route traffic through IPIP tunnels

Host A --internet-- Host B --internet ipip tunnel-- Host C

Host A: 1.1.1.1 Host B: 2.2.2.2 Host C: 3.3.3.3

Ubuntu 18.04.

Host B ipip tunnel config

ip tunnel add tunnel0 mode ipip remote 3.3.3.3 local 2.2.2.2
ip addr add 10.0.0.0/32 dev tunnel0
ip link set tunnel0 up
ip route add 10.0.0.1/32 dev tunnel0

Host C ipip tunnel config

ip tunnel add tunnel0 mode ipip remote 2.2.2.2 local 3.3.3.3
ip addr add 10.0.0.0/32 dev tunnel0
ip link set tunnel0 up
ip route add 10.0.1.1/32 dev tunnel0

Also

sysctl net.ipv4.ip_forward=1

Tunnel is up, both hosts can ping the remote end's local IP (10.x).

I'm trying to forward traffic from Host A to Host B on port 6300 to Host C.

We can't put a route from Host C to 1.1.1.1 via Host B because Host A's ip can change to anything.

We can't put a default route from Host C to Host B because not all traffic comes from Host B.

Basically I want Host C to just reply to any incoming traffic via the interface through which traffic came.

Traffic from 1.1.1.1 came through tunnel0? Send the reply to tunnel0. Traffic from 1.1.1.1 came through xxx0? Send the reply to xxx0. Traffic from x.y.z.w came through interface xxx0? Send the reply to xxx0.

NAT is forbidden. Filtering is done on Host C, thus host C must be aware of Host A's IP.

On Host B I tried

iptables -A FORWARD -i eth0 -o tunnel0 -j ACCEPT
iptables -A FORWARD -i tunnel0 -o eth0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 6300 --jump DNAT --to-destination 10.0.0.1

but that did nothing. Traffic from 1.1.1.1 doesn't go through tunnel0.

I don't even know what I should be investigating. Forwarding? Routing? iptables? Marking? Any pointers on what I should work on would be greatly appreciated!

EDIT Added those commands on Host B

sysctl net.ipv4.conf.eth0.forwarding=1
sysctl net.ipv4.conf.tunnel0.forwarding=1

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6300 -j DNAT --to-destination 10.0.0.1:6300
iptables -A FORWARD -p tcp -d 10.0.0.1 --dport 6300 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

and now traffic from Host A goes into the tunnel to Host C! Great progress!

But there's no return traffic.

I tried adding this into Host C in order to source route packets

ip rule add table 11 from 10.0.0.1/32 dev tunnel0
ip route add table 11 to default via 10.0.0.1 dev tunnel0

but no luck. Any obvious mistake in the commands I've entered? -Thanks

Cracked it.

Host B

sysctl net.ipv4.ip_forward=1
sysctl net.ipv4.conf.all.rp_filter=0
sysctl net.ipv4.conf.tunnel0.forwarding=1

ip tunnel add tunnel0 mode ipip remote 3.3.3.3 local 2.2.2.2
ip addr add 10.0.1.1/32 dev tunnel0
ip link set tunnel0 up
ip route add 10.0.0.1/32 dev tunnel0

iptables -A FORWARD -i eth0 -o tunnel0 -j ACCEPT
iptables -A FORWARD -i tunnel0 -o eth0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6300 -j DNAT --to-destination 10.0.0.1:6300
iptables -A FORWARD -p tcp -d 10.0.0.1 --dport 6300 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Host C

sysctl net.ipv4.ip_forward=1
sysctl net.ipv4.conf.all.rp_filter=0
sysctl net.ipv4.conf.tunnel0.forwarding=1

ip tunnel add tunnel0 mode ipip local 3.3.3.3 remote 2.2.2.2
ip addr add 10.0.0.1/32 dev tunnel0
ip link set tunnel0 up
ip route add 10.0.1.1/32 dev tunnel0

ip rule add from 10.0.0.1 lookup 11
ip route add table 11 to default via 10.0.0.1 dev tunnel0

Now all traffic sent from A to B on port 6300 is forwarded transparently to C. C sees traffic is coming from A and sends traffic back to B.