Differences
This shows you the differences between two versions of the page.
— | ipip_tunnel [2022/10/13 09:11] (current) – created - external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | //[This how-to tutorial was created by EidolonHost. Please consider EidolonHost for your [[http:// | ||
+ | ====== Tutorial: IPIP tunneling from your EidolonHost DDoS Filtered VPS IP ====== | ||
+ | |||
+ | ==== What is a IPIP tunnel? ==== | ||
+ | |||
+ | Much like a proxy, a IPIP tunnel allows you to pass traffic from your EidolonHost VPS including DDoS filtering to another remote destination. | ||
+ | |||
+ | IPIP tunnels allow **all traffic** through, not just HTTP. With a IPIP tunnel you can serve, and deliver any type of content from any type of server (audio, FTP, SSH, SCP, video, etc.). | ||
+ | |||
+ | ==== What can your use a IPIP tunnel for? ==== | ||
+ | |||
+ | IPIP tunneling is very handy when you want to use our DDoS filtering services to protect services that are too large to host with us (I.e. game servers, Java applications, | ||
+ | |||
+ | **IPIP tunneling is also the only tunneling method that OVH supports in their included kernels.** | ||
+ | |||
+ | Don't have root access for your destination server or are running a huge Windows deployment? Check out our alternative method to [[redirect_traffic|redirect traffic]] to your remote server. | ||
+ | |||
+ | ==== IPIP Tunnel How-to Tutorial Begins Here ===== | ||
+ | |||
+ | Our how-to tutorial to setup a IPIP tunnel between EidolonHost DDoS filtered VPS IP and your remote server starts here. | ||
+ | |||
+ | Following the simple instructions below you should be able to create a IPIP tunnel in under 20 minutes. | ||
+ | |||
+ | ===== Supported Operating Systems ==== | ||
+ | |||
+ | It is possible to use Windows to create, and forward your IPIP tunnel. | ||
+ | |||
+ | In this document we'll only be covering a Linux IPIP tunnel configuration. | ||
+ | |||
+ | This guide will work 100% on both our KVM, and OpenVZ based plans. | ||
+ | |||
+ | ===== Prerequisites ===== | ||
+ | |||
+ | * iptables installed on your EidolonHost VPS (included already in most cases) | ||
+ | * iproute2 (included with pretty much every recent Linux distribution) | ||
+ | * A kernel with IPIP support (Linux includes this by default - '' | ||
+ | * A list of ports you need forwarded to your destination | ||
+ | * A EidolonHost VPS (starting as low as $15/yr for our [[http:// | ||
+ | * A [[http:// | ||
+ | |||
+ | |||
+ | ===== Tunnel Setup ===== | ||
+ | |||
+ | First we need to set our tunnel up. | ||
+ | |||
+ | On your EidolonHost VPS please execute the following commands: | ||
+ | |||
+ | < | ||
+ | echo ' | ||
+ | sysctl -p | ||
+ | iptunnel add ipip1 mode ipip local YOUR_FILTERED_IP remote DESTINATION_SERVER_IP ttl 255 | ||
+ | ip addr add 192.168.168.1/ | ||
+ | ip link set ipip1 up | ||
+ | </ | ||
+ | |||
+ | On the remote server you wish to protect run the following: | ||
+ | |||
+ | < | ||
+ | iptunnel add ipip1 mode ipip local DESTINATION_SERVER_IP remote YOUR_FILTERED_IP ttl 255 | ||
+ | ip addr add 192.168.168.2/ | ||
+ | ip link set ipip1 up | ||
+ | </ | ||
+ | |||
+ | Please note the first line of each changes to mark what IP to use locally and which remotely. The 2nd line documents each end point. In a /30, 2 IP's are usable: .1 and .2. | ||
+ | ===== Test your New IPIP Tunnel with Ping ===== | ||
+ | |||
+ | On your EidolonHost VPS, you should now be able to ping '' | ||
+ | |||
+ | For the sake of completeness, | ||
+ | |||
+ | ===== Setup Source Route Tables ===== | ||
+ | |||
+ | Source route entries are required to make sure data that came in via the IPIP tunnel is sent back out the IPIP tunnel. | ||
+ | |||
+ | Please execute the following commands on the **destination** server. | ||
+ | |||
+ | < | ||
+ | echo '100 EidolonHost' | ||
+ | ip rule add from 192.168.168.0/ | ||
+ | ip route add default via 192.168.168.1 table EidolonHost | ||
+ | </ | ||
+ | |||
+ | **Please note that the echo command only needs to be ran once. The entry will be saved into / | ||
+ | |||
+ | ===== Initial NAT Entries to Move Data over IPIP Tunnel ===== | ||
+ | |||
+ | NAT is used to pass data over our IPIP and out the other end. | ||
+ | |||
+ | While it would be possible to use a KVM based VPS with a purchased /29 allocation, this guide doesn' | ||
+ | |||
+ | On your EidolonHost VPS run the following command: | ||
+ | < | ||
+ | iptables -t nat -A POSTROUTING -s 192.168.168.0/ | ||
+ | </ | ||
+ | |||
+ | ===== Test Outbound Connections ===== | ||
+ | |||
+ | On your destination server you can run either of the following commands to see if the tunnel is passing traffic properly: | ||
+ | < | ||
+ | curl http:// | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | wget http:// | ||
+ | </ | ||
+ | |||
+ | The IP dumped should be your EidolonHost filtered IP. | ||
+ | |||
+ | ===== Forwarding Ports Over your IPIP Tunnel ===== | ||
+ | |||
+ | To make things easy, we'll forward **all** ports from our filtered IP to the backend server. You can change this rule to only forward certain ports if you like. | ||
+ | |||
+ | Please adjust, and run the following commands on your EidolonHost VPS: | ||
+ | < | ||
+ | iptables -t nat -A PREROUTING -d YOUR_FILTERED_IP -j DNAT --to-destination 192.168.168.2 | ||
+ | iptables -A FORWARD -d 192.168.168.2 -m state --state NEW, | ||
+ | </ | ||
+ | |||
+ | The first rule sets up the actual port forwarding and the second rule makes sure that connections get NAT'd, and matched back properly. | ||
+ | |||
+ | At this point you should be able to connect to '' | ||
+ | |||
+ | ===== Restarting your IPIP Tunnel After Rebooting ===== | ||
+ | |||
+ | You can edit ''/ | ||
+ | |||
+ | Your distribution of choice (like Debian) may have hooks in ''/ |
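Review bot: The DNAT rule under "Forwarding Ports Over your IPIP Tunnel" (`iptables -t nat -A PREROUTING -d YOUR_FILTERED_IP -j DNAT --to-destination 192.168.168.2`) has no protocol or port match, so every inbound connection addressed to the filtered IP, including ones meant for the VPS itself, is rewritten to the backend, and whatever listens on 192.168.168.2 is exposed through the filtered address. The prerequisites already ask for "A list of ports you need forwarded to your destination", so the tutorial should make the port-restricted form the default by adding `-p` and `--dport` matches for those ports, and present the all-ports rule as the exception rather than the starting point. A smaller style point: the headings "IPIP Tunnel How-to Tutorial Begins Here" and "Supported Operating Systems" have an unequal number of `=` on each side, and "What can your use a IPIP tunnel for?" should read "What can you use an IPIP tunnel for?".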