunneling.
     
  10. oshonikh

    oshonikh New Member

    Joined:
    Sep 10, 2013
    Messages:
    14
    Likes Received:
    1
    Trophy Points:
    3
    I agree with docbron.. It is better to use rule then turnoff..

    I think it is better to allow all incoming traffic between both tunnelled servers... May be like this.

    On master server...
    #iptables -A INPUT -s Slave_Server_IP -j ACCEPT

    On Slave Server...
    #iptables -A INPUT -s Master_Server_IP -j ACCEPT

    Put this rule on the top in rule list... This will allow all the incoming traffic from specific server...
     
  11. nickphx

    nickphx VIP

    Joined:
    Apr 2, 2011
    Messages:
    1,139
    Likes Received:
    363
    Trophy Points:
    83
    Gender:
    Male
    Location:
    guadalajara, chiuhuahua
    No. iptables is a useless piece of shit and relying on it for "security" is stupid. The rules you posted will not work and don't even begin to cover what is needed to allow tunneled traffic to pass.

    The "slave server" sends traffic to the remote hosts using the tunneled IP as the source address. This causes the ACK from the remote hosts to be sent to the tunnel server.. The tunnel server, following the configuration to 'route' the ips to the tunnel, will then forward the traffic over the tunnel to the slave. So having the rule to allow traffic FROM the slave won't cover it. If the iptables rules contain anything related to connection tracking, the traffic will be dropped because the firewall session tracking will have no record of the session as the session did not originate from the machine.

    iptables is a waste of resources and only adds an additional layer of complexity. A properly configured machine with recent updates and minimal services will run more efficiently and be much easier to maintain. But do whatever you want, if you enjoy wasting time troubleshooting shit caused by iptables more power to you.
     
  12. mrlucky123

    mrlucky123 Member

    Joined:
    May 4, 2012
    Messages:
    182
    Likes Received:
    7
    Trophy Points:
    18
    I have been testing tunneling last couple of days, and as nickphx said, I wouldn't agree more. Iptables has caused a bunch of problems to my master server because it couldn't connect to the slaves for God knows what reason and I had to manually login to the server to turn it off, so I have set the auto start up file to always disable iptables and set the watchers of my system to monitor the iptables to turn it off automatically every 45 minutes. As far as security concern, me and my guy are working on a close off security system that's as tight as a federal prison lol.
     
  13. guidito

    guidito VIP

    Joined:
    Mar 25, 2014
    Messages:
    57
    Likes Received:
    8
    Trophy Points:
    8
    Gender:
    Male
    Location:
    Buenos Aires, Argentina
    lol if you knew how to set up iptables you'd find out it's easy. GRE is IP protocol #4.
    btw gre only works with dedis you can't use openvz. there is anoher way that's much better.
     
  14. PushSend

    PushSend VIP

    Joined:
    Apr 12, 2011
    Messages:
    1,927
    Likes Received:
    141
    Trophy Points:
    63
    Location:
    Paradise
    You couldn't be any more wrong; you come in and lol @ someone then drop this ignorant tidbit of useless info in your first post....ya, buddy - you'll be fun to troll :thefinger:
     
  15. guidito

    guidito VIP

    Joined:
    Mar 25, 2014
    Messages:
    57
    Likes Received:
    8
    Trophy Points:
    8
    Gender:
    Male
    Location:
    Buenos Aires, Argentina
    yeah whatever it works for XEN and KVM, but again it doens't work for openvz
     
  16. guidito

    guidito VIP

    Joined:
    Mar 25, 2014
    Messages:
    57
    Likes Received:
    8
    Trophy Points:
    8
    Gender:
    Male
    Location:
    Buenos Aires, Argentina
    you're right #4 is IPIP, #47 is GRE. also kvm and xen work with GRE, but still most providers use openvz and gre doesn't work there. I shoulnd' post after 1AM lol
     
  17. nickphx

    nickphx VIP

    Joined:
    Apr 2, 2011
    Messages:
    1,139
    Likes Received:
    363
    Trophy Points:
    83
    Gender:
    Male
    Location:
    guadalajara, chiuhuahua
    gre can work on openvz regardless of tun/tap/gre module support. it's so easy a caveman could do it.
     
  18. nymailer

    nymailer VIP

    Joined:
    Feb 28, 2011
    Messages:
    200
    Likes Received:
    23
    Trophy Points:
    28
    Please elaborate, do you have to make some type of controller for openvz?
     
  19. guidito

    guidito VIP

    Joined:
    Mar 25, 2014
    Messages:
    57
    Likes Received:
    8
    Trophy Points:
    8
    Gender:
    Male
    Location:
    Buenos Aires, Argentina
    you can't install GRE on openvz if it's disabled by the provider.. the host blocks loading kernel modules on containers. and tun/tap is not the same as gre
     
  20. nickphx

    nickphx VIP

    Joined:
    Apr 2, 2011
    Messages:
    1,139
    Likes Received:
    363
    Trophy Points:
    83
    Gender:
    Male
    Location:
    guadalajara, chiuhuahua
    I am aware that a tun/tap device is not the same as a gre tunnel. However, the tun module is required to create the gre tunnel. So without the tun device you can not create a gre tunnel. But I'm sure you already knew that.

    I have developed a program that creates a gre tunnel without requiring the tun or gre modules. It works regardless of the host's settings. The tunnel will only fail if the host network does SPI, which I'm sure you already know all about so I will save the explanation.
     

Share This Page