A GRE (Generic Routing Encapsulation) tunnel is a way to provide a private path between networks. Commonly this is used with DDoS protection services: a GRE tunnel is set up between the DDoS provider and your NodeSpace server, and you then restrict access to your NodeSpace server so that traffic only reaches it through your DDoS-protected IP.
You can set up a GRE tunnel between two Linux hosts. First, check that the ip_gre kernel module is available:
sudo modprobe ip_gre
lsmod | grep gre
If lsmod prints a line containing gre, you have ip_gre loaded.
We're going to forward traffic through this tunnel using iptables and iproute2. On CentOS/RHEL the iproute2 package is named iproute, so you can install both with:
sudo yum install iptables iproute
(On Debian-based systems the package is called iproute2.)
Now on the first server, enable IP forwarding. Note that a plain "sudo echo ... >> file" does not work, because the redirection is done by your unprivileged shell, so use tee:
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Now create an interface for the tunnel. Here 198.51.100.1 is the public IP of the first server and 203.0.113.1 is the public IP of your NodeSpace server:
sudo ip tunnel add gre1 mode gre local 198.51.100.1 remote 203.0.113.1 ttl 255
sudo ip addr add 10.0.0.1/30 dev gre1
sudo ip link set gre1 up
Then on your NodeSpace server, do the same, but swap the local and remote IPs and use the other address of the /30:
sudo ip tunnel add gre1 mode gre local 203.0.113.1 remote 198.51.100.1 ttl 255
sudo ip addr add 10.0.0.2/30 dev gre1
sudo ip link set gre1 up
Add a routing table and a policy rule on your NodeSpace server so that anything that comes in via the GRE tunnel is answered back through the tunnel rather than via the server's default gateway:
echo '100 GRE' | sudo tee -a /etc/iproute2/rt_tables
sudo ip rule add from 10.0.0.0/30 table GRE
sudo ip route add default via 10.0.0.1 table GRE
On your first server, create the following NAT rule:
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/30 ! -o gre+ -j SNAT --to-source 198.51.100.1
This masquerades traffic leaving the tunnel so that it appears to come from the IP address of the first server. You can test this from your NodeSpace server by running the following:
curl http://www.cpanel.net/showip.cgi --interface 10.0.0.2
If you see your first server's IP and not your NodeSpace server's IP, then everything is working correctly.
Now we want to do some port forwarding so we send the right traffic over the GRE tunnel. On your first server, enter:
sudo iptables -A FORWARD -d 10.0.0.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -s 10.0.0.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
And to forward specific ports, use this template for each port:
sudo iptables -t nat -A PREROUTING -d 198.51.100.1 -p PROTO -m PROTO --dport PORT -j DNAT --to-destination 10.0.0.2
Replace PROTO (tcp or udp) and PORT with the appropriate protocol and port. For example, for HTTP port 80:
sudo iptables -t nat -A PREROUTING -d 198.51.100.1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2
Then finally, we need to make these rules persist across a reboot. To do this, edit /etc/rc.local and add all the commands entered above before the line exit 0 in the file, excluding any command that starts with "echo" (those wrote to /etc/sysctl.conf and /etc/iproute2/rt_tables, which already persist). On systems that boot with systemd, /etc/rc.local must also be executable (chmod +x /etc/rc.local) or it will not be run.
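The procedure above leaves the last step of the introduction, restricting the NodeSpace server so that it only accepts traffic arriving through the tunnel, as an exercise. The script below is an added example and not part of the original article: it wraps the port-forward template as a checked function for the first server, and emits a minimal INPUT policy for the NodeSpace server that accepts GRE only from the first server's IP and service ports only on gre1. The addresses are the article's, while the public interface name eth0, the optional ADMIN_IP management address, and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article. Emits (DRY_RUN=1, default)
# or applies (DRY_RUN=0) the iptables rules for both ends of the GRE tunnel.
# Addresses follow the article; eth0 and ADMIN_IP are assumptions.

FRONT_IP="${FRONT_IP:-198.51.100.1}"   # public IP of the DDoS-filtered first server
BACK_TUNNEL_IP="${BACK_TUNNEL_IP:-10.0.0.2}"  # NodeSpace end of the tunnel
TUNNEL_IF="${TUNNEL_IF:-gre1}"
PUB_IF="${PUB_IF:-eth0}"               # assumed public interface of the NodeSpace server
ADMIN_IP="${ADMIN_IP:-}"               # optional management address allowed to SSH directly
DRY_RUN="${DRY_RUN:-1}"

# Print the rule when dry-running, otherwise apply it with sudo.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    sudo "$@"
  fi
}

# Accept only integer port numbers in the range 1-65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# First server: DNAT one public port into the tunnel (the article's template),
# refusing protocols other than tcp/udp and malformed ports before touching iptables.
dnat_rule() {
  proto="$1"
  port="$2"
  case "$proto" in
    tcp|udp) ;;
    *) echo "dnat_rule: protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
  esac
  valid_port "$port" || { echo "dnat_rule: bad port '$port'" >&2; return 1; }
  run iptables -t nat -A PREROUTING -d "$FRONT_IP" -p "$proto" -m "$proto" \
      --dport "$port" -j DNAT --to-destination "$BACK_TUNNEL_IP"
}

# NodeSpace server: allow loopback and reply traffic, accept GRE (IP protocol 47)
# only from the first server, accept the listed TCP ports only when they arrive
# through the tunnel, optionally allow SSH from a management address, and drop
# everything else that reaches the public interface. Rules are emitted in the
# order they should be loaded.
backend_lockdown() {
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -i "$PUB_IF" -p 47 -s "$FRONT_IP" -j ACCEPT
  if [ -n "$ADMIN_IP" ]; then
    run iptables -A INPUT -i "$PUB_IF" -p tcp -s "$ADMIN_IP" --dport 22 -j ACCEPT
  fi
  for port in "$@"; do
    valid_port "$port" || { echo "backend_lockdown: bad port '$port'" >&2; return 1; }
    run iptables -A INPUT -i "$TUNNEL_IF" -p tcp --dport "$port" -j ACCEPT
  done
  run iptables -A INPUT -i "$PUB_IF" -j DROP
}

# Usage: ./gre-rules.sh front   (on the first server)
#        ./gre-rules.sh back    (on the NodeSpace server)
# Review the printed rules first; rerun with DRY_RUN=0 to apply them.
case "${1:-}" in
  front) dnat_rule tcp 80 && dnat_rule tcp 443 ;;
  back)  backend_lockdown 80 443 ;;
esac
```

Apply the NodeSpace side from a console or with ADMIN_IP set to the address you administer from, since the final DROP otherwise cuts off direct SSH. Keep in mind that GRE itself carries no authentication, so the source-address filter on protocol 47 is only as strong as your provider's anti-spoofing; treat it as a complement to, not a replacement for, the upstream DDoS filtering.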