
Use case: On-premise log server traffic needs to be replicated to a cloud-based log server.

What works: Device A can send logs to log server B over UDP 514. Server B and the cloud-based log server C are reachable from each other but are on different networks. A GRE tunnel is created between B and C to bring them into the same network. So, traffic mirroring from B to C works as below.

B # iptables -t mangle -I PREROUTING -i eth0 -p UDP --dport 514 -j TEE --gateway C.greIP

Challenge: The traffic received by C was actually destined for B, hence it is getting dropped on C. There is a listener on UDP port 514 on server C bound to 0.0.0.0; however, the log server on C does not see the logs.

It seems the UDP packets are getting dropped at C. What could be a possible solution to handle traffic for a non-local IP?

I have tried DNAT on C:

C # iptables -t nat -I PREROUTING -p UDP -d B --dport 514 -j DNAT --to-destination C:514

but it won't work. tcpdump on C shows packets are being received for the non-local IP, and C # iptables -nvL -t nat shows that the DNAT rule is getting matched.

Rushikesh J

1 Answer


Well, the same method that duplicated the packets from B to C also worked on C.

Basically, B duplicates the packets:

B # iptables -t mangle -I PREROUTING -i eth0 -p UDP --dport 514 -j TEE --gateway C.greIP

and then, once the packets have arrived at C, C can duplicate the packets again:

C # iptables -t mangle -I PREROUTING -i enlight -p udp -d B --dport 514 -j TEE --gateway C

This allowed the local process on the C machine to handle the duplicated UDP syslog packets.

Rushikesh J
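As an added example (not code from the thread or its author), the rule set for both hosts and a small check that the TEE rule on C is actually matching packets, written as a POSIX shell script. The addresses (203.0.113.10 standing in for B, 10.200.0.2 for C's GRE address) and the interface names are constructed placeholders. The check parses saved output of "iptables -t mangle -nvL PREROUTING" instead of calling iptables, so it runs without root and can be pointed at two snapshots taken a few seconds apart.

```shell
#!/bin/sh
# Added example, not from the thread: emit the TEE mirroring rules for B and C
# and decide from two saved "iptables -t mangle -nvL PREROUTING" snapshots
# whether the TEE rule on C is seeing traffic. All addresses and interface
# names below are constructed placeholders.

# Rule for B: clone every syslog datagram arriving on the LAN interface towards
# C's GRE tunnel address. The original still reaches B's own listener.
rule_b() {
    # $1 = B's ingress interface, $2 = C's GRE tunnel address
    printf 'iptables -t mangle -I PREROUTING -i %s -p udp --dport 514 -j TEE --gateway %s\n' "$1" "$2"
}

# Rule for C: the clones still carry B's address as destination, so match on
# -d B and clone once more towards C itself; that second copy is what the
# local listener on C gets to see (the step the answer found to work).
rule_c() {
    # $1 = C's tunnel interface, $2 = B's address, $3 = C's own address (gateway)
    printf 'iptables -t mangle -I PREROUTING -i %s -p udp -d %s --dport 514 -j TEE --gateway %s\n' "$1" "$2" "$3"
}

# Packet counter of the first udp TEE rule in an "iptables -nvL" chain dump.
# Columns: pkts bytes target prot opt in out source destination ...
tee_packets() {
    printf '%s\n' "$1" | awk '$3 == "TEE" && $4 == "udp" { print $1; exit }'
}

# Succeeds (exit 0) when the TEE counter grew between snapshot 1 and snapshot 2,
# i.e. mirrored syslog is arriving on C and the rule is matching it.
tee_is_active() {
    before=$(tee_packets "$1"); after=$(tee_packets "$2")
    [ -n "$before" ] && [ -n "$after" ] && [ "$after" -gt "$before" ]
}

# Constructed snapshots of C's mangle PREROUTING chain, a few seconds apart.
SNAP_BEFORE='Chain PREROUTING (policy ACCEPT 8821 packets, 2310K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1204 95112 TEE        udp  --  enlight *       0.0.0.0/0            203.0.113.10         udp dpt:514 TEE gw:10.200.0.2'
SNAP_AFTER='Chain PREROUTING (policy ACCEPT 8903 packets, 2331K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1290 101904 TEE       udp  --  enlight *       0.0.0.0/0            203.0.113.10         udp dpt:514 TEE gw:10.200.0.2'

# Run with "demo" as the first argument to print the rules and the verdict.
if [ "${1:-}" = "demo" ]; then
    rule_b eth0 10.200.0.2
    rule_c enlight 203.0.113.10 10.200.0.2
    if tee_is_active "$SNAP_BEFORE" "$SNAP_AFTER"; then
        echo "TEE rule on C is matching packets"
    else
        echo "TEE rule on C is idle: check the GRE tunnel and B's rule first"
    fi
fi
```

If the TEE counter on C moves but the listener still sees nothing, the mirroring itself is fine and the problem is what happens to a datagram whose destination address is not local to C, which is exactly the situation the second TEE rule resolves. One caveat when reading the question's DNAT attempt: the TEE target hands its clone onward without a conntrack entry, and the nat table only translates tracked connections, which would fit a DNAT rule whose counter increments while nothing is rewritten; that is my reading of the TEE target, not something the thread states.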