Discussion:
GRE through NAT (linux iptables)
Bob George
2002-12-01 01:12:45 UTC
I'm trying to set up a GRE tunnel through a NAT gateway as follows:

1. External GRE traffic arriving on the external interface of gateway A
should be redirected to an inside interface on B. The GRE tunnel
endpoints are the remote system C and eth1 on B.

2. Traffic exiting machine A's external interface (eth1) should be NAT'd
to the external IP of that interface.

Hopefully this drawing will make everything clear:

           eth1 +---+ eth2      eth1 +---+
                |   | .254      .253 |   |
C --- INTERNET -+ A +----- DMZ ------+ B |
<external_ip>   |   | 172.16.23.0/24 |   |
                +---+                +---+
                  ^                    ^
                 NAT            tunnel endpoint
     <----- GRE TUNNEL ---------------->

I HAVE been able to:

* Create GRE tunnels between C-A, and A-B with no problems.
* Redirect other non-GRE inbound traffic on A eth1 to B eth1.
* Connect from B to external systems with TCP, UDP & ICMP.

I have tried various combinations of iptables configurations with no
luck so far with GRE. Here are the relevant parts of the configuration on A:

--- cut here --- cut here ---

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to
iptables -N eth1-in
iptables -A INPUT -i eth1 -j eth1-in

# NAT B traffic - THESE WORK
iptables -A eth1-in --protocol tcp -i eth1 --destination-port 8200:8202 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 --protocol tcp --destination-port 8200:8202 -j DNAT --to 172.16.23.253

# NAT inbound GRE traffic - THIS DOESN'T WORK
iptables -A eth1-in --protocol 47 -i eth1 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 --protocol 47 -j DNAT --to 172.16.23.253

--- cut here --- cut here ---

I have also configured A with basic rules NAT'ing all outbound traffic
of eth1, and setting ALLOW policies for FORWARD, INPUT and OUTPUT. I've
also tried removing the DNAT and SNAT rules for GRE in various
combinations. All other traffic worked well, but still no GRE.

I did some captures using tcpdump on both systems. I could see GRE
traffic coming in to eth1 on A, and ICMP responses from A to C
indicating "protocol unreachable." I never saw the outbound GRE traffic
going through NAT, though other outbound traffic from B was fine.

I've searched various howtos, and found numerous articles that make me
think it should work easily, yet I'm stumped. I'm curious if anyone has
successfully done GRE via NAT. Am I (hopefully) missing something obvious?

Thanks,

- Bob
Alex Ongena
2002-12-02 14:19:08 UTC
Hi,
1) What kernel version are you using?
2) Have you extended iptables with 'patch-o-matic' to include
PPTP connection tracking and PPTP NAT (http://www.netfilter.org)?
(It's not in the kernel by default.)

Best regards
Alex
Post by Bob George
1. External GRE traffic arriving on the external interface of gateway A
should be redirected to an inside interface on B. The GRE tunnel
endpoints are the remote system C and eth1 on B.
2. Traffic exiting machine A's external interface (eth1) should be NAT'd
to the external IP of that interface.
           eth1 +---+ eth2      eth1 +---+
                |   | .254      .253 |   |
C --- INTERNET -+ A +----- DMZ ------+ B |
<external_ip>   |   | 172.16.23.0/24 |   |
                +---+                +---+
                  ^                    ^
                 NAT            tunnel endpoint
     <----- GRE TUNNEL ---------------->
* Create GRE tunnels between C-A, and A-B with no problems.
* Redirect other non-GRE inbound traffic on A eth1 to B eth1.
* Connect from B to external systems with TCP, UDP & ICMP.
I have tried various combinations of iptables configurations with no
-- cut here -- cut here --
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to
iptables -N eth1-in
iptables -A INPUT -i eth1 -j eth1-in
# NAT B traffic - THESE WORK
iptables -A eth1-in --protocol tcp -i eth1 --destination-port 8200:8202 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 --protocol tcp --destination-port 8200:8202 -j DNAT --to 172.16.23.253
# NAT inbound GRE traffic - THIS DOESN'T WORK
iptables -A eth1-in --protocol 47 -i eth1 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 --protocol 47 -j DNAT --to 172.16.23.253
-- cut here -- cut here --
I have also configured A with basic rules NAT'ing all outbound traffic
of eth1, and setting ALLOW policies for FORWARD, INPUT and OUTPUT. I've
also tried removing the DNAT and SNAT rules for GRE in various
combinations. All other traffic worked well, but still no GRE.
I did some captures using tcpdump on both systems. I could see GRE
traffic coming in to eth1 on A, and ICMP responses from A to C
indicating "protocol unreachable." I never saw the outbound GRE traffic
going through NAT, though other outbound traffic from B was fine.
I've searched various howtos, and found numerous articles that make me
think it should work easily, yet I'm stumped. I'm curious if anyone has
successfully done GRE via NAT. Am I (hopefully) missing something obvious?
Thanks,
- Bob
_______________________________________________
firewall-wizards mailing list
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
--
**********************************************************
* Alex Ongena *
* Managing Director *
* *
* Secure Internet Communication *
* with UNI-Box and aXs Guard *
* *
* Able NV *
* Leuvensesteenweg 282 - B-3190 Boortmeerbeek - Belgium *
* Phone: + 32 15 50.44.00 - Fax: + 32 15 50.44.09 *
* E-Mail: ***@able.be *
* URL: http://www.able.be *
* *
**********************************************************
Eric Vyncke
2002-12-04 13:07:07 UTC
Even if I'm not an iptables specialist, here are two comments:
- GRE is IP protocol 47, so you cannot translate only on TCP/UDP ports
- be sure that C is defined to terminate the GRE tunnel on the external_ip

Else, it worked (but not with iptables)

Hope this helps

-eric
1. External GRE traffic arriving on the external interface of gateway A should be redirected to an inside interface on B. The GRE tunnel endpoints are the remote system C and eth1 on B.
2. Traffic exiting machine A's external interface (eth1) should be NAT'd to the external IP of that interface.
           eth1 +---+ eth2      eth1 +---+
                |   | .254      .253 |   |
C --- INTERNET -+ A +----- DMZ ------+ B |
<external_ip>   |   | 172.16.23.0/24 |   |
                +---+                +---+
                  ^                    ^
                 NAT            tunnel endpoint
     <----- GRE TUNNEL ---------------->
* Create GRE tunnels between C-A, and A-B with no problems.
* Redirect other non-GRE inbound traffic on A eth1 to B eth1.
* Connect from B to external systems with TCP, UDP & ICMP.
--- cut here --- cut here ---
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to
iptables -N eth1-in
iptables -A INPUT -i eth1 -j eth1-in
# NAT B traffic - THESE WORK
iptables -A eth1-in --protocol tcp -i eth1 --destination-port 8200:8202 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 --protocol tcp --destination-port 8200:8202 -j DNAT --to 172.16.23.253
# NAT inbound GRE traffic - THIS DOESN'T WORK
iptables -A eth1-in --protocol 47 -i eth1 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 --protocol 47 -j DNAT --to 172.16.23.253
--- cut here --- cut here ---
I have also configured A with basic rules NAT'ing all outbound traffic of eth1, and setting ALLOW policies for FORWARD, INPUT and OUTPUT. I've also tried removing the DNAT and SNAT rules for GRE in various combinations. All other traffic worked well, but still no GRE.
I did some captures using tcpdump on both systems. I could see GRE traffic coming in to eth1 on A, and ICMP responses from A to C indicating "protocol unreachable." I never saw the outbound GRE traffic going through NAT, though other outbound traffic from B was fine.
I've searched various howtos, and found numerous articles that make me think it should work easily, yet I'm stumped. I'm curious if anyone has successfully done GRE via NAT. Am I (hopefully) missing something obvious?
Thanks,
- Bob
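The following is an added example, not code from the thread or from any of its authors. It puts Alex's point (GRE is tracked and translated by the connection-tracking layer, which on old kernels needed the patch-o-matic PPTP/GRE helper) and Eric's two points (protocol 47 has no ports; C must terminate on A's external address) into a rule set for gateway A, and adds a small triage of tcpdump lines of the kind Bob describes. It also corrects one thing visible in the posted rules: a DNATed packet is forwarded rather than delivered locally, so it is judged by the FORWARD chain (policy DROP), not by the eth1-in chain hanging off INPUT. Assumptions: 192.0.2.10 stands in for <external_ip>; the module name nf_conntrack_pptp is the modern one, not the 2002 patch-o-matic name; the tcpdump lines are constructed, not a real capture. Commands are emitted through $IPT and $MODPROBE, which default to echo so the output can be reviewed without root.

```shell
#!/bin/sh
# Added example for the GRE-through-NAT thread; not the posters' own rules.
# Set IPT=iptables MODPROBE=modprobe to apply instead of printing.

EXT_IF=${EXT_IF:-eth1}                 # A's Internet-facing interface (thread)
DMZ_IF=${DMZ_IF:-eth2}                 # A's DMZ interface (thread)
EXT_IP=${EXT_IP:-192.0.2.10}           # placeholder for <external_ip>
GRE_HOST=${GRE_HOST:-172.16.23.253}    # B's eth1, the real tunnel endpoint (thread)
IPT=${IPT:-echo iptables}
MODPROBE=${MODPROBE:-echo modprobe}

gre_nat_rules() {
    # GRE carries no ports, so only a protocol match applies. Plain (unkeyed)
    # GRE is tracked by addresses alone; keyed GRE as used by PPTP needs the
    # PPTP/GRE conntrack helper Alex asks about. On current kernels loading
    # nf_conntrack_pptp pulls in GRE tracking (assumed module name; on 2.4 it
    # came from patch-o-matic).
    $MODPROBE nf_conntrack_pptp

    # Default-deny, as in the posted configuration.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Inbound: rewrite the destination of protocol-47 packets to B before
    # routing. Conntrack reverse-translates B's replies automatically.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p 47 -j DNAT --to-destination "$GRE_HOST"

    # After DNAT the packet is forwarded, so FORWARD must allow it, in both
    # directions, and only for the one DMZ endpoint.
    $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -p 47 -d "$GRE_HOST" -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -p 47 -s "$GRE_HOST" -j ACCEPT

    # Outbound: everything leaving eth1 carries A's public address, so C sees
    # a single peer, <external_ip>, which is the address C must terminate on.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
}

# Triage one tcpdump line taken on A's external interface. An ICMP
# "protocol 47 unreachable" sent by A means A handed the GRE packet to its
# own IP stack (no DNAT happened) and has no GRE receiver: the symptom in
# the thread. Inbound and outbound GRE are recognised by the outer header.
triage_capture_line() {
    case "$1" in
        *"IP $EXT_IP > "*"protocol 47 unreachable"*) echo "not-redirected" ;;
        *" > $EXT_IP: GREv"*)                        echo "gre-inbound" ;;
        *"IP $EXT_IP > "*": GREv"*)                  echo "gre-outbound" ;;
        *)                                           echo "other" ;;
    esac
}

# Constructed sample lines in tcpdump's text format (not a real capture).
SAMPLE_IN="12:00:00.000001 IP 198.51.100.7 > 192.0.2.10: GREv0, length 88: IP 10.1.1.2 > 10.1.1.1: ICMP echo request, id 1, seq 1, length 64"
SAMPLE_UNREACH="12:00:00.000123 IP 192.0.2.10 > 198.51.100.7: ICMP 192.0.2.10 protocol 47 unreachable, length 36"
SAMPLE_OUT="12:00:01.000004 IP 192.0.2.10 > 198.51.100.7: GREv0, length 88: IP 10.1.1.1 > 10.1.1.2: ICMP echo reply, id 1, seq 1, length 64"

# Dry run: print the rules, then classify the constructed capture lines.
gre_nat_rules
for line in "$SAMPLE_IN" "$SAMPLE_UNREACH" "$SAMPLE_OUT"; do
    printf '%-15s %s\n' "$(triage_capture_line "$line")" "${line%%, length*}"
done
```

Running it as shown prints the rules and labels the three sample lines gre-inbound, not-redirected and gre-outbound. A working redirection shows the first and third kinds on eth1 and GRE toward 172.16.23.253 on eth2; seeing the second kind means the PREROUTING rule never matched, which is the first thing to verify with `iptables -t nat -L PREROUTING -v` before looking at conntrack.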