|
5 | 5 | order: 12 |
6 | 6 | --- |
7 | 7 |
|
8 | | -import { Badge } from "~/components"; |
| 8 | +import { Badge, Tabs, TabItem } from "~/components"; |
9 | 9 |
|
10 | 10 | You can forward [HTTP](/cloudflare-one/policies/gateway/initial-setup/http/) and [network](/cloudflare-one/policies/gateway/initial-setup/network/) traffic to Gateway for logging and filtering. Gateway can proxy both outbound traffic and traffic directed to resources connected via a Cloudflare Tunnel, GRE tunnel, or IPsec tunnel. When a user connects to the Gateway proxy, Gateway will accept the connection and establish a new, separate connection to the origin server. |
11 | 11 |
|
@@ -66,6 +66,70 @@ The ICMP proxy forwards traffic for diagnostic tools such as `ping` and `tracero |
66 | 66 | Gateway cannot log or filter ICMP traffic. |
67 | 67 | ::: |
68 | 68 |
|
| 69 | +#### Allow ICMP traffic through `cloudflared` |
| 70 | + |
| 71 | +To use the ICMP proxy with Cloudflare Tunnel, you may need to configure the `cloudflared` host to allow ICMP traffic through `cloudflared`. |
| 72 | + |
| 73 | +<Tabs> <TabItem label="Linux" icon="linux"> |
| 74 | + |
| 75 | +1. Ensure that `ping_group_range` includes the Group ID (GID) of the user running `cloudflared`: |
| 76 | + |
| 77 | + a. Find the user that owns the `cloudflared` process: |
| 78 | + |
| 79 | + ```sh |
| 80 | + ps -aux | grep cloudflared |
| 81 | + ``` |
| 82 | + |
| 83 | + ```sh output |
| 84 | + johndoe 407 0.8 1.7 1259904 35296 ? Ssl 21:02 0:00 /usr/bin/cloudflared --no-autoupdate tunnel run --token eyJhI... |
| 85 | + ``` |
| 86 | + |
| 87 | + b. Get the Group ID of the `cloudflared` user: |
| 88 | + |
| 89 | + ```sh |
| 90 | + id -g johndoe |
| 91 | + ``` |
| 92 | + |
| 93 | + ```sh output |
| 94 | + 10001 |
| 95 | + ``` |
| 96 | + |
| 97 | + c. Determine the Group IDs that are allowed to use ICMP: |
| 98 | + |
| 99 | + ```sh |
| 100 | + sudo sysctl net.ipv4.ping_group_range |
| 101 | + ``` |
| 102 | + |
| 103 | + ```sh output |
| 104 | + net.ipv4.ping_group_range= 0 10000 |
| 105 | + ``` |
| 106 | + |
| 107 | + d. Either add the user to a group within that range, or update the range to encompass a group the user is already in. To update `ping_group_range`: |
| 108 | + |
| 109 | + ```sh |
| 110 | + echo 0 10001 | sudo tee /proc/sys/net/ipv4/ping_group_range |
| 111 | + ``` |
| 112 | + |
| 113 | + e. To make the change persist on reboot, update your `systcl` parameters: |
| 114 | + |
| 115 | + ```sh |
| 116 | + echo "net.ipv4.ping_group_range = 0 10001" | sudo tee -a /etc/sysctl.d/99-cloudflared.conf |
| 117 | + ``` |
| 118 | + |
| 119 | +2. If you are running multiple network interfaces (for example, `eth0` and `eth1`), configure `cloudflared` to use the external Internet-facing interface: |
| 120 | + |
| 121 | + ```sh |
| 122 | + cloudflared tunnel run --icmpv4-src <IP of primary interface> |
| 123 | + ``` |
| 124 | + |
| 125 | +</TabItem> <TabItem label="Docker" icon="seti:docker"> |
| 126 | + |
| 127 | +In your environment, modify the `ping_group_range` parameter to include the Group ID (GID) of the user running `cloudflared`. |
| 128 | + |
| 129 | +By default the [`cloudflared` Docker container](https://github.com/cloudflare/cloudflared/blob/master/Dockerfile#L29C6-L29C13) executes as a user called `nonroot` inside of the container. `nonroot` is a specific user that exists in the [base image](https://github.com/GoogleContainerTools/distroless/blob/859eeea1f9b3b7d59bdcd7e24a977f721e4a406c/base/base.bzl#L8) we use, and its Group ID is hardcoded to 65532. |
| 130 | + |
| 131 | +</TabItem> </Tabs> |
| 132 | + |
69 | 133 | ## Turn on the Gateway proxy |
70 | 134 |
|
71 | 135 | 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**. |
|
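Review bot: step 1d (`echo 0 10001 | sudo tee /proc/sys/net/ipv4/ping_group_range`) widens the range to cover every group with a GID from 0 to 10001, not just the group of the `cloudflared` user, and the step does not say so. Because the kernel accepts a single contiguous range, suggest presenting the first option in step 1d (put the `cloudflared` user in a dedicated group and set the range to exactly that GID, for example `echo 10001 10001 | sudo tee /proc/sys/net/ipv4/ping_group_range`) as the least-privilege default, and only widening the range when that is not possible. Smaller points in the same tab: `systcl` in step 1e should read `sysctl`; `tee -a` in step 1e appends another line every time the step is re-run, so plain `tee` is safer for a file this snippet creates and owns, and a follow-up `sudo sysctl --system` would let the reader confirm the file is picked up without rebooting; and the `ps` output in step 1a shows the tunnel token in the process command line, which any local user can read, so a one-line pointer to an alternative to passing the token on the command line would be useful right there. In the Docker tab, the text says to modify `ping_group_range` to include GID 65532 but gives no command; since `net.ipv4.ping_group_range` is a network-namespaced sysctl, `docker run --sysctl net.ipv4.ping_group_range="65532 65532" ...` would give the reader the container equivalent of step 1d without changing the host setting.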