* Need to translate source IP prior to routing for SNMP issue
@ 2010-12-09 15:55 Matty Sarro
From: Matty Sarro @ 2010-12-09 15:55 UTC (permalink / raw)
To: netfilter
Hey everyone! I am running into a rather interesting issue and was hoping someone may be able to help. We are running a custom SNMP daemon on a server (it's part of a vendor application). The servers are all multihomed, with one NIC on a service/public facing subnet, and the other NIC on a management subnet. We need all SNMP traffic to use the management subnet.

We have set up 2 routing tables in IPROUTE2 to ensure all traffic goes out the interface that it comes in. It's tested, and everything is working except for SNMP. What happens with SNMP is the SNMP manager sends a request (for example, GET). The request is received by the SNMP daemon on the target server. The target server then generates a reply, but when it does, it uses the IP address of the service interface, not the management interface. We have reconfigured the application, but it's still insisting on using that IP. The reply packet is then routed out the service interface because of the source IP. I have numerous packet traces verifying that this is the behavior.

So what I need is the source IP address to be re-written from the service IP to the management IP, so it can be routed out the correct interface. This ONLY needs to be done for SNMP traffic, and it needs to be done prior to any routing. Is this possible? Any help would really be appreciated; this appears to be an application issue but we need to find a workaround until the vendor fixes it.

Thank you everyone!
* Re: Need to translate source IP prior to routing for SNMP issue
From: fuzzy_4711 @ 2010-12-09 19:20 UTC (permalink / raw)
To: Matty Sarro; +Cc: netfilter
Not sure if that is what you want, but I'll give it a shot, try and pray :-)

I guess you can't change the IP address before routing. NAT is allowed in POSTROUTING first time for a local process, I think. Maybe you can do it that way:

At the target machine, after the local process (application) has sent a packet, mark the packets before they are routed:

# fwmark values must be numeric (0x1 here); the agent's replies are UDP
# packets whose source port is the SNMP port
iptables -t mangle -A OUTPUT -o eth0 -p udp -m udp --sport YOUR_SNMP_PORT -j MARK --set-mark 0x1

You will be able to handle only these marked packets in a separate routing table (YOURTABLE).

Edit /etc/iproute2/rt_tables and add a new table with a lower number there.

After that, add a default route to the routing table you like to use:

ip route flush table YOURTABLE
# default route for this table only
ip route add table YOURTABLE default dev MANAGEMENTIF
# all those marked snmp packets use the new table.
ip rule add fwmark 0x1 table YOURTABLE
ip route flush cache

Now, all packets which are marked (0x1 above) will be routed following the instructions found in YOURTABLE and leaving via MANAGEMENTIF. If you need it, you could do natting after that (-t nat -A POSTROUTING).

If you can't get through, you have to

# Disable reverse path filtering
net.ipv4.conf.all.rp_filter = 0

This is a security feature to avoid IP spoofing.
Take a look here:
http://www.sysresccd.org/Sysresccd-Networking-EN-Destination-port-routing
> The reply
> packet is then routed out the service interface because of the source
> IP. I have numerous packet traces verifying that this is the behavior.
>
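The mark, policy-route and SNAT steps from the reply above put together as one script. This is an added example, not code from the thread; the addresses, interface names, table number and mark value are assumptions, and it only touches the kernel when invoked with "apply" (by default it prints the rule set for review).

```shell
#!/bin/sh
# Added example, not from the thread: mark -> policy-route -> SNAT workaround
# for SNMP replies that the local agent sources from the wrong (service-side)
# address. Every name and address below is an assumption.
SERVICE_IP="${SERVICE_IP:-192.0.2.10}"     # address the agent insists on (assumed)
SERVICE_IF="${SERVICE_IF:-eth0}"           # service-facing NIC (assumed)
MGMT_IP="${MGMT_IP:-198.51.100.10}"        # management address (assumed)
MGMT_IF="${MGMT_IF:-eth1}"                 # management NIC (assumed)
SNMP_PORT="${SNMP_PORT:-161}"              # SNMP agent port, UDP
MARK="${MARK:-0x1}"                        # fwmark values must be numeric
TABLE="${TABLE:-100}"                      # table id listed in /etc/iproute2/rt_tables

# With DRY_RUN=1 the commands are printed instead of executed, so the rule
# set can be reviewed on a machine without root or iptables.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

snmp_workaround() {
  # 1. mangle/OUTPUT runs before the re-routing decision: mark only the
  #    agent's replies, i.e. UDP packets leaving from port 161 with the
  #    service address as source. Local traffic cannot be NATed here.
  run iptables -t mangle -A OUTPUT -p udp --sport "$SNMP_PORT" \
      -s "$SERVICE_IP" -j MARK --set-mark "$MARK"
  # 2. Marked packets consult TABLE, whose only route points at the
  #    management NIC, so the kernel re-routes them out of that interface.
  run ip route replace table "$TABLE" default dev "$MGMT_IF"
  run ip rule add fwmark "$MARK" table "$TABLE"
  run ip route flush cache
  # 3. nat/POSTROUTING runs after routing: rewrite the source so the packet
  #    leaves MGMT_IF carrying MGMT_IP and the manager sees the expected peer.
  run iptables -t nat -A POSTROUTING -m mark --mark "$MARK" -o "$MGMT_IF" \
      -j SNAT --to-source "$MGMT_IP"
  # 4. Reverse-path filtering drops inbound packets whose source would not be
  #    routed back out the same NIC. Linux applies max(conf.all, conf.<if>),
  #    so to relax only the management NIC, conf.all must be 0 and the
  #    service NIC is pinned to 1 explicitly instead of disabling it everywhere.
  run sysctl -w net.ipv4.conf.all.rp_filter=0
  run sysctl -w "net.ipv4.conf.${MGMT_IF}.rp_filter=0"
  run sysctl -w "net.ipv4.conf.${SERVICE_IF}.rp_filter=1"
}

# Usage: sh snmp_mgmt_route.sh         -> print the rule set (dry run)
#        sh snmp_mgmt_route.sh apply   -> execute it (requires root)
if [ "${1:-}" = "apply" ]; then DRY_RUN=0; else DRY_RUN=1; fi
snmp_workaround
```

Confirm the effect with a capture on MGMT_IF: replies should now leave from MGMT_IP with source port 161. Conntrack already holds an entry for the inbound request, so if replies still go missing, inspect the entries with conntrack -L before changing anything else.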