
GRE tunnel. Port Forwarding with IPTables from VPS to Local Server not working


Dear ServerFault community,

I have an OVH VPS with 3 public IPs (1.1.1.1, 2.2.2.2, 3.3.3.3) and I am trying to forward them individually, with one tunnel for each IP, to a server in my office (IP 5.5.5.5) with port forwarding. This is so that I can hide my office IP when running services on my office server.

1.1.1.1 is reserved for VPS's SSH. (All the ports are dropped except for port 23).

I forwarded one IP (2.2.2.2) through a WireGuard tunnel and IPTables and it works correctly with both curl --interface wg0 ifconfig.co and port forwarding (I can access Apache through 2.2.2.2:80).

WireGuard subnet:

1.0.0.1/32 for the VPS and 1.0.0.2/32 for the peer

For the second IP (3.3.3.3) I tried to create a second subnet and tunnel by using a GRE tunnel whose source and destination IPs are WireGuard's endpoints.

GRE Tunnel setup on OVH VPS:

iptunnel add gre1 mode gre local 10.0.0.1 remote 10.0.0.2 ttl 255
ip addr add 10.1.0.1/30 dev gre1
ip link set gre1 up

GRE Tunnel setup on Office Server:

iptunnel add gre1 mode gre local 10.0.0.2 remote 10.0.0.1 ttl 255
ip addr add 10.1.0.2/30 dev gre1
ip link set gre1 up

GRE subnet:

1.1.0.1/30 for the VPS and 1.1.0.2/30 for the peer

The GRE connection works as I can use it to access the internet. Moreover, with curl --interface gre1 ifconfig.co the correct IP is shown (3.3.3.3).

The only thing is that port forwarding is not working. I tried TCPDump on both the VPS and the Office Server when visiting 3.3.3.3:80, and it seems like the office server receives data from the VPS but no data is sent.

TCPDump from VPS (when visiting 3.3.3.3:80):

17:23:18.982509 IP {CENSORED}.52946 > 10.1.0.2.http: Flags [S], seq 1181521223, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:18.983462 IP {CENSORED}.52947 > 10.1.0.2.http: Flags [S], seq 2207908725, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:19.246446 IP {CENSORED}.52949 > 10.1.0.2.http: Flags [S], seq 13463282, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:19.992556 IP {CENSORED}.52946 > 10.1.0.2.http: Flags [S], seq 1181521223, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:19.993397 IP {CENSORED}.52947 > 10.1.0.2.http: Flags [S], seq 2207908725, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:20.258502 IP {CENSORED}.52949 > 10.1.0.2.http: Flags [S], seq 13463282, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:22.004496 IP {CENSORED}.52946 > 10.1.0.2.http: Flags [S], seq 1181521223, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:22.004531 IP {CENSORED}.52947 > 10.1.0.2.http: Flags [S], seq 2207908725, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:22.268496 IP {CENSORED}.52949 > 10.1.0.2.http: Flags [S], seq 13463282, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0

TCPDump from Office server (when visiting 3.3.3.3:80):

19:26:22.313047 IP {CENSORED}.53010 > 10.1.0.2.http: Flags [S], seq 43942198, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
19:26:22.313051 IP {CENSORED}.53011 > 10.1.0.2.http: Flags [S], seq 2711874582, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
19:26:23.326891 IP {CENSORED}.53010 > 10.1.0.2.http: Flags [S], seq 43942198, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
19:26:23.327948 IP {CENSORED}.53011 > 10.1.0.2.http: Flags [S], seq 2711874582, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
19:26:25.336925 IP {CENSORED}.53011 > 10.1.0.2.http: Flags [S], seq 2711874582, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
19:26:25.337102 IP {CENSORED}.53010 > 10.1.0.2.http: Flags [S], seq 43942198, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
19:26:29.338287 IP {CENSORED}.53011 > 10.1.0.2.http: Flags [S], seq 2711874582, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
19:26:29.338290 IP {CENSORED}.53010 > 10.1.0.2.http: Flags [S], seq 43942198, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0

OVH VPS' IPTables:

# Generated by iptables-save v1.8.7 on Tue May 31 15:25:37 2022
*filter
:INPUT ACCEPT [1698:235639]
:FORWARD ACCEPT [1053:163056]
:OUTPUT ACCEPT [1451:166474]
:f2b-sshd - [0:0]
-A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 23 -j ACCEPT
-A FORWARD -p GRE -j ACCEPT
-A INPUT -p GRE -j ACCEPT
-A INPUT -s 1.1.1.1/32 -j DROP
COMMIT
# Completed on Tue May 31 15:25:37 2022
# Generated by iptables-save v1.8.7 on Tue May 31 15:25:37 2022
*nat
:PREROUTING ACCEPT [435:15811]
:INPUT ACCEPT [428:15399]
:OUTPUT ACCEPT [32:2255]
:POSTROUTING ACCEPT [119:6298]


-A PREROUTING -d 2.2.2.2/32 -p tcp -m tcp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p tcp -m tcp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p udp -m udp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p udp -m udp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p tcp -m tcp -m multiport --dports 21,22,23,80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p udp -m udp -m multiport --dports 21,22,80,23,25,995,110,443,465,993,143 -j DNAT --to-destination 10.0.0.2


-A PREROUTING -d 3.3.3.3/32 -p tcp -m tcp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p tcp -m tcp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p udp -m udp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p udp -m udp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p tcp -m tcp -m multiport --dports 21,22,23,80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p udp -m udp -m multiport --dports 21,22,80,23,25,995,110,443,465,993,143 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -p gre -j DNAT --to-destination 10.1.0.2


-A POSTROUTING -s 10.1.0.2/30 ! -o gre+ -j SNAT --to-source 149.202.147.64


-A POSTROUTING -s 10.0.0.2/32 -p tcp -m tcp -m multiport --sports 1000:51820 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p tcp -m tcp -m multiport --sports 51826:65534 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p tcp -m tcp -m multiport --sports 21,22,23,80,25,995,110,443,465,993,143 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p udp -m udp -m multiport --sports 1000:51820 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p udp -m udp -m multiport --sports 51826:65534 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p udp -m udp -m multiport --sports 21,22,23,80,25,995,110,443,465,993,143 -j SNAT --to-source 2.2.2.2


-A POSTROUTING -s 10.1.0.2/30 -p tcp -m tcp -m multiport --sports 1000:51820 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/30 -p tcp -m tcp -m multiport --sports 51826:65534 -j SNAT --to-source 149.202.147.64
-A POSTROUTING -s 10.1.0.2/30 -p tcp -m tcp -m multiport --sports 21,22,23,80,25,995,110,443,465,993,143 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/30 -p udp -m udp -m multiport --sports 1000:51820 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/30 -p udp -m udp -m multiport --sports 51826:65534 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/30 -p udp -m udp -m multiport --sports 21,22,23,80,25,995,110,443,465,993,143 -j SNAT --to-source 3.3.3.3


COMMIT
# Completed on Tue May 31 15:25:37 2022

Result on Office Server for curl --interface wg0 ifconfig.co:

2.2.2.2

Result on Office Server for curl --interface gre1 ifconfig.co:

3.3.3.3

(Internet connection works for both)

With Apache listening on 0.0.0.0:80 I can access the webserver through 2.2.2.2:80 but not through 3.3.3.3:80.

Even if Apache binds to 10.1.0.2 I still cannot access the webserver.

Any help will be very much appreciated!

Thank you very much for your time!

Best Regards,

Nicolò
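An added diagnostic helper, not part of the original question and not OVH's, WireGuard's or iptables' code: it parses tcpdump lines of the shape quoted in the question and classifies each client flow by whether a SYN-ACK (or an RST) ever appeared on the captured interface, which is the check the two captures above are doing by eye. The embedded log lines are constructed sample input: the first ones are copied from the captures in the question, the remaining ones (client 198.51.100.7, server port 8080) are invented to show a completed handshake and a refused connection for contrast.

```python
"""Classify TCP handshakes in tcpdump text output.

Hypothetical helper (not from the original post): reads tcpdump lines of the
form "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..." and tells,
per client flow, whether the server's SYN-ACK or an RST was seen at all.
"""
import re
from collections import defaultdict

# Constructed sample: the first lines mirror the question's capture on the
# office server; the 198.51.100.7 flows are invented for contrast.
SAMPLE = """\
17:23:18.982509 IP {CENSORED}.52946 > 10.1.0.2.http: Flags [S], seq 1181521223, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:18.983462 IP {CENSORED}.52947 > 10.1.0.2.http: Flags [S], seq 2207908725, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:19.992556 IP {CENSORED}.52946 > 10.1.0.2.http: Flags [S], seq 1181521223, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:22.004496 IP {CENSORED}.52946 > 10.1.0.2.http: Flags [S], seq 1181521223, win 64240, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:23:30.100000 IP 198.51.100.7.40000 > 10.0.0.2.http: Flags [S], seq 1, win 64240, options [mss 1440], length 0
17:23:30.100500 IP 10.0.0.2.http > 198.51.100.7.40000: Flags [S.], seq 2, ack 2, win 65160, options [mss 1460], length 0
17:23:30.101000 IP 198.51.100.7.40000 > 10.0.0.2.http: Flags [.], ack 1, win 502, length 0
17:23:31.000000 IP 198.51.100.7.40001 > 10.0.0.2.8080: Flags [S], seq 5, win 64240, options [mss 1440], length 0
17:23:31.000400 IP 10.0.0.2.8080 > 198.51.100.7.40001: Flags [R.], seq 0, ack 6, win 0, length 0
"""

# Accepts numeric ports as well as service names ("http"), since tcpdump
# prints names unless run with -n.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["src"], m["sport"], m["dst"], m["dport"], m["flags"]


def analyze(lines):
    """Count SYN, SYN-ACK and RST per client->server flow.

    The key is the client side (source of the SYN); a SYN-ACK or RST travelling
    in the reverse direction is credited to the same flow.
    """
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        if "S" in flags and "." not in flags:      # [S]  : client SYN
            flows[(src, sport, dst, dport)]["syn"] += 1
        elif "S" in flags and "." in flags:        # [S.] : server SYN-ACK
            flows[(dst, dport, src, sport)]["synack"] += 1
        elif "R" in flags:                         # [R] / [R.]: reset
            rev = (dst, dport, src, sport)
            if rev in flows:                       # only resets answering a seen SYN
                flows[rev]["rst"] += 1
    return dict(flows)


def classify(counters):
    """Label one flow's counters."""
    if counters["synack"]:
        return "handshake-seen"
    if counters["rst"]:
        return "refused"             # server answered; nothing listening or rejected
    if counters["syn"] > 1:
        return "one-way-retrying"    # client retransmits: no answer ever reached it
    return "one-way"


def report(lines):
    """Sorted rows: (client, cport, server, sport, syn, synack, rst, label)."""
    rows = []
    for (src, sport, dst, dport), c in analyze(lines).items():
        rows.append((src, sport, dst, dport, c["syn"], c["synack"], c["rst"], classify(c)))
    return sorted(rows)


if __name__ == "__main__":
    for row in report(SAMPLE.splitlines()):
        print("%s:%s -> %s:%s  syn=%d synack=%d rst=%d  %s" % row)
```

Feed it a capture taken on each end with `tcpdump -n -i gre1 'tcp port 80'`. A flow labelled `one-way-retrying` on the backend means the SYN arrived on that interface but no SYN-ACK left through it; the next step is to tell "no reply was generated" (listener or filter problem) from "the reply left by another interface" (return-path routing), which a capture on all interfaces (`tcpdump -n -i any`) and `ip route get <client-ip>` on the backend will distinguish.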

