How to make GRE tunnel iptables port redirect on Linux

Saturday, 20th August 2011

I’ve recently had to build a Linux server acting as a NAT router, with some other servers behind it.
One of the hosts behind the Linux router was running a Windows GRE encrypted tunnel (PPTP) service, which had to be reachable through the Internet IP address of the router.
In order to make the GRE tunnel accessible, a bit more than just adding a normal POSTROUTING DNAT rule and an iptables FORWARD rule is necessary.

As far as I’ve read online, there is quite a lot of confusion on the topic of how to properly configure GRE tunnel accessibility on Linux, so in this very quick tiny tutorial I’ll explain how I did it.

1. Load the ip_nat_pptp and ip_conntrack_pptp kernel modules

linux-router:~# modprobe ip_nat_pptp
linux-router:~# modprobe ip_conntrack_pptp

These two modules absolutely have to be loaded before the remote GRE tunnel can be properly accessed. I’ve seen many people complaining online that they can’t make the GRE tunnel work, and I suppose in many of the cases the reason for the failure is omitting to load these two kernel modules.

2. Make the ip_nat_pptp and ip_conntrack_pptp modules load at system boot time

linux-router:~# echo 'ip_nat_pptp' >> /etc/modules
linux-router:~# echo 'ip_conntrack_pptp' >> /etc/modules

3. Insert the necessary iptables PREROUTING rules to make the GRE tunnel traffic flow

linux-router:~# /sbin/iptables -t nat -A PREROUTING -d 111.222.223.224/32 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.1.3:1723
linux-router:~# /sbin/iptables -t nat -A PREROUTING -p gre -j DNAT --to-destination 192.168.1.3

In the above example rules it’s necessary to substitute the 111.222.223.224 IP address with the external Internet (real IP) address of the router.

Also, the IP address 192.168.1.3 is the internal IP address of the host where the GRE tunnel endpoint is located.

Next it’s necessary to:

4. Add an iptables FORWARD rule to let the GRE traffic through to the tunnel host

linux-router:~# /sbin/iptables -A FORWARD -p gre -j ACCEPT

Finally it’s necessary to make the above iptables rules permanent, by saving the current firewall with iptables-save or by adding them to the script which loads the host’s iptables firewall rules.
Another possible way is to add them to /etc/rc.local, though this is not recommended, as the rules would only be added after a successful boot, once all the rest of the init scripts have run and everything earlier in /etc/rc.local has loaded without errors.

Afterwards, access to the GRE tunnel on the local host 192.168.1.3 via port 1723 on the router’s IP 111.222.223.224 is possible.
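The four steps above as one reviewable script. This is an added example and not code from the original post: it loads the helper modules (trying the old module names from the post first, then the newer nf_conntrack_pptp/nf_nat_pptp names used by current kernels), persists them without appending duplicate lines to /etc/modules on every run, enables IP forwarding, and generates the PREROUTING/FORWARD rules with the "-t nat" that the DNAT target requires. It goes beyond the post in two places: the rules are pinned to the WAN interface and the public address so only traffic arriving from the Internet for that address is redirected, and a raw-table CT rule attaches the pptp helper explicitly, which kernels since 4.7 need because automatic helper assignment is disabled by default. EXT_IP, PPTP_HOST, WAN_IF and all function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: the post's four steps as one
# reviewable script. Assumed: a Debian-style box with the legacy iptables
# binary and /etc/modules; EXT_IP, PPTP_HOST and WAN_IF are placeholders.
EXT_IP="${EXT_IP:-111.222.223.224}"    # router's public address (value from the post)
PPTP_HOST="${PPTP_HOST:-192.168.1.3}"  # internal host running the PPTP/GRE service
WAN_IF="${WAN_IF:-eth0}"               # assumed name of the Internet-facing interface

# Reject anything that is not a dotted quad with octets 0-255, so an
# unsubstituted placeholder cannot turn into a rule that NATs the wrong host.
valid_ipv4() {
    addr="$1"
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.; set -- $addr; unset IFS
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Step 1: the conntrack/NAT helpers for PPTP. Kernels of the post's era name
# them ip_conntrack_pptp/ip_nat_pptp; kernels since about 2.6.20 name them
# nf_conntrack_pptp/nf_nat_pptp, so try the old pair and fall back to the new.
load_pptp_helpers() {
    for pair in "ip_conntrack_pptp ip_nat_pptp" "nf_conntrack_pptp nf_nat_pptp"; do
        ok=1
        for mod in $pair; do modprobe "$mod" 2>/dev/null || ok=0; done
        if [ "$ok" -eq 1 ]; then PPTP_MODULES="$pair"; return 0; fi
    done
    echo "no PPTP conntrack/NAT helper modules found" >&2
    return 1
}

# Step 2: persist the pair that actually loaded, without appending duplicates
# on every run (a plain >> would).
persist_pptp_helpers() {
    for mod in $PPTP_MODULES; do
        grep -qx "$mod" /etc/modules || echo "$mod" >> /etc/modules
    done
}

# Forwarding between interfaces is off by default; none of the rules below
# does anything without it.
ensure_ip_forward() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || sysctl -w net.ipv4.ip_forward=1
}

# Steps 3 and 4 as a rule generator (arguments: public IP, internal host, WAN
# interface). DNAT lives in the nat table, so "-t nat" is required. The raw-table
# CT rule attaches the pptp helper explicitly, which kernels since 4.7 need
# because automatic helper assignment (net.netfilter.nf_conntrack_helper) is off.
gre_rules() {
    ext="$1"; inner="$2"; wan="$3"
    cat <<EOF
iptables -t raw -A PREROUTING -i $wan -p tcp --dport 1723 -j CT --helper pptp
iptables -t nat -A PREROUTING -i $wan -d $ext/32 -p tcp --dport 1723 -j DNAT --to-destination $inner:1723
iptables -t nat -A PREROUTING -i $wan -d $ext/32 -p gre -j DNAT --to-destination $inner
iptables -A FORWARD -i $wan -d $inner -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i $wan -d $inner -p gre -j ACCEPT
iptables -A FORWARD -o $wan -s $inner -p gre -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# "show" prints the rules for review; "apply" loads helpers, enables forwarding
# and installs the rules. Save them afterwards with iptables-save, as the post says.
case "${1:-}" in
    show)
        gre_rules "$EXT_IP" "$PPTP_HOST" "$WAN_IF" ;;
    apply)
        valid_ipv4 "$EXT_IP" && valid_ipv4 "$PPTP_HOST" ||
            { echo "set EXT_IP and PPTP_HOST to real addresses first" >&2; exit 1; }
        load_pptp_helpers && persist_pptp_helpers
        ensure_ip_forward
        gre_rules "$EXT_IP" "$PPTP_HOST" "$WAN_IF" | sh -e ;;
esac
```

Run "sh gre-nat.sh show" to review the generated rules and "sh gre-nat.sh apply" as root to install them, then make them permanent with iptables-save as described above. To confirm the redirect is actually being hit, "iptables -t nat -L PREROUTING -v -n" shows the packet counters on the two DNAT rules; if the tcp/1723 counter grows but the gre counter stays at zero, the helper modules are the first thing to check.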
Hope this is helpful. Cheers 😉


6 Responses to “How to make GRE tunnel iptables port redirect on Linux”

  1. febcrash says:

    Thanks a lot for this useful post.

    You’ve just made a little mistake on the “linux-router:~# modpribe ip_conntrack_pptp” line.
    It’s “modprobe”, not “modpribe”.

  2. Johnny says:

    Hi.
    Help me with an opinion.
    When I launch service iptables stop,
    the connection between 2 Windows VPNs works;
    when I start it, the connection drops.
    So in general my rules look like:
     
    # Clear rules
    iptables -t filter -F
    iptables -t filter -X
    echo - Clear rules : [OK]
     
    # Don't break established connections
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo - established connections : [OK]
     
    # Loopback
    iptables -t filter -A INPUT -i lo -j ACCEPT
    iptables -t filter -A OUTPUT -o lo -j ACCEPT
    echo - Loopback : [OK]
     
    # routing
    iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
    iptables --append FORWARD --in-interface eth0 -j ACCEPT
    and some filters for w00tw00t
     
    I don't have private IPs, only public,
    and I don't know how to make a working rule for Windows VPN.
    Can you help me? Thanks

    • admin says:

      Hi, why do you use MASQUERADE (it's nowadays obsolete)?
      iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
      iptables --append FORWARD --in-interface eth0 -j ACCEPT

      I would suggest you remove these rules and use instead:

      iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -d 192.168.5.0/24 -j SNAT --to-source 192.168.5.9
      # iptables SNAT rules for OpenVPN addrs routing from 10.8.0.0 to access 192.168.5.0
      /sbin/iptables -t nat -I POSTROUTING -s 192.168.5.0/24 -d 10.8.0.0/24 -j SNAT --to-source 10.8.0.1
      # iptables SNAT rules to allow connected OpenVPN user to access Internet via 109.104.206.253
      /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j SNAT --to 108.104.205.254

      Here I assume:

      192.168.5.0/24 is your network of hosts 192.168.5.1-255 on interface eth1
      10.8.0.0 is the IP range assigned to VPN-connected hosts
      108.104.205.254 is your external (Internet) IP address configured on eth0

      Hope this helps.
      The rest of your rules seem ok.

      If problems persist, try to temporarily comment out

      iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

      #iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      #iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      Best, Georgi

  3. Leaj says:

    Thank God for you, got my Linux firewall passing GRE now after days of testing, until I read this post. Thanks.
    I added one line though: ‘iptables -A INPUT -i eth0 -p gre -j ACCEPT’.
    Thanks again.

  4. Mario says:

    Excellent!!
