[Solved] use iptables with IP in IP Tunnel

jarekjarecki

Hi guys,

I've got another issue. I made a test IP in IP tunnel as described in this article: https://sites.google.com/site/mrxpalmeiras/linux/create-ipip-tunnel-between-networks

Then on machine A:

iptables -t nat -A PREROUTING -d 101.131.77.67 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2

where 101.131.77.67 is the public IP of machine A and 192.168.0.2 is the IP-in-IP tunnel IP of machine B.

It works fine: after sending a packet to 101.131.77.67 on port 80, I receive a packet on tunnel-a on machine B with the source IP of the external client and a destination of 192.168.0.2, which is the IP of the IP-in-IP tunnel of machine B.

Then on machine B I added:

iptables -t nat -A PREROUTING -d 192.168.0.2 -p tcp -j DNAT --to-destination 172.16.0.2

where 172.16.0.2 is a machine in the local network to which I want to redirect the whole traffic again. This doesn't work at all: it doesn't redirect anything and I'm still able to receive the packets on machine B.

It looks like this:

client --[HTTP request]--> server 1 port 80 --[IP in IP encapsulated client packet]--> server 2 IP in IP interface (192.168.0.2) --->

This part works fine.

But after adding [iptables -t nat -A PREROUTING -d 192.168.0.2 -p tcp -j DNAT --to-destination 172.16.0.2]

nothing changes. Packets are not forwarded to the next server.

It looks like iptables doesn't affect the IPIP-decapsulated packets at all.

Do you have any idea what could be causing this?
jarekjarecki

The solution was:

net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0

as well as

sysctl net.ipv4.conf.eth0.rp_filter=0
sysctl net.ipv4.conf.eth1.rp_filter=0
sysctl net.ipv4.conf.gre0.rp_filter=0
sysctl net.ipv4.conf.gre1.rp_filter=0

Please mark a thread as solved/closed as you wish.
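The two posts above describe the symptom (decapsulated packets that the nat PREROUTING rule seems not to reach) and the fix (turning off reverse-path filtering). Before copying that fix, a practitioner would want to see which interfaces are actually in strict mode, confirm that rp_filter is what drops the packets, and weigh loose mode (2) against switching the anti-spoofing check off entirely (0). The POSIX shell script below does that; it is an added example, not code from the thread or from the linked article. It works on constructed `sysctl -a` and kernel-log samples so it runs offline; the interface names tunl0, eth0 and eth1 and every address in it are assumptions, and it relies on two kernel facts: the effective rp_filter for an interface is the larger of `net.ipv4.conf.all.rp_filter` and `net.ipv4.conf.<iface>.rp_filter` (which is why the per-interface settings in the solution only take effect together with the `all` setting), and with `net.ipv4.conf.all.log_martians=1` each rp_filter drop is logged as `IPv4: martian source <dst> from <src>, on dev <iface>`.

```shell
#!/bin/sh
# Added example (not from the thread): find interfaces in strict rp_filter
# mode, summarise the drops rp_filter logs, and propose loose mode instead
# of disabling source validation. Interface names and addresses are constructed.

# Constructed sample of the relevant `sysctl -a` lines on the tunnel endpoint.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.tunl0.rp_filter = 1
net.ipv4.conf.all.log_martians = 1'

# Constructed sample kernel log lines of the kind log_martians=1 produces.
# Kernel wording is "martian source <dst> from <src>, on dev <iface>".
SAMPLE_DMESG='[ 1201.123456] IPv4: martian source 192.168.0.2 from 203.0.113.10, on dev tunl0
[ 1201.123470] ll header: 00000000: 45 00 00 3c 1a 2b 40 00 3f 06
[ 1202.000001] IPv4: martian source 192.168.0.2 from 203.0.113.10, on dev tunl0
[ 1203.000001] IPv4: martian source 172.16.0.2 from 198.51.100.7, on dev eth1'

# effective_rp_filter: read `sysctl -a`-style lines on stdin and print
# "<iface> <effective>" per interface, where effective is
# max(conf.all.rp_filter, conf.<iface>.rp_filter) as the kernel applies it.
# (Interfaces whose names contain a dot appear as "eth0/100" in sysctl output,
# so the dot-based field split below is safe.)
effective_rp_filter() {
    awk -F'[ .=]+' '
        $1 == "net" && $2 == "ipv4" && $3 == "conf" && $5 == "rp_filter" {
            if ($4 == "all") all = $6
            else if ($4 != "default") v[$4] = $6
        }
        END {
            for (i in v) {
                e = (v[i] + 0 > all + 0) ? v[i] : all
                print i, e
            }
        }' | sort
}

# strict_ifaces: interfaces whose effective rp_filter is 1 (strict). On such an
# interface a packet is dropped when the route back to its source does not
# leave via the interface it arrived on, which is exactly the situation of a
# client packet arriving decapsulated on the tunnel interface.
strict_ifaces() {
    effective_rp_filter | awk '$2 == 1 { print $1 }'
}

# martian_drops: summarise rp_filter drops from kernel log lines on stdin as
# "<dev> <src> <dst> <count>", swapping the kernel's dst/src order back.
martian_drops() {
    awk '/martian source/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "source") dst = $(i + 1)
                if ($i == "from")   { src = $(i + 1); sub(/,$/, "", src) }
                if ($i == "dev")    dev = $(i + 1)
            }
            n[dev " " src " " dst]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# suggest_loose_mode: for the strict interfaces listed on stdin, emit sysctl
# commands that switch to loose mode (2). Loose mode accepts asymmetric paths
# ("in via tunnel, reply via eth0") but still drops packets whose source is
# not routable via any interface; 0 switches source validation off entirely.
# conf.all must be lowered too, because the larger of the two values wins.
suggest_loose_mode() {
    awk 'BEGIN { print "sysctl -w net.ipv4.conf.all.rp_filter=2" }
         { printf "sysctl -w net.ipv4.conf.%s.rp_filter=2\n", $1 }'
}

# Demo on the constructed samples.
echo "# interfaces with strict rp_filter in effect:"
printf '%s\n' "$SAMPLE_SYSCTL" | strict_ifaces
echo "# rp_filter drops seen in the kernel log (dev src dst count):"
printf '%s\n' "$SAMPLE_DMESG" | martian_drops
echo "# suggested change:"
printf '%s\n' "$SAMPLE_SYSCTL" | strict_ifaces | suggest_loose_mode
```

On a real host the functions take `sysctl -a 2>/dev/null` and `dmesg` as stdin instead of the samples. Because the drop happens in the routing step, after the nat PREROUTING rule has already run, the rule's packet counters in `iptables -t nat -L PREROUTING -v -n` can increase while nothing reaches the forward path; the martian log entries are what make the drop visible.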