
I have to collect data from a number (>1000) of devices whose only authentication/authorization is via the source IP address connecting to them. These are network devices whose configuration is relatively static, so changing it regularly or in some automated fashion isn't a feasible solution.

I've been working with my load balancing team to try to send all of the traffic from my hosts through the load balancer, but so far our (not working/feasible) solution involves an iptables rule to do NAT on the host running the collector software to route traffic to the load balancer. The problem is that because it's doing NAT, the destination address gets rewritten, so the load balancer has no idea of what the real destination IP should be.

The command I used was this:

iptables -t nat -A OUTPUT -p tcp --dport <port> -j DNAT --to-destination <ip>:<port>

I'm not familiar enough with iptables/iproute2 to know what exactly to do in this situation. I feel like this is probably pretty easy to do with a tunnel of some sort, but I'm hoping for a solution where the load balancer configuration can be static and we can spin up collector hosts and just run some command to route the traffic accordingly.

This definitely isn't my area of expertise and I've probably left out some information so please let me know if there's more info that you need to know. Thanks for any help anyone can provide.

  • You need to better explain the setup. Show how the devices are connected. Is this load balancer the default gateway for all devices? Where did you execute this NAT command: on one device or gateway/load balancer? – Khaled Mar 12 '17 at 08:06
  • The picture is not clear from your question: who originates the communication: device or collector? What protocol is used to collect? etc. – alexlev2004 Mar 12 '17 at 08:00
  • Your explanation of the setup is very unclear, but I guess you should look at setting up a route instead of that NAT rule. Probably something like `ip route add via `. – Henrik supports the community Mar 12 '17 at 09:00
  • What kind of protocol are you using for the data collection? – Tero Kilkanen Mar 12 '17 at 12:28
  • This is using IPDR/SP as the protocol. The collector initiates the connection, the device it's connecting to is listening for connections. If it receives a connection from a device not on its whitelist of IPs, it sends an IPDR/SP error message and disconnects. – Kevin Doherty Mar 13 '17 at 02:28
  • The load balancer is not the default gateway; if it were, I think I wouldn't need anything special on the collector host. The NAT command in question was executed on the collector host. – Kevin Doherty Mar 13 '17 at 02:28

1 Answer


You're using DNAT when you want to just change the source IP? In which case you actually want to use SNAT.

– Robo
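As an added example (not the question's or the answer's own commands), a dry-run script that prints the question's DNAT rule next to the SNAT rule the answer suggests and the static route that keeps the real device address as destination. The addresses, the device subnet and port 4737 are constructed placeholders; whether the load balancer accepts and forwards traffic carrying that source address depends on its configuration, which the page does not describe.

```shell
#!/bin/sh
# Added example, not from the question or answer. Prints (or, with
# DRY_RUN=0 as root, executes) NAT and routing commands on the collector
# host. All addresses, the subnet and the port are constructed placeholders.

DRY_RUN="${DRY_RUN:-1}"

# The rule the question used: rewrites the DESTINATION, so the load
# balancer receives packets addressed to itself and loses the device IP.
dnat_rule() {  # args: lb_ip port
    echo "iptables -t nat -A OUTPUT -p tcp --dport $2 -j DNAT --to-destination $1:$2"
}

# The answer's suggestion: rewrite only the SOURCE. SNAT is valid in the
# POSTROUTING chain (not OUTPUT); the device address stays as destination.
# Restricted with -d to the device subnet so other traffic is untouched.
snat_rule() {  # args: src_ip device_subnet port
    echo "iptables -t nat -A POSTROUTING -d $2 -p tcp --dport $3 -j SNAT --to-source $1"
}

# Static route so packets for the device subnet leave via the load balancer
# with their real destination intact (the comment thread's alternative).
route_cmd() {  # args: device_subnet lb_ip
    echo "ip route add $1 via $2"
}

main() {
    lb=192.0.2.10          # constructed load balancer address
    devices=198.51.100.0/24  # constructed device subnet
    port=4737              # constructed collector port
    echo "# not wanted (rewrites destination):"
    echo "$(dnat_rule "$lb" "$port")"
    echo "# wanted (source rewrite + route via load balancer):"
    for cmd in "$(snat_rule "$lb" "$devices" "$port")" "$(route_cmd "$devices" "$lb")"; do
        echo "$cmd"
        case "$DRY_RUN" in 0) $cmd ;; esac
    done
}

main
```

Run it as-is to review the commands; `DRY_RUN=0 sh script.sh` applies them and requires root.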