CSF and GRE Tunneling
Has anyone successfully set up a GRE tunnel while using CSF firewall?
I did my setup following http://wiki.buyvm.net/doku.php/gre_tunnel with CSF off. Now that I have turned CSF on, I managed to create some rules on the DDOS protected host to get GRE working.
They are as follows (entered in csfpre.sh):
/sbin/iptables -A INPUT -i eth0 -p gre -d [ddosprotectedip] -s [servertobeprotected] -j ACCEPT
/sbin/iptables -A INPUT -i gre1 -j ACCEPT
/sbin/iptables -A FORWARD -i gre1 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.168.0/30 -i eth0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s 192.168.168.0/30 -j SNAT --to-source [ddosprotectedip]
On the server that I am trying to protect though, things seem to be getting a little dicey.
Using:
/sbin/iptables -A INPUT -i eth0 -p gre -s [ddosprotectedip] -j ACCEPT
/sbin/iptables -A INPUT -i gre1 -j ACCEPT
Seems to block GRE traffic on the tunnel. So far, the only way I have found to get the traffic to pass through is to add the ddos protected ip into /etc/csf/csf.allow.
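To keep the two rule sets in step, here is an added helper (example code, not from the thread or from the BuyVM wiki) that prints the csfpre.sh rules above for either end of the tunnel. It keeps the interface names, chains and the 192.168.168.0/30 tunnel subnet from the post; the public IPs passed to it are constructed placeholders, and the address check is there so a mistyped or empty address cannot produce a GRE accept rule that is wider than the one peer.

```shell
#!/bin/sh
# Added example: emit the csfpre.sh rules for one end of the GRE tunnel.
set -eu

# Accept only a dotted-quad IPv4 address; an empty or malformed -s/-d
# argument would otherwise widen the "accept GRE from the peer" rule.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# gen_rules ROLE PROTECTOR_IP PROTECTED_IP
#   ROLE: "protector" = the DDoS-protected host, "protected" = the origin server.
#   GRE (IP protocol 47) is accepted on eth0 only from the tunnel peer; traffic
#   that has already been decapsulated arrives on gre1 and is accepted there.
gen_rules() {
    role=$1; protector=$2; protected=$3
    is_ipv4 "$protector" && is_ipv4 "$protected" || return 2
    case $role in
    protector)
        printf '%s\n' \
          "/sbin/iptables -A INPUT -i eth0 -p gre -d $protector -s $protected -j ACCEPT" \
          "/sbin/iptables -A INPUT -i gre1 -j ACCEPT" \
          "/sbin/iptables -A FORWARD -i gre1 -j ACCEPT" \
          "/sbin/iptables -A FORWARD -d 192.168.168.0/30 -i eth0 -j ACCEPT" \
          "/sbin/iptables -t nat -A POSTROUTING -s 192.168.168.0/30 -j SNAT --to-source $protector" ;;
    protected)
        printf '%s\n' \
          "/sbin/iptables -A INPUT -i eth0 -p gre -s $protector -j ACCEPT" \
          "/sbin/iptables -A INPUT -i gre1 -j ACCEPT" ;;
    *) return 2 ;;
    esac
}

# Example (placeholder addresses): print the origin server's rules.
# gen_rules protected 203.0.113.10 198.51.100.20
```

Run it once per host and append the output to /etc/csf/csfpre.sh after checking it; a non-zero exit means an address or role was rejected and nothing was printed.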
Comments
White-listing the IP is the correct procedure. Also whitelist any internal IPs. Simple and Effective.
Ah, thanks
Thought I was doing something wrong when I found that I had to whitelist the IP to get a connection.
By the way, I am having another issue where the tunnel stops working until I do some pings across it from the vps that is being protected. Seems like there is no keepalive.
Anyone have any ideas to fix that, other than doing a cron with a ping?
GRE is stateless, it has nothing like a keepalive.
Question... Is it really a good option to make a tunnel? Isn't it easier to use iptables to forward a port?
If you're doing IP-banning, or simply wish to have the correct source IP on the remote system, you use GRE. You can easily view this in tcpdump.
I think the issue becomes the destination server's reply. (In the case of tunnels, you do so because you want the reply to go through the tunnel.)