ipip_tunnel
Differences
This shows you the differences between two versions of the page.
| — |
ipip_tunnel [2017/03/23 09:22] (current) |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | //[This how-to tutorial was created by EidolonHost. Please consider EidolonHost for your [[http://eidolonhost.com|OpenVZ and KVM VPS]] needs. // | ||
| + | ====== Tutorial: IPIP tunneling from your EidolonHost DDoS Filtered VPS IP ====== | ||
| + | |||
| + | ==== What is a IPIP tunnel? ==== | ||
| + | |||
| + | Much like a proxy, a IPIP tunnel allows you to pass traffic from your EidolonHost VPS including DDoS filtering to another remote destination. | ||
| + | |||
| + | IPIP tunnels allow **all traffic** through, not just HTTP. With a IPIP tunnel you can serve, and deliver any type of content from any type of server (audio, FTP, SSH, SCP, video, etc.). | ||
| + | |||
| + | ==== What can your use a IPIP tunnel for? ==== | ||
| + | |||
| + | IPIP tunneling is very handy when you want to use our DDoS filtering services to protect services that are too large to host with us (I.e. game servers, Java applications, large database driven applications, etc.). | ||
| + | |||
| + | **IPIP tunneling is also the only tunneling method that OVH supports in their included kernels.** | ||
| + | |||
| + | Don't have root access for your destination server or are running a huge Windows deployment? Check out our alternative method to [[redirect_traffic|redirect traffic]] to your remote server. | ||
| + | |||
| + | ==== IPIP Tunnel How-to Tutorial Begins Here ===== | ||
| + | |||
| + | Our how-to tutorial to setup a IPIP tunnel between EidolonHost DDoS filtered VPS IP and your remote server starts here. | ||
| + | |||
| + | Following the simple instructions below you should be able to create a IPIP tunnel in under 20 minutes. | ||
| + | |||
| + | ===== Supported Operating Systems ==== | ||
| + | |||
| + | It is possible to use Windows to create, and forward your IPIP tunnel. If you need to protect a Windows server please consider purchasing a KVM plan. | ||
| + | |||
| + | In this document we'll only be covering a Linux IPIP tunnel configuration. | ||
| + | |||
| + | This guide will work 100% on both our KVM, and OpenVZ based plans. | ||
| + | |||
| + | ===== Prerequisites ===== | ||
| + | |||
| + | * iptables installed on your EidolonHost VPS (included already in most cases) | ||
| + | * iproute2 (included with pretty much every recent Linux distribution) | ||
| + | * A kernel with IPIP support (Linux includes this by default - ''ipip'' kernel module) | ||
| + | * A list of ports you need forwarded to your destination | ||
| + | * A EidolonHost VPS (starting as low as $15/yr for our [[http://eidolonhost.com/vps.html|128MB OpenVZ VPS]] or $25/yr for our [[http://eidolonhost.com/vps.html|128MB KVM VPS]]) | ||
| + | * A [[http://eidolonhost.com/features.html|EidolonHost DDoS filtered IP]] ($3.00/m per IP. 209.141.38.x & 209.141.39.x are the current filtered subnets) | ||
| + | |||
| + | |||
| + | ===== Tunnel Setup ===== | ||
| + | |||
| + | First we need to set our tunnel up. | ||
| + | |||
| + | On your EidolonHost VPS please execute the following commands: | ||
| + | |||
| + | <code> | ||
| + | echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf | ||
| + | sysctl -p | ||
| + | iptunnel add ipip1 mode ipip local YOUR_FILTERED_IP remote DESTINATION_SERVER_IP ttl 255 | ||
| + | ip addr add 192.168.168.1/30 dev ipip1 | ||
| + | ip link set ipip1 up | ||
| + | </code> | ||
| + | |||
| + | On the remote server you wish to protect run the following: | ||
| + | |||
| + | <code> | ||
| + | iptunnel add ipip1 mode ipip local DESTINATION_SERVER_IP remote YOUR_FILTERED_IP ttl 255 | ||
