Two LAN (office network-IDC) Security Interoperability Scheme 2:by GRE and Linux server& in-depth understanding of GRE

"First, demand description"
office network and IDC two LAN (or, any two different LAN), isolated from each other. But in the daily operation and maintenance, research and development process, need to visit IDC network in the office network. If all through the public network IP around, neither convenient, nor safe. If you pull the line, is the most stable and reliable way. But as a technology dick, want to save money for the company (which can also be seen as part of the technical value), so plan to use other options (of course, free programs, or, in this case, use the existing resources of the scheme. The server, of course, also needs to spend money, but you can use the existing server to complete this scenario) to address this requirement.

"Second, background introduction"
office network has lan192.168.1.0/24, and through the fixed public network IP Internet;
IDC has LAN10.1.1.0/24, and has multiple public IP, both through the public network IP interconnection
This is a problem: how the office network can directly access IDC intranet, at least ordinary users seem to have direct access to the computer room intranet. Do you let each user dial a VPN? Very sad urge, still not good management.
Here are two scenarios:
1, point-to-end VPN scheme (after the successful erection, you can set as an end-to-end scenario), before writing an article, specifically, the "Startup office network security and Stability access to the computer room network solution 1:byvpn"http://h2ofly.blog.51cto.com/6834926/1529888
2, GRE program. This scenario is recommended if the company has an extra fixed public IP or the router itself supports GRE. Why No explanation, haha. You can compare and then use two more options to feel it.
    
"Third, implementation of the programme"
With so much to say, the impression is deeper under the actual operation.
office network router (Linux server implementation): LAN ip:192.168.1.254, public IP180.1.1.1 configuration

cat/usr/local/admin/gre.sh# and add the script to boot

#!/bin/bashmodprobe ip_gre# loading GRE module ip tunnel add  office mode gre remote 110.2.2.2 local 180.1.1.1 ttl 255# Create a tunnel name called Office Device (customizable), using Gre mode. Specifies that the remote IP is 121.10.10.10, and the local IP is 180.1.1.1. To improve security, you can configure iptables, the public IP only receives packets from 121.10.10.10, and the others are dropped. ip link set office up# Start Device office ip link set office up  mtu 1500# Setting MTU to 1500ip addr add 192.192.192.2/24 dev office # Add ip192.192.192.2echo 1 > /proc/sys/net/ipv4/ip_forward  #让服务器支持转发ip  route for office  add 10.1.1.0/24 dev office  #添加路由, meaning: to 10.1.1.0/24 's package, the Office device is responsible for forwarding Iptables -t  nat -a postrouting -d 10.1.1.0/24 -j snat --to 192.192.192.2# Otherwise, 192.168.1.x machine Access 10.1.1.x network segment does not pass 

< STRONG>IDC Router (Linux server implementation): LAN ip:10.1.1.1, public IP 110.2.2.2 configuration
cat/usr/local/admin/gre.sh# and add the script to boot

#!/bin/bashmodprobe ip_greip tunnel add office  mode gre remote 180.1.1.1 local 110.2.2.2 ttl 255ip link  set office upip link set office up mtu 1500ip addr add  192.192.192.1/24 dev office# Add IP192.192.192.1ECHO 1 > /PROC/SYS/NET/IPV4/IP to Office _forwardip route add 192.168.1.0/24 dev officeiptables -t nat -a  postrouting -s 192.192.192.2 -d 10.1.0.0/16 -j snat --to 10.1.1.1# Otherwise 192.168.1.X machine Access 10.1.1.x network segment does not pass Iptables -a forward -s 192.192.192.2 -m state  --state new -m tcp -p tcp --dport 3306 -j drop # Prohibit direct access to 3306 on the line to prevent the intranet from being broken 

Note: To prevent accidental factor gre turnel from breaking off, you can study the monitoring scripts yourself. When you detect a different network, run the script (notice that device office exists, etc. between runs), which is not described in detail here. Please do it yourself.
"IV, Test Effect"

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/47/7A/wKiom1P7GzSBqEQ5AAHt2qVBP8Y262.jpg "style=" float: none; "title=" Ipconfig.png "alt=" Wkiom1p7gzsbqeq5aaht2qvbp8y262.jpg "/>

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/47/7B/wKioL1P7HEzivwJxAAEM__BF-Jc363.jpg "style=" float: none; "title=" Ping.png "alt=" Wkiol1p7hezivwjxaaem__bf-jc363.jpg "/>

"five, in-depth understanding of GRE"
      After operation, you need to be more familiar with the background and theory to be able to handle the problem when you encounter anomalies.
     gre (Generic Routing Protocol Encapsulation) protocol, Presented to the IETF by companies such as Cisco and Net-smiths in 1994, it encapsulates the datagram of some Network layer protocol (IP). It specifies how a network protocol can be used to encapsulate a different network protocol, and many network devices support the protocol. To put it bluntly, the GRE encapsulates a common packet (such as an IP packet) and installs a generic IP packet routing route, which is equivalent to encapsulating a layer of GRE packets outside the IP packet. In this example, there is actually a layer of public IP packets on the outside of the GRE packet.


      General GRE Turnel is established between multiple network devices (typically routers). Because Linux services have routing and forwarding capabilities, when you lack a professional routing device, you can use a Linux server to achieve GRE Turnel, which also shows the power of Linux (in fact, the vast majority of network devices using UNIX or Linux systems)  

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/47/7B/wKioL1P7HJWCxUeIAAKWtYYWdHM930.jpg "title=" Tuopu.png "alt=" wkiol1p7hjwcxueiaakwtyywdhm930.jpg "/>

My understanding of GRE is as follows:
          (0) The Turnel of GRE
1. This process is the process of establishing turnel on both sides.
          (1) LAN routing process
1, host A to send a source of 192.168.1.2, the purpose of 10.1.1.2 package
          (2) packaging process
1, depending on the internal network, may be your default route gateway to route it to 192.168.1.254
2, 192.168.1.254 the first package package, increase the GRE header, the purpose of the package is the address 192.192.192.1 and the source address 192.192.192.2.
3, 192.168.1.254 2nd time package, increase the public network of Baotou (otherwise on the public Internet can not be routed), the purpose of the package address 110.2.2.2 and source address 180.1.1.1.

4,192.168.1.254 all the packets to 10.1.1.0/24, the address is converted from 192.192.192.2 (snat)

          (3) Public network routing process
1. After n routing devices, the packet is eventually routed to 110.2.2.2
          (4) Unpacking process
1, b end of the router detects that it is to reach their own IP, began unpacking
2. After unpacking, the GRE protocol is found, and the package is further dismantled.
3, after unpacking found that the destination is not their own intranet IP, found themselves local did Snat, will be to the source IP replaced with 10.1.1.1
          (5) LAN Routing
1, in fact, from the 10.1.1.1, arrived at the destination for the 10.1.1.2 package, without routing, directly in the LAN broadcast. The 10.1.1.2 machine determines that it is sent to its own package and is received. And then processed it further.

This article is from "H2O's Operation & Development Road" blog, reprint please contact the author!

Two LAN (office network-IDC) Security Interoperability Scheme 2:by GRE and Linux server& in-depth understanding of GRE