GRE Tunnels and UFW
Today I wrote an Ansible playbook to set up an environment for a docker demo I
will be giving shortly.
In the demo I will be using three hosts, and I want the containers to be able
to speak to each other across hosts.
To this end, I’m using Open vSwitch. The setup is
quite straightforward: set up the bridge, bring the meshed GRE tunnels up, and off you
go.
I first set this up in a lab, with firewalls disabled. But knowing that
I will give the demo on public infrastructure, I still wrote the play
to allow everything on a particular interface (an isolated cloud-network)
through UFW.
When I ran my playbook against a few cloud servers, the containers couldn’t
talk to each other on account of the GRE tunnels not working.
So I enabled logging in UFW, and soon started seeing these kinds of entries:
Upon checking which rule actually dropped the packets (iptables -L -nv), it
transpired that the culprit was:
It turns out that a change in the 3.18 kernel and onwards means that, unless
either the nf_conntrack_pptp or the nf_conntrack_proto_gre module is loaded,
connection tracking marks any GRE packet as INVALID, instead of NEW and
subsequently ESTABLISHED. UFW's default before.rules drop INVALID packets early
in the ufw-before-input chain, so the tunnel traffic never reaches the rule that
allows everything on the isolated interface.
So in order to get Open vSwitch working with UFW, there are two solutions: either
explicitly allow IP protocol 47 (GRE), or load one of the aforementioned kernel modules.
Should you go for the former solution, this is the rule you need to beat to the punch:
with a rule such as -A ufw-before-input -p 47 -i $iface -j ACCEPT, where $iface
is the isolated tunnel interface, placed above the INVALID drop rules in
/etc/ufw/before.rules so it is evaluated first.
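As an added example (not part of the original post), the following POSIX shell
function inserts that GRE ACCEPT rule into a before.rules file directly ahead of
the first "--ctstate INVALID" rule in the ufw-before-input chain, idempotently,
and a second helper reports whether one of the two conntrack modules is already
loaded. The file path and interface name are caller-supplied assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Inserts a GRE (IP protocol 47)
# ACCEPT rule into a ufw before.rules file ahead of the "--ctstate INVALID"
# rules of the ufw-before-input chain, so tunnel packets are accepted before
# conntrack's INVALID verdict drops them.

# Usage: allow_gre_before_invalid <path to before.rules> <interface>
# Returns 0 when the rule was inserted, 2 when it is already present,
# and 1 when no INVALID rule was found (the file is left untouched).
allow_gre_before_invalid() {
    rules="$1"
    iface="$2"
    rule="-A ufw-before-input -p 47 -i $iface -j ACCEPT"

    # Idempotence: do not add a second copy of the same rule.
    if grep -qxF -- "$rule" "$rules"; then
        return 2
    fi
    # Nothing to beat to the punch: refuse rather than append blindly.
    if ! grep -q '^-A ufw-before-input .*--ctstate INVALID' "$rules"; then
        return 1
    fi
    tmp="$rules.tmp.$$"
    awk -v rule="$rule" '
        # Emit a comment and the ACCEPT rule just before the first INVALID rule.
        !done && /^-A ufw-before-input .*--ctstate INVALID/ {
            print "# accept GRE (protocol 47) on the tunnel interface before INVALID drop"
            print rule
            done = 1
        }
        { print }
    ' "$rules" > "$tmp" && mv "$tmp" "$rules"
}

# The alternative fix from the post: check whether the kernel already tracks
# GRE. Prints the matching module line(s); returns 0 if one is loaded.
gre_conntrack_loaded() {
    grep -E '^nf_conntrack_(proto_gre|pptp) ' /proc/modules
}
```

After editing before.rules, "ufw reload" is still needed for the change to take effect.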