GRE and IPIP Tunnels

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.



GRE and IPIP Tunnels are insecure when used over the Internet; use them at your own risk

GRE and IPIP tunneling with Shorewall can be used to bridge two masqueraded networks.

The simple scripts described in the Linux Advanced Routing and Shaping HOWTO work fine with Shorewall. Shorewall also includes a tunnel script for automating tunnel configuration. If you have installed the RPM, the tunnel script may be found in the Shorewall documentation directory (usually /usr/share/doc/shorewall-<version>/).

Bridging two Masqueraded Networks

Suppose that we have the following situation:

We want systems in the subnetwork to be able to communicate with the systems in the network. This is accomplished through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy file and the /etc/shorewall/tunnel script that is included with Shorewall.

The tunnel script is not installed in /etc/shorewall by default -- If you install using the tarball, the script is included in the tarball; if you install using the RPM, the file is in your Shorewall documentation directory (normally /usr/share/doc/shorewall-<version>).

In the /etc/shorewall/tunnel script, set the tunnel_type parameter to the type of tunnel that you want to create.

Example 1. /etc/shorewall/tunnel



If you use the PPTP connection tracking modules from Netfilter Patch-O-Matic (ip_conntrack_proto_gre, ip_conntrack_pptp, ip_nat_proto_gre and ip_nat_pptp), then you cannot use GRE tunnels.

On each firewall, you will need to declare a zone to represent the remote subnet. We'll assume that this zone is called vpn and declare it in /etc/shorewall/zones on both systems as follows.

#ZONE        TYPE           OPTIONS
vpn          ipv4

On system A, the will comprise the vpn zone. In /etc/shorewall/interfaces:

vpn          tosysb

In /etc/shorewall/tunnels on system A, we need the following:

#TYPE         ZONE          GATEWAY          GATEWAY ZONE
ipip          net 

This entry in /etc/shorewall/tunnels opens the firewall so that the IP encapsulation protocol (protocol number 4) is accepted to and from the remote gateway, and only that gateway.

In the tunnel script on system A:

Example 2. tunnel script on system A

myrealip= (for GRE tunnel only)

Similarly, on system B the subnet will comprise the vpn zone. In /etc/shorewall/interfaces:

vpn          tosysa   

In /etc/shorewall/tunnels on system B, we have:

#TYPE        ZONE           GATEWAY           GATEWAY ZONE
ipip         net  

And in the tunnel script on system B:

Example 3. tunnel script on system B

myrealip= (for GRE tunnel only)

You can rename the modified tunnel scripts if you like; be sure that they are secured so that root can execute them.

You will need to allow traffic between the vpn zone and the loc zone on both systems -- if you simply want to admit all traffic in both directions, you can use the policy file:

#SOURCE          DEST          POLICY         LOG LEVEL
loc              vpn           ACCEPT
vpn              loc           ACCEPT

On both systems, restart Shorewall and run the modified tunnel script with the start argument. The systems in the two masqueraded subnetworks can now talk to each other.
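As an added illustration (not Shorewall's own compiler and not code from this page), the following Python models what a /etc/shorewall/tunnels entry opens: the tunnel's IP protocol (4 for ipip, 47 for gre), to and from the gateway address only, plus the PPTP-module restriction noted above. The chain names net2fw/fw2net approximate Shorewall's zone-pair chains, and the gateway address 192.0.2.10 is a constructed stand-in for system B.

```python
# Added illustration: what a /etc/shorewall/tunnels entry opens in the firewall.
# This is NOT Shorewall's compiler; chain names (net2fw/fw2net) and rule shapes
# only approximate what Shorewall generates, and the gateway address is constructed.

TUNNEL_PROTO = {"ipip": 4, "gre": 47}          # IP protocol number per tunnel type
PPTP_GRE_MODULES = {"ip_conntrack_proto_gre", "ip_nat_proto_gre",
                    "ip_conntrack_pptp", "ip_nat_pptp"}

# Constructed sample of system A's tunnels file (192.0.2.10 stands in for system B)
SAMPLE_TUNNELS = """\
#TYPE         ZONE          GATEWAY          GATEWAY ZONE
ipip          net           192.0.2.10
"""

def parse_tunnels(text):
    """Parse TYPE ZONE GATEWAY [GATEWAY ZONE] lines, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed tunnels entry: {raw!r}")
        ttype = fields[0].lower()
        if ttype not in TUNNEL_PROTO:
            raise ValueError(f"unsupported tunnel type: {fields[0]}")
        entries.append({"type": ttype, "zone": fields[1], "gateway": fields[2]})
    return entries

def gre_allowed(loaded_modules):
    """GRE tunnels cannot coexist with the PPTP GRE conntrack/NAT modules."""
    return not (set(loaded_modules) & PPTP_GRE_MODULES)

def rules_for(entry, loaded_modules=()):
    """Rule pair an entry implies: the tunnel protocol, to/from the gateway only."""
    if entry["type"] == "gre" and not gre_allowed(loaded_modules):
        raise RuntimeError("GRE tunnel conflicts with loaded PPTP GRE modules")
    proto = TUNNEL_PROTO[entry["type"]]
    zone, gw = entry["zone"], entry["gateway"]
    return [
        f"iptables -A {zone}2fw -p {proto} -s {gw} -j ACCEPT",
        f"iptables -A fw2{zone} -p {proto} -d {gw} -j ACCEPT",
    ]

if __name__ == "__main__":
    for entry in parse_tunnels(SAMPLE_TUNNELS):
        print("\n".join(rules_for(entry)))
```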

