views:

1739

answers:

2

I have a host that has a permanent static GRE tunnel to a server on the Internet. Right now the host has its own real IP address. I want to put the host behind a Linux box (Smoothwall), and assign it a private IP address.

Let's call:
tunnel-server-ip = the IP of the end of the tunnel the host is connecting to (on the internet)
real-ip = the real IP currently used by the host, that I want to assign to the Linux router
false-ip = the IP the host will get after it is put behind the Linux firewall

This is what I think I have to do for the tunnel to work:

  1. DNAT all incoming IP GRE packets on the external interface coming from the internet tunnel end, and send them to host. That is change the destination from real-ip to false-ip and send the packet to false-ip
  2. SNAT all incoming IP GRE packets coming on the internal interface coming from the host to appear they are generated by the Linux box and send them to the tunnel server. That is change the source field from false-ip to real-ip and send the packet to tunnel-server-ip

I came up with the following script:

tunnel_server_ip=217.x.x.x
false_ip=192.168.2.2
real_ip=82.x.x.x
/sbin/iptables -A PREROUTING -p 47 --src $tunnel_server_ip -j DNAT --to-destination $false_ip 
/sbin/iptables -A POSTROUTING -p 47 --src $false_ip -j SNAT --to-source $real_ip    
/sbin/iptables -A INPUT -p 47 -j ACCEPT

Running this results in "No chain/target/match by that name".
Could you please tell me what I did wrong? Am I on the right track?

A: 

For most GRE tunnels you have to have a control protocol on TCP 1723. This has to be forwarded also. Here is a Link that describes the iptables configuration for this. You are on the right track, just missing the control protocol.

Scott Lundberg
Thanks for the answer. I copied the question to http://serverfault.com/questions/37635/nat-gre-ip-protocol-47-over-linux-router For GRE to work you don't need TCP 1723. That is needed only for PPTP which uses GRE for data and TCP 1723 for control. If you only want a static tunnel, you can use GRE alone.
andi
A: 

You appear to have forgotten to say "--table nat", so it's going into the filter table which doesn't have SNAT/DNAT targets, nor does it have PREROUTING and POSTROUTING chains.

Perry Lorier
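The corrected rule set that follows is an added example (not the answerer's or the asker's own script): it applies the "-t nat" fix from the answer above to the two NAT rules from the question, and it adds the FORWARD rules and ip_forward setting the router also needs, since a packet that is DNATed to the inside host never reaches the INPUT chain. Interface names (eth0 external, eth1 internal) and the non-private addresses are constructed placeholders supplied through environment variables; only 192.168.2.2 comes from the question. By default the script only prints the commands it would run; set APPLY=1 to execute them.

```shell
#!/bin/sh
# GRE (IP protocol 47) forwarding through a Linux NAT router.
# Added example for the thread above; assumptions are marked as such.

# Placeholders (constructed; RFC 5737 documentation ranges). Override via environment.
tunnel_server_ip="${TUNNEL_SERVER_IP:-203.0.113.1}"  # assumed: far end of the tunnel
real_ip="${REAL_IP:-198.51.100.1}"                    # assumed: public IP now on the router
false_ip="${FALSE_IP:-192.168.2.2}"                   # private IP of the host (from the question)
ext_if="${EXT_IF:-eth0}"                              # assumed external interface name
int_if="${INT_IF:-eth1}"                              # assumed internal interface name
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Print a command unless APPLY=1, so the rules can be reviewed before they are loaded.
run() {
  if [ "${APPLY:-0}" = 1 ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# Routing between interfaces is off by default; NAT alone does not forward anything.
enable_forwarding() {
  run sysctl -w net.ipv4.ip_forward=1
}

gre_nat_rules() {
  # 1. Inbound: GRE from the tunnel server addressed to real_ip is DNATed to the host.
  #    The "-t nat" is the part missing from the question's script; the filter table
  #    has no PREROUTING/POSTROUTING chains and no DNAT/SNAT targets.
  run "$IPTABLES" -t nat -A PREROUTING -i "$ext_if" -p 47 \
      -s "$tunnel_server_ip" -d "$real_ip" -j DNAT --to-destination "$false_ip"

  # 2. Outbound: GRE from the host to the tunnel server is SNATed to real_ip.
  run "$IPTABLES" -t nat -A POSTROUTING -o "$ext_if" -p 47 \
      -s "$false_ip" -d "$tunnel_server_ip" -j SNAT --to-source "$real_ip"

  # 3. The filter table still decides whether the forwarded GRE is allowed at all.
  #    Match on both endpoints so only this tunnel is accepted, not any GRE traffic.
  run "$IPTABLES" -A FORWARD -i "$ext_if" -o "$int_if" -p 47 \
      -s "$tunnel_server_ip" -d "$false_ip" -j ACCEPT
  run "$IPTABLES" -A FORWARD -i "$int_if" -o "$ext_if" -p 47 \
      -s "$false_ip" -d "$tunnel_server_ip" -j ACCEPT
}

enable_forwarding
gre_nat_rules
```

Two points worth knowing when running this on a real router: the FORWARD rules match after DNAT has rewritten the destination, which is why the inbound rule names false_ip rather than real_ip; and because plain GRE carries no ports, connection tracking distinguishes flows only by address pair and protocol, so this arrangement serves one internal host per tunnel server.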