The experience of setting up GRE Tunneling

Discussion in 'Mail Chat' started by mrlucky123, Jan 28, 2014.

  1. mrlucky123
    First of all, I would like to thank nickphx and noobking for helping me out while I was setting up the GRE tunnel, and also red's previous thread about GRE tunnels.

    This is what I have learned while setting up GRE on CentOS.

    Make sure on the master:
    -Turn off iptables
    -Turn off rp_filter (all of them)
    -Turn on ip_forward
    -Turn on proxy_arp (all of them)
    -Make sure the private IP of the master is a /30 and on the same subnet as the slave (in my case I always use 10.0.1.1/30)
    -In case you have multiple ethernet ports (eth0 or eth1), you must always set the slave's IPs on the eth port that is active (you can always check which port is active by entering "service network status")
    -Make sure you have added each of the slave's IPs as a /32 (i.e. 5.6.7.8/32, 5.6.7.9/32, 5.6.7.10/32, etc.)

    Make sure on the slave:
    -Turn off iptables
    -Turn off rp_filter (all of them)
    -Turn on ip_forward
    -Turn on proxy_arp (all of them)
    -Make sure the subnet of the private IP on the slave is the same subnet as the master (I use 10.0.1.2/30)
    -Make sure you have removed the slave's IP that you are adding to the master.

    You can use each server to ping the private IP of the other server to test whether the connection between the two has been made (this doesn't mean the public IPs of the slave have been set correctly on the master, though).

    That's all I have learned so far; if any pro sees anything that's missing, please jump in and help.

    Thanks
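The checklist in the post above, as an added example script that is not part of the original post: the sysctl settings it lists, the /30 tunnel addresses it uses, and one reading of the "slave's IPs as /32" step (on the master, each slave IP becomes a host route into the tunnel; on the slave, each becomes an address on the tunnel interface, with a policy route sending its traffic back through the master). All public addresses, the routed IPs, the interface name gre1 and CHECK_HOST are placeholders chosen for the example. With DRY_RUN=1 it prints the commands instead of executing them, which is also how it can be read without root.

```shell
#!/bin/sh
# Added example, not from the thread: the master/slave checklist as a script.
# Addresses are placeholders. DRY_RUN=1 prints each command instead of
# running it (running for real needs root and the ip_gre module).

MASTER_PUB="${MASTER_PUB:-192.0.2.1}"      # master's public IP (example)
SLAVE_PUB="${SLAVE_PUB:-198.51.100.2}"     # slave's public IP (example)
TUN_MASTER="${TUN_MASTER:-10.0.1.1}"       # /30 inside the tunnel, as in the post
TUN_SLAVE="${TUN_SLAVE:-10.0.1.2}"
ROUTED_IPS="${ROUTED_IPS:-203.0.113.10 203.0.113.11}"  # IPs handed to the slave (example)
TUN_DEV="${TUN_DEV:-gre1}"
CHECK_HOST="${CHECK_HOST:-192.0.2.254}"    # external host to ping from a routed IP (example)

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Both ends: forwarding on; reverse-path filtering off, because replies for the
# routed IPs enter on a different interface than the route to them points out
# of; proxy ARP on, so the master answers ARP for the routed IPs on its LAN.
sysctl_common() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w net.ipv4.conf.default.rp_filter=0
    run sysctl -w net.ipv4.conf.all.proxy_arp=1
    run sysctl -w net.ipv4.conf.default.proxy_arp=1
}

gre_master_setup() {
    sysctl_common
    run modprobe ip_gre
    run ip tunnel add "$TUN_DEV" mode gre local "$MASTER_PUB" remote "$SLAVE_PUB" ttl 255
    run ip addr add "$TUN_MASTER/30" dev "$TUN_DEV"
    run ip link set "$TUN_DEV" up
    # Each slave IP is a host route into the tunnel. It must not also be a
    # local address on the master, or the master would answer for it itself.
    for ip in $ROUTED_IPS; do
        run ip route add "$ip/32" via "$TUN_SLAVE" dev "$TUN_DEV"
    done
}

gre_slave_setup() {
    sysctl_common
    run modprobe ip_gre
    run ip tunnel add "$TUN_DEV" mode gre local "$SLAVE_PUB" remote "$MASTER_PUB" ttl 255
    run ip addr add "$TUN_SLAVE/30" dev "$TUN_DEV"
    run ip link set "$TUN_DEV" up
    # The routed IPs live on the slave's tunnel interface. Anything sourced from
    # them is sent back through the master (policy routing table 100), so the
    # slave's own default route is never used for that traffic.
    for ip in $ROUTED_IPS; do
        run ip addr add "$ip/32" dev "$TUN_DEV"
        run ip rule add from "$ip/32" table 100
    done
    run ip route add default via "$TUN_MASTER" dev "$TUN_DEV" table 100
}

# A ping across the /30 only proves the tunnel is up. A ping sourced from a
# routed IP also exercises the policy route and the master's forwarding.
gre_verify_slave() {
    run ping -c 3 -W 2 "$TUN_MASTER"
    for ip in $ROUTED_IPS; do
        run ip route get "$CHECK_HOST" from "$ip"
        run ping -c 3 -W 2 -I "$ip" "$CHECK_HOST"
    done
}

case "${1:-}" in
    master) gre_master_setup ;;
    slave)  gre_slave_setup ;;
    verify) gre_verify_slave ;;
    "") ;;
    *) echo "usage: $0 master|slave|verify" >&2; exit 2 ;;
esac
```

Run it as `DRY_RUN=1 sh gre.sh master` first and compare the printed commands against the interfaces and addresses of the real boxes; the `verify` step from the slave is the check the post says a plain /30 ping does not give you.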
     
  2. docbrown
    Turning off iptables is really not a good idea. You can run tunnels just fine with iptables ON and the appropriate rules.
     
  3. Daansen
    Really? Could you share these settings?
     
  4. mrlucky123
    Hahaha, I know what you mean. I do have those in place on the production server, but while I was learning to do it, I just disabled the firewall to make it easier for me.
     
  5. nickphx
    Why's that? Having iptables enabled on a server that's doing nothing more than tunneling traffic is just another layer of complexity, wasted CPU time and memory usage for connection tracking tables. With a properly configured server one does not need iptables.
     
  6. docbrown
    Assumed his server was doing more than tunnelling...
     
  7. mrlucky123
    Not sure what you mean doing more than tunneling.
     
  8. docbrown
    Running other services.
     
  9. mrlucky123
    Nahhh just tunneling.
     
  10. oshonikh
    I agree with docbrown. It is better to use rules than to turn it off.

    I think it is better to allow all incoming traffic between both tunnelled servers. Maybe like this.

    On the master server:
    # iptables -I INPUT 1 -s Slave_Server_IP -j ACCEPT   (-I INPUT 1 inserts at the top of the chain; -A would append at the end)

    On the slave server:
    # iptables -I INPUT 1 -s Master_Server_IP -j ACCEPT

    Put this rule at the top of the rule list. This will allow all incoming traffic from that specific server.
     
  11. nickphx
    No. iptables is a useless piece of shit and relying on it for "security" is stupid. The rules you posted will not work and don't even begin to cover what is needed to allow tunneled traffic to pass.

    The "slave server" sends traffic to the remote hosts using the tunneled IP as the source address. This causes the ACK from the remote hosts to be sent to the tunnel server. The tunnel server, following the configuration to 'route' the IPs to the tunnel, will then forward the traffic over the tunnel to the slave. So having the rule to allow traffic FROM the slave won't cover it. If the iptables rules contain anything related to connection tracking, the traffic will be dropped, because the firewall session tracking will have no record of the session, as the session did not originate from the machine.

    iptables is a waste of resources and only adds an additional layer of complexity. A properly configured machine with recent updates and minimal services will run more efficiently and be much easier to maintain. But do whatever you want; if you enjoy wasting time troubleshooting shit caused by iptables, more power to you.
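The traffic path described in the post above (replies for a routed IP reaching the master without the master having seen the outbound SYN) is what a per-source ACCEPT rule misses. As an added example, not the poster's or anyone else's configuration from the thread, here is a rule set that handles it by keeping the routed block out of connection tracking altogether (raw table, NOTRACK) and accepting it ahead of any state-matching rule, so conntrack never has to hold a record of these sessions. It also accepts the GRE encapsulation itself (IP protocol 47) only from the peer's real address. Addresses, the routed block and the interface names eth0/gre1 are placeholders; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: stateless iptables rules for a GRE
# tunnel endpoint whose routed IPs see asymmetric traffic. Placeholders
# throughout; DRY_RUN=1 prints the commands (running for real needs root).

MASTER_PUB="${MASTER_PUB:-192.0.2.1}"          # master's public IP (example)
SLAVE_PUB="${SLAVE_PUB:-198.51.100.2}"         # slave's public IP (example)
ROUTED_NET="${ROUTED_NET:-203.0.113.8/29}"     # block of IPs handed to the slave (example)
TUN_DEV="${TUN_DEV:-gre1}"
WAN_DEV="${WAN_DEV:-eth0}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

tunnel_firewall_master() {
    # GRE is IP protocol 47 and has no ports: accept it from the slave's
    # address only, so random hosts cannot inject packets into the tunnel.
    run iptables -I INPUT 1 -i "$WAN_DEV" -p 47 -s "$SLAVE_PUB" -j ACCEPT
    # Replies for the routed IPs arrive from the Internet with no conntrack
    # entry (the SYN left from the slave). A "-m state" rule would classify
    # them NEW or INVALID, so keep these flows out of conntrack entirely ...
    run iptables -t raw -I PREROUTING 1 -d "$ROUTED_NET" -j NOTRACK
    run iptables -t raw -I PREROUTING 1 -s "$ROUTED_NET" -j NOTRACK
    # ... and accept them in FORWARD, both directions, ahead of any state rule
    # (-I ... 1 puts them at the top; -A would append after the state rules).
    run iptables -I FORWARD 1 -i "$WAN_DEV" -o "$TUN_DEV" -d "$ROUTED_NET" -j ACCEPT
    run iptables -I FORWARD 1 -i "$TUN_DEV" -o "$WAN_DEV" -s "$ROUTED_NET" -j ACCEPT
    # Nothing else should be forwarded through a box that only terminates a tunnel.
    run iptables -P FORWARD DROP
}

tunnel_firewall_slave() {
    run iptables -I INPUT 1 -i "$WAN_DEV" -p 47 -s "$MASTER_PUB" -j ACCEPT
    # Decapsulated packets for the routed IPs arrive on gre1 as local traffic
    # and are equally unknown to conntrack, so exempt and accept them
    # explicitly. "-d ROUTED_NET" is a broad allow: narrow it with
    # -p tcp --dport ... to the services the routed IPs actually offer.
    run iptables -t raw -I PREROUTING 1 -i "$TUN_DEV" -j NOTRACK
    run iptables -t raw -I OUTPUT 1 -o "$TUN_DEV" -j NOTRACK
    run iptables -I INPUT 1 -i "$TUN_DEV" -d "$ROUTED_NET" -j ACCEPT
}

case "${1:-}" in
    master) tunnel_firewall_master ;;
    slave)  tunnel_firewall_slave ;;
    "") ;;
    *) echo "usage: $0 master|slave" >&2; exit 2 ;;
esac
```

Because the tunnel flows are untracked, they cost no conntrack table entries, which addresses the memory and CPU objection above while still letting the rest of the host keep a stateful policy; the FORWARD DROP policy is what a firewall adds over "no firewall" here.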
     
  12. mrlucky123
    I have been testing tunneling the last couple of days, and as nickphx said, I couldn't agree more. iptables has caused a bunch of problems for my master server because it couldn't connect to the slaves for God knows what reason and I had to manually log in to the server to turn it off, so I have set the auto-startup file to always disable iptables and set the watchers of my system to monitor iptables and turn it off automatically every 45 minutes. As far as security is concerned, my guy and I are working on a closed-off security system that's as tight as a federal prison lol.
     
  13. guidito
    lol, if you knew how to set up iptables you'd find out it's easy. GRE is IP protocol #4.
    BTW, GRE only works with dedis; you can't use OpenVZ. There is another way that's much better.
     
  14. PushSend
    You couldn't be any more wrong; you come in and lol @ someone, then drop this ignorant tidbit of useless info in your first post... ya, buddy, you'll be fun to troll.
     
  15. guidito
    Yeah, whatever, it works for Xen and KVM, but again it doesn't work for OpenVZ.
     
  16. guidito
    You're right, #4 is IPIP, #47 is GRE. Also KVM and Xen work with GRE, but still most providers use OpenVZ and GRE doesn't work there. I shouldn't post after 1 AM lol.
     
  17. nickphx
    GRE can work on OpenVZ regardless of tun/tap/gre module support. It's so easy a caveman could do it.
     
  18. nymailer
    Please elaborate; do you have to make some type of controller for OpenVZ?
     
  19. guidito
    You can't install GRE on OpenVZ if it's disabled by the provider; the host blocks loading kernel modules in containers. And tun/tap is not the same as GRE.
     
  20. nickphx
    I am aware that a tun/tap device is not the same as a GRE tunnel. However, the tun module is required to create the GRE tunnel. So without the tun device you cannot create a GRE tunnel. But I'm sure you already knew that.

    I have developed a program that creates a GRE tunnel without requiring the tun or gre modules. It works regardless of the host's settings. The tunnel will only fail if the host network does SPI, which I'm sure you already know all about, so I will save the explanation.
     
