-1

I have a goofy problem. I am putting in a new syslog collection server in a new facility. We have many different types of devices from which we are collecting syslogs on the same port. So I have to redirect the individual IP to a new IP address. This is a temporary solution till we have the manpower to log into each device and create the needed change within the individual device. The problem is that some of the incoming IPs that we are redirecting work. Some don't.

What I am trying to do is the following: Y.Y.Y.Y:514 forward to X.X.X.X:514

I have an iptables rule for allowing source 74.93.xxx.xxx, destination 208.67.xxx.xxx, destination port 514. Then I have a PREROUTING rule with the following information:

iptables -t nat -A PREROUTING -i eth0 -s 74.93.xxx.xxx -p udp --dport 514 -j DNAT --to-destination 209.173.xxx.xxx:514 -m comment --comment BAC:NameY

I can see from my iptables view that 169M has passed in; here is that output view:

[root@XXXXX ~]# iptables -L -v -n --line-numbers
Chain INPUT (policy ACCEPT 79M packets, 29G bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     572K  169M ACCEPT     udp  --  eth0   *       74.93.xxx.xxx        208.67.xxx.xxx      udp dpt:514 /* NameY */
2     115M   25G ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:514

Chain FORWARD (policy ACCEPT 239M packets, 63G bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 29M packets, 11G bytes)
num   pkts bytes target     prot opt in     out     source               destination

In my PREROUTING chain I do not see any packets for that DNAT; here is that output view:

[root@XXXXX ~]# iptables -t nat -L -n -v --line-numbers
Chain PREROUTING (policy ACCEPT 107K packets, 33M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       udp  --  eth0   *       74.93.xxx.xxx        0.0.0.0/0           udp dpt:514 /* NameY */ to:209.173.xxx.xxx:514
2     3468  676K DNAT       udp  --  eth0   *       205.201.xxx.xxx      0.0.0.0/0           udp dpt:514 /* NameB */ to:209.173.xxx.xxx:514
3    80425   21M DNAT       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:516 to:209.173.xxx.xxx:514

Chain POSTROUTING (policy ACCEPT 162 packets, 9467 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     188K   28M MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 107K packets, 6473K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Here is some information on the server that I am using. The server is a Redhat Ent 5 on a Dell PowerEdge 2950 with 32GB RAM:

Linux 2.6.18-348.el5 #1 SMP Wed Nov 28 21:22:00 EST 2012 x86_64 x86_64 x86_64 GNU/Linux

Here is my sysctl:

[root@XXXX ~]# cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

Is there something that I am doing wrong? Why can't I forward 74.93.xxx.xxx to the new IP? Thanks for the assistance, all comments are welcome.

golgiapparatus
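
The manual comparison in the question (a busy INPUT rule against a DNAT rule with a zero counter) can be automated; the following is an added example, not part of the original post. The function name `unmatched_dnat` is hypothetical, and the sample listings are abbreviated from the output shown above.

```shell
#!/usr/bin/env bash
# Added example: flag DNAT rules that never matched although the filter table
# is accepting traffic from the same source and destination port.

# Listings abbreviated from the output in the post (addresses already masked).
FILTER_LISTING='Chain INPUT (policy ACCEPT 79M packets, 29G bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     572K  169M ACCEPT     udp  --  eth0   *       74.93.xxx.xxx        208.67.xxx.xxx      udp dpt:514 /* NameY */
2     115M   25G ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:514'

NAT_LISTING='Chain PREROUTING (policy ACCEPT 107K packets, 33M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       udp  --  eth0   *       74.93.xxx.xxx        0.0.0.0/0           udp dpt:514 /* NameY */ to:209.173.xxx.xxx:514
2     3468  676K DNAT       udp  --  eth0   *       205.201.xxx.xxx      0.0.0.0/0           udp dpt:514 /* NameB */ to:209.173.xxx.xxx:514
3    80425   21M DNAT       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:516 to:209.173.xxx.xxx:514'

# unmatched_dnat FILTER_LISTING NAT_LISTING   (hypothetical helper)
# Input: text of `iptables -L -v -n --line-numbers` and of the same command
# with `-t nat`. Prints "source dpt:PORT input_pkts=N" for every PREROUTING
# DNAT rule with a zero packet counter whose source and port also appear in an
# INPUT ACCEPT rule that has counted packets, i.e. the traffic is being
# delivered locally instead of being redirected.
unmatched_dnat() {
  printf '%s\n%s\n' "$1" "$2" | awk '
    /^Chain / { chain = $2; next }            # remember which chain we are in
    $1 !~ /^[0-9]+$/ { next }                 # skip column headers, blank lines
    {
      dpt = ""
      for (i = 11; i <= NF; i++) if ($i ~ /^dpt:/) dpt = $i
      key = $9 " " dpt                        # $9 is the source column
    }
    chain == "INPUT"      && $4 == "ACCEPT" && $2 != "0" { hits[key] = $2 }
    chain == "PREROUTING" && $4 == "DNAT"   && $2 == "0" { idle[key] = 1 }
    END { for (k in idle) if (k in hits) print k, "input_pkts=" hits[k] }'
}

unmatched_dnat "$FILTER_LISTING" "$NAT_LISTING"
```

A flagged source means its syslog traffic is still landing on the local collector. The nat table is consulted only for the first packet of a flow that connection tracking has not already seen, so a rule's counter reflects new flows rather than every packet from that source.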

1 Answer

0

Here is the output of my ifconfig. I have changed some of the information for security reasons.

[root@myname ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:24:E8:62:AE:2F
          inet addr:208.67.xxx.xxx Bcast:208.67.xxx.yyy  Mask:255.255.255.224
          inet6 addr: fe80::124:e6ff:fe51:ae8f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:764714795 errors:0 dropped:23 overruns:0 frame:0
          TX packets:436520147 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:218689483470 (203.6 GiB)  TX bytes:125953479839 (117.3 GiB)
          Interrupt:169 Memory:f8000000-f8012800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:5290847 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5290847 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3124832137 (2.9 GiB)  TX bytes:3124832137 (2.9 GiB)