It's possible that the NAT software itself does not know how to NAT IP-proto 47 (gre). Note that a lot of various protocols can't be NATed in this manner. IP Proto 50, for example, also has similar problems, as does (somewhat) IP Proto 4.

-derek

Bob George <mailings01 at ttlexceeded.com> writes:

> I'm trying to set up a GRE tunnel through a NAT gateway as follows:
>
> 1. External GRE traffic arriving on the external interface of gateway
> A should be redirected to an inside interface on B. The GRE tunnel
> endpoints are the remote system C and eth1 on B.
>
> 2. Traffic exiting machine A's external interface (eth1) should be
> NAT'd to the external IP of that interface.
>
> Hopefully this drawing will make everything clear:
>
>            eth1 +---+ eth2      eth1 +---+
>                 |   | .254      .253 |   |
> C --- INTERNET -+ A +----- DMZ ------+ B |
>  <external_ip>  |   | 172.16.23.0/24 |   |
>                 +---+                +---+
>                   ^                    ^
>                  NAT            tunnel endpoint
>                 <----- GRE TUNNEL ---------------->
>
> I HAVE been able to:
>
> * Create GRE tunnels between C-A, and A-B with no problems.
> * Redirect other non-GRE inbound traffic on A eth1 to B eth1.
> * Connect from B to external systems with TCP, UDP & ICMP.
>
> I have tried various combinations of iptables configurations with no
> luck so far with GRE. Here are the relevant parts of the configuration
> on A:
>
> --- cut here --- cut here ---
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to
> iptables -N eth1-in
> iptables -A INPUT -i eth1 -j eth1-in
>
> # NAT B traffic - THESE WORK
> iptables -A eth1-in --protocol tcp -i eth1 --destination-port
> 8200:8202 -j ACCEPT
> iptables -t nat -A PREROUTING -i eth1 --protocol tcp
> --destination-port 8200:8202 -j DNAT --to 172.16.23.253
>
> # NAT inbound GRE traffic - THIS DOESN'T WORK
> iptables -A eth1-in --protocol 47 -i eth1 -j ACCEPT
> iptables -t nat -A PREROUTING -i eth1 --protocol 47 -j DNAT --to
> 172.16.23.253
>
> --- cut here --- cut here ---
>
> I have also configured A with basic rules NAT'ing all outbound traffic
> of eth1, and setting ALLOW policies for FORWARD, INPUT and
> OUTPUT. I've also tried removing the DNAT and SNAT rules for GRE in
> various combinations. All other traffic worked well, but still no GRE.
>
> I did some captures using tcpdump on both systems. I could see GRE
> traffic coming in to eth1 on A, and ICMP responses from A to C
> indicating "protocol unreachable." I never saw the outbound GRE
> traffic going through NAT, though other outbound traffic from B was
> fine.
>
> I've searched various howtos, and found numerous articles that make me
> think it should work easily, yet I'm stumped. I'm curious if anyone
> has successfully done GRE via NAT. Am I (hopefully) missing something
> obvious?
>
> Thanks,
>
> - Bob
>
>
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
warlord at MIT.EDU                        PGP key available
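Derek's point above, that a NAT box has to know IP protocol 47 specifically, illustrated with an added example that is not from the thread: it parses constructed IPv4/TCP and IPv4/GRE packets and shows that plain GRE carries no port-like field for a TCP/UDP-only NAT to track or rewrite, only the optional GRE key. The addresses, packet bytes and function names are assumptions made for this example, not anything from Bob's network.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47


def _ip2bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed sample packet: minimal 20-byte IPv4 header, checksum left 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, _ip2bytes(src), _ip2bytes(dst))
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, payload); honours the IHL field so options are skipped."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:]


def gre_key(gre: bytes):
    """GRE header (RFC 2784/2890): flags+version, protocol type, then optional
    checksum/reserved1 (C bit 0x8000) and key (K bit 0x2000). Returns key or None."""
    flags = struct.unpack("!H", gre[:2])[0]
    off = 4 + (4 if flags & 0x8000 else 0)
    if flags & 0x2000:
        return struct.unpack("!I", gre[off:off + 4])[0]
    return None


def flow_identifier(pkt: bytes):
    """What a NAT box can use, beyond the address pair, to tell one flow from
    another between the same two hosts. None means a generic TCP/UDP NAT has
    nothing to track or rewrite: that is where a GRE-aware helper is needed."""
    proto, _src, _dst, payload = parse_ipv4(pkt)
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        return ("ports",) + struct.unpack("!HH", payload[:4])
    if proto == IPPROTO_GRE:
        key = gre_key(payload)
        return ("gre-key", key) if key is not None else None
    return None


# Constructed packets from a hypothetical C to A's external address (documentation ranges).
C, A_EXT = "203.0.113.7", "198.51.100.1"
TCP_PKT = build_ipv4(IPPROTO_TCP, C, A_EXT, struct.pack("!HH", 40000, 8200) + bytes(16))
GRE_PLAIN = build_ipv4(IPPROTO_GRE, C, A_EXT, struct.pack("!HH", 0x0000, 0x0800))
GRE_KEYED = build_ipv4(IPPROTO_GRE, C, A_EXT, struct.pack("!HHHHI", 0xA000, 0x0800, 0, 0, 0x1234))
```

Running `flow_identifier` over the three packets gives a port pair for TCP, a key for keyed GRE, and nothing at all for the plain GRE tunnel packet, which is the case the TCP/UDP rules in the thread cannot cover.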