| + | ip addr add 192.168.168.2/30 dev ipip1 | ||
| + | ip link set ipip1 up | ||
| + | </code> | ||
| + | |||
| + | Please note the first line of each changes to mark what IP to use locally and which remotely. The 2nd line documents each end point. In a /30, 2 IP's are usable: .1 and .2. | ||
| + | ===== Test your New IPIP Tunnel with Ping ===== | ||
| + | |||
| + | On your EidolonHost VPS, you should now be able to ping ''192.168.168.2''. | ||
| + | |||
| + | For the sake of completeness, test pinging ''192.168.168.1'' from your destination server. | ||
| + | |||
| + | ===== Setup Source Route Tables ===== | ||
| + | |||
| + | Source route entries are required to make sure data that came in via the IPIP tunnel is sent back out the IPIP tunnel. | ||
| + | |||
| + | Please execute the following commands on the **destination** server. | ||
| + | |||
| + | <code> | ||
| + | echo '100 EidolonHost' >> /etc/iproute2/rt_tables | ||
| + | ip rule add from 192.168.168.0/30 table EidolonHost | ||
| + | ip route add default via 192.168.168.1 table EidolonHost | ||
| + | </code> | ||
| + | |||
| + | **Please note that the echo command only needs to be ran once. The entry will be saved into /etc/iproute2/rt_tables until you remove it manually.** | ||
| + | |||
| + | ===== Initial NAT Entries to Move Data over IPIP Tunnel ===== | ||
| + | |||
| + | NAT is used to pass data over our IPIP and out the other end. | ||
| + | |||
| + | While it would be possible to use a KVM based VPS with a purchased /29 allocation, this guide doesn't cover that. | ||
| + | |||
| + | On your EidolonHost VPS run the following command: | ||
| + | <code> | ||
| + | iptables -t nat -A POSTROUTING -s 192.168.168.0/30 -j SNAT --to-source YOUR_FILTERED_IP | ||
| + | </code> | ||
| + | |||
| + | ===== Test Outbound Connections ===== | ||
| + | |||
| + | On your destination server you can run either of the following commands to see if the tunnel is passing traffic properly: | ||
| + | <code> | ||
| + | curl http://www.cpanel.net/showip.cgi --interface 192.168.168.2 | ||
| + | </code> | ||
| + | |||
| + | <code> | ||
| + | wget http://www.cpanel.net/showip.cgi --bind-address=192.168.168.2 -q -O - | ||
| + | </code> | ||
| + | |||
| + | The IP dumped should be your EidolonHost filtered IP. | ||
| + | |||
| + | ===== Forwarding Ports Over your IPIP Tunnel ===== | ||
| + | |||
| + | To make things easy, we'll forward **all** ports from our filtered IP to the backend server. You can change this rule to only forward certain ports if you like. | ||
| + | |||
| + | Please adjust, and run the following commands on your EidolonHost VPS: | ||
| + | <code> | ||
| + | iptables -t nat -A PREROUTING -d YOUR_FILTERED_IP -j DNAT --to-destination 192.168.168.2 | ||
| + | iptables -A FORWARD -d 192.168.168.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | ||
| + | </code> | ||
| + | |||
| + | The first rule sets up the actual port forwarding and the second rule makes sure that connections get NAT'd, and matched back properly. | ||
| + | |||
| + | At this point you should be able to connect to ''YOUR_FILTERED_IP'' and the destination port with your application and get passed through the IPIP tunnel without issue. | ||
| + | |||
| + | ===== Restarting your IPIP Tunnel After Rebooting ===== | ||
| + | |||
| + | You can edit ''/etc/rc.local'' with your favourite editor of choice (or WINSCP even) and place all the commands we just ran before the ''exit 0'' at the bottom. | ||
| + | |||
| + | Your distribution of choice (like Debian) may have hooks in ''/etc/network/interfaces'' to bring your IPIP tunnels up at boot time but that's outside the scope of this guide. | ||
ipip_tunnel.txt ยท Last modified: 2017/03/23 09:22 (external edit)
Page Tools
