IP GRE Cisco Linux
Creating Tunnel interface on Cisco
interface Tunnel0
ip address 172.19.2.2 255.255.255.0
tunnel source IP_ADDR
tunnel destination IP_ADDR
ip nat inside
interface FastEthernet3/0
ip address IP_ADDR 255.255.255.252
ip nat outside
no ip mroute-cache
load-interval 30
duplex full
Adding routes
ip route 172.19.3.0 255.255.255.0 tunnel0
ip access-list standard Ips
permit 172.19.2.2
permit 172.19.3.3
route-map VPN permit 10
match ip address Ips
Configuring NAT
ip nat inside source route-map VPN interface FastEthernet3/0 overload
ip nat inside source static tcp 172.19.3.3 2200 fas3/0_ip_addr 7200 extendable
!!! ip nat outside must be on the external interface that faces the internet !!!
Linux Tunnel
[root@fastline ~]# ip tun add tun0 mode gre local LOCAL remote REMOTE ttl 255
[root@fastline ~]# ip add add 172.19.3.3 dev tun0
[root@fastline ~]# ip link set tun0 up
[root@fastline ~]# ip r a 172.19.2.0/24 dev tun0
[root@fastline ~]# echo "201 tun" >> /etc/iproute2/rt_tables
[root@fastline ~]# ip rule add from 172.19.3.3 lookup tun
[root@fastline ~]# ip route add default via 172.19.2.2 table tun
[root@fastline ~]# /sbin/ip route flush cache
This way all traffic from 172.19.3.3 will be forwarded to 172.19.2.2.
ip r a 66.197.0.0/24 dev tun0 (traffic destined for this network will go via the tunnel)
Forwarding Traffic
Forward specific traffic:
[root@fastline ~]# iptables -A PREROUTING -t mangle -p tcp --dport 22 -j MARK --set-mark 0x22
[root@fastline ~]# iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 28 packets, 346K bytes)
pkts bytes target prot opt in out source destination
1 40 MARK tcp -- any any anywhere anywhere tcp dpt:ssh MARK set 0x22
[root@fastline ~]# ip rule add fwmark 0x22 lookup tun
[root@fastline ~]# ip route add default via 172.19.2.2 table tun
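The policy-routing setup above only works when all of its pieces are present: forwarding enabled, a rule for the tunnel source address, a rule for the fwmark, and a default route inside the tun table. The following checker is an added example (not part of the original post) that reports which piece is missing; it takes the captured text of `sysctl -n net.ipv4.ip_forward`, `ip rule show` and `ip route show table tun` as arguments, so it runs without root and also works on output pasted by someone else. The table name, mark and addresses are those used in the post.

```shell
#!/bin/sh
# check_policy_routing FWD RULES ROUTES TABLE SRC MARK GW
#   FWD    - value of net.ipv4.ip_forward ("1" when forwarding is on)
#   RULES  - output of `ip rule show`
#   ROUTES - output of `ip route show table TABLE`
# Prints "ok" and returns 0, or "missing: ..." and returns 1.
check_policy_routing() {
    fwd=$1 rules=$2 routes=$3 table=$4 src=$5 mark=$6 gw=$7
    missing=""
    # The box must actually route, or marked packets are dropped on input.
    [ "$fwd" = "1" ] || missing="$missing ip_forward"
    # `ip rule show` prints lines like "32765: from 172.19.3.3 lookup tun".
    printf '%s\n' "$rules" | grep -q "from $src .*lookup $table" \
        || missing="$missing rule:from-$src"
    # ...and "32764: from all fwmark 0x22 lookup tun" for the mark rule.
    printf '%s\n' "$rules" | grep -q "fwmark $mark .*lookup $table" \
        || missing="$missing rule:fwmark-$mark"
    # The tun table needs its own default route, or lookups fall through.
    printf '%s\n' "$routes" | grep -q "^default via $gw " \
        || missing="$missing route:default-via-$gw"
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
    return 0
}

# Constructed sample (not captured from a real host): forwarding is on and
# the "from" rule exists, but the fwmark rule and the table's default route
# were never added, which is the classic "packets leave but never come back".
SAMPLE_RULES='0:      from all lookup local
32765:  from 172.19.3.3 lookup tun
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES=''

if check_policy_routing 1 "$SAMPLE_RULES" "$SAMPLE_ROUTES" tun 172.19.3.3 0x22 172.19.2.2; then
    echo "policy routing complete"
else
    echo "add the missing items, then: ip route flush cache"
fi
# On a live box: check_policy_routing "$(sysctl -n net.ipv4.ip_forward)" \
#   "$(ip rule show)" "$(ip route show table tun)" tun 172.19.3.3 0x22 172.19.2.2
```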

May 7th, 2010 at 2:27 am
Hello,
I have a similar situation: I also have to forward traffic from the GRE (Cisco-Linux) to the internet, so in my iptables I've set:
#Permiting linux to act as router (necessary to forward packets)
echo "1" > /proc/sys/net/ipv4/ip_forward
# first the port then the protocol
$fw -A INPUT -p 47 -j ACCEPT
# permit the ppp interface to forward
$fw -A FORWARD -i cloud -o ppp0 -j ACCEPT
$fw -A FORWARD -o cloud -i ppp0 -j ACCEPT
# any "related" activity to something already permitted should be accepted:
$fw -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# masquerade anything going out from this server:
$fw -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#$fw -t nat -A POSTROUTING -o ppp0 -j SNAT --to $myextip
$fw -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source $myextip
$fw -A FORWARD -i cloud -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
So I see the traffic coming from the Cisco and going to the internet via my ppp0 NIC, but it never comes back.
Can you tell me what's wrong with my iptables?
May 11th, 2010 at 12:06 pm
Try debugging with tcpdump. Most likely you did not set the proper iproute rules.