Trisul Network Analytics
Developer Zone

User Tools

Site Tools

You are here: Home » hardware » How to redirect Netflow to Trisul across network segments using NAT
Trace: Suricata-EVE-Unixsocket QUIC protocol analysis using the Trisul Scripting API How to redirect Netflow to Trisul across network segments using NAT
hardware:gatewaynetflow

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
hardware:gatewaynetflow [2019/01/03 17:36] – [How to redirect Netflow to Trisul across network segments using NAT] veerahardware:gatewaynetflow [2019/01/07 11:45] (current) – [How to redirect Netflow to Trisul across network segments using NAT] veera
Line 1: Line 1:
 ====== How to redirect Netflow to Trisul across network segments using NAT ====== ====== How to redirect Netflow to Trisul across network segments using NAT ======
  
-In some customers, Trisul is on a separate segment from the production routers. These sites often have a gateway device that be be used to access.  The routers can each the gateway to export NETFLOW but cannot reach the Trisul server. The picture below shows how the setup is.+In some customers, Trisul is often deployed on a separate segment from the production routers or routers in the DMZ. These sites often have a gateway device that be be used to access.  The routers can reach the gateway to export NETFLOW but cannot reach the Trisul server directly. The picture below shows how the setup is.
  
 {{:hardware:netflow-nat.png?600|}} {{:hardware:netflow-nat.png?600|}}
  
-This HOWTO explains how to use  Linux IPTABLES NAT to move between the two.+This HOWTO explains how to use  Linux IPTABLES NAT to solve the issue.
  
 +<note>You may want to setup a GRE Tunnel instead to preserve the router IPs while also using the source IP of the gateway node, read "[[hardware:gretunnel|Setup GRE Tunnel]]"</note>
 ===== IPTABLES Port based NAT ===== ===== IPTABLES Port based NAT =====
  
-On the gateway device you just need to run the following commands, say you want to move port 2055 to a particular IP.+**On the gateway device** you just need to run the following commands, say you want to move port 2055 to a particular IP.
  
-Shutdown ufw or disable firewalld+==== Shutdown ufw or disable firewalld ==== 
 + 
 +since we are working directly with iptables. 
  
 <code  bash> <code  bash>
Line 21: Line 24:
  
 # Make sure ip forwarding is enabled in kernel # Make sure ip forwarding is enabled in kernel
-echo 1 > /proc/sys/net/ipv4/ip_forwarding+echo 1 > /proc/sys/net/ipv4/ip_forward
 </code> </code>
  
  
-Then setup the Port NAT+==== Then setup the Port NAT ==== 
 + 
 +The following commands move port 2055 to the Trisul IP (see the diagram above) .
  
 <code> <code>
 $ iptables -t nat -A PREROUTING -p udp --dport 2055 -j DNAT --to-destination 10.10.10.17:2055 $ iptables -t nat -A PREROUTING -p udp --dport 2055 -j DNAT --to-destination 10.10.10.17:2055
-$ iptables -t nat -A POSTROUTING -j MASQUERADE 
 </code> </code>
  
Line 35: Line 39:
 You should now be seeing Netflow  flowing to the Trisul box. You should now be seeing Netflow  flowing to the Trisul box.
  
 +
 +<note important>NOTE: Do not use the MASQUERADE POSTROUTING rule, because we want to preserve the Source IP address of the original router in the netflow packets. Otherwise Trisul can  assume that the Gateway device is the router.
 +</note>
 +==== Useful commands ====
 +
 +To view NAT rules with counters
 +''
 +iptables -t nat -vL
 +
 +''
 +==== Reference ====
  
  
 +Forwarding and NAT  with IPTABLES : Redhat https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s1-firewall-ipt-fwd.html  
hardware/gatewaynetflow.1546517193.txt.gz · Last modified: 2019/01/03 17:36 by veera