{"id":93,"date":"2004-04-06T21:33:32","date_gmt":"2004-04-06T21:33:32","guid":{"rendered":"https:\/\/143-42-55-146.ip.linodeusercontent.com\/?p=93"},"modified":"2004-04-06T21:33:32","modified_gmt":"2004-04-06T21:33:32","slug":"gre-tunel","status":"publish","type":"post","link":"https:\/\/nax.cz\/?p=93","title":{"rendered":"GRE TUNNEL"},"content":{"rendered":"<p>When connecting Ondra Tesa\u0159 there was still one unresolved problem: how to route the internet to him. The thing is that Awe has his default route pointing who knows where, and only at my place does it go to bluehillz. For the time being I quickly solved it with a proxy server on my router. Specifically it was <a href=\"http:\/\/www.squid-cache.org\/\">squid<\/a>, which is a caching proxy. Basically it listens on some port, takes all requests and, unless it already has them on disk from earlier, passes them on. The disadvantage of this solution is that the client application has to support a proxy. Web browsers probably all support it, but you will hardly play any game through a proxy.<\/p>\n<p>So yesterday I decided to get the tunnel between me and Ondra going. And it was not hard at all. Specifically I used the somewhat simpler GRE tunnel, which is unencrypted. I did everything according to <a href=\"http:\/\/www.root.cz\/clanek\/1725\">an article on root.cz<\/a> and it is fair to say that I was done within an hour. First of all you need GRE support in the kernel. You will find it in the networking section, of course. I did not tick broadcast and it works, but I am not entirely sure whether it isn't needed in some cases. Then I continued like this:<\/p>\n<p><strong>modprobe ip_gre<\/strong><br \/>\n<strong>ip tunnel add tunel0 mode gre remote 10.27.73.13 local 10.27.0.8<\/strong><br \/>\n<strong>ifconfig tunel0 up 10.27.72.101 netmask 255.255.255.252<\/strong><\/p>\n<p>At Ondra's I did the mirror image, except that afterwards I also had to fiddle with the routing a bit.<\/p>\n<p>It is also good not to forget about any NAT, which of course I forgot about at Ondra's at first. But hopefully it works for him now.<\/p>\n<p>update 1:20<br \/>\nWell, it did not work all that well after all. I mean, ping worked, even when he tried telnet to the mail server it was fine too, and it also let him send mail correctly, but as soon as he wanted to download mail or, say, turned the proxy off in Explorer, nothing got downloaded.<\/p>\n<p>It gave me quite a hard time before I figured out what was causing it. A tcpdump capture taken while he was trying to download the mail pointed me to it. This showed up there:<\/p>\n<p>23:30:49.872278 p2.volny.cz.pop3 > 10.27.72.102.1142: . 0:1460(1460) ack 1 win 58400 (DF)<br \/>\n23:30:49.875594 naxroutr > p2.volny.cz: icmp: 10.27.72.102 unreachable - need to frag (mtu 1476) [tos 0xc0]<\/p>\n<p>At first I had no idea what was going on and why the hell volny was sending an ICMP request. Of course I fairly quickly found out that the .102 host is only visible from the router, but that is quite logical, because both networks were in 10.x, so Ondra's computer does not know whether to send it through the tunnel or normally when it arrived through the tunnel from a 10.x IP.<\/p>\n<p>But in the end it was fairly simple. It was enough to properly read the conclusion about packet sizes in the article mentioned above. The ICMP message <a href=\"http:\/\/groups.google.com\/groups?hl=cs&#038;lr=&#038;ie=UTF-8&#038;oe=UTF-8&#038;threadm=b698sb%242389%241%40FreeBSD.csie.NCTU.edu.tw&#038;rnum=23&#038;prev=\/groups%3Fq%3Dicmp:%2Bunreachable%2B-%2Bneed%2Bto%2Bfrag%2Bmtu%26hl%3Dcs%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26start%3D20%26sa%3DN\">need to frag<\/a> means that the remote server is getting packets that are too large and has to send smaller ones. The spiciest part is that those ICMP packets were probably being dropped by one of my firewalls \ud83d\ude09 I will still have to look into that and allow this ICMP message. So far I only have echo allowed from the ICMP protocol.<\/p>\n<p>The firewall line straight from that article did not work for me at first, but then it occurred to me to lower the size to 1000 and suddenly it took off. The problem was that the packet size was being further increased, most likely by the NAT at Ondra Tesa\u0159's, which the article of course could not account for (who would NAT a network at the end of a tunnel anyway, right ;).<\/p>\n<p><strong>$IPTABLES -A FORWARD -p tcp -o $TUNEL_IFACE --tcp-flags SYN,RST SYN -m tcpmss --mss 1001: -j TCPMSS --set-mss 1000<\/strong><\/p>\n<p>Of course you need the corresponding kernel module.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When connecting Ondra Tesa\u0159 there was still one unresolved problem: how to route the internet to him. The thing is that Awe has his default route pointing who knows where, and only at my place does it go to bluehillz. For the time being I quickly solved it with a proxy server on my router. Specifically it was squid, which is a caching proxy. Basically it listens [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35],"tags":[],"class_list":["post-93","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/posts\/93","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nax.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=93"}],"version-history":[{"count":0,"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/posts\/93\/revisions"}],"wp:attachment":[{"href":"https:\/\/nax.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=93"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nax.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=93"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nax.cz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=93"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}