hardware:shimtunnel
Differences
hardware:shimtunnel [2019/01/10 15:05] – [Run the nfshim server on the gateway node] veera | hardware:shimtunnel [2019/01/11 16:46] – [Optional : Use Source NAT] veera | ||
Line 2: | Line 2: | ||
- | A Shim tunnel encapsulates netflow payload inside a new UDP session by inserting a shim header ahead of the netflow header. This is an alternative method when you cannot deploy | + | A Shim tunnel encapsulates netflow payload inside a new UDP session by inserting a shim header ahead of the netflow header |
- | |||
- | The goal is for the Routers to send Netflow to the Gateway node, when will then forward it to the remote Trisul probe. | ||
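Review bot: dropping the sentence "The goal is for the Routers to send Netflow to the Gateway node, when will then forward it to the remote Trisul probe." removes the only statement of the data path (routers to gateway node to remote Trisul probe) that the rest of the page relies on; keep it in the new revision, corrected to "which will then forward it". The deleted clause "This is an alternative method when you cannot deploy" was likewise the justification for using a shim tunnel at all, so either restore it or state plainly which deployment it is an alternative to.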
Line 15: | Line 13: | ||
* Gateway Node real IP : 192.169.2.81 (both should be able to ping each other) | * Gateway Node real IP : 192.169.2.81 (both should be able to ping each other) | ||
* Port used : UDP 5111 | * Port used : UDP 5111 | ||
+ | * Source IP to use on the gateway end of shim tunnel : 10.251.52.4 | ||
+ | |||
+ | <note warning> | ||
+ | **Pre-check** | ||
+ | * ensure IP Forwarding is disabled '' | ||
+ | * local iptables firewall rules allow the UDP port '' | ||
+ | </ | ||
===== Download the Shim software ===== | ===== Download the Shim software ===== | ||
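Review bot: both pre-check items in the new warning box are cut off right after the opening '' quotes, so the reader cannot see which command to run; spell them out (IP forwarding on Linux is governed by the net.ipv4.ip_forward sysctl, and the firewall check should cover inbound UDP 5111 from the router side, as listed in the prerequisites above). It would also help to say in one sentence why forwarding must be disabled on a node the page calls a gateway, since a reader may expect the opposite and enable it.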
Line 22: | Line 27: | ||
Visit https:// | Visit https:// | ||
- | |||
- | Example | ||
< | < | ||
Line 34: | Line 37: | ||
- | Example | + | ==== Example |
< | < | ||
chmod +x nfshim.el7 | chmod +x nfshim.el7 | ||
./ | ./ | ||
+ | </ | ||
+ | |||
+ | |||
+ | ==== Example 2 : bind to a specific local address for tunnel endpoint ==== | ||
+ | |||
+ | < | ||
+ | chmod +x nfshim.el7 | ||
+ | ./ | ||
</ | </ | ||
Line 58: | Line 70: | ||
</ | </ | ||
- | Restart | + | Restart |
- | Now you should be able to see the traffic. | + | |
+ | ===== Optional : Use Source NAT ===== | ||
+ | |||
+ | In the very unlikely scenario the above steps dont work and the desired source IP is not seen on the outgoing packets, use SNAT (Source NAT) | ||
+ | |||
+ | This example NATs the source IP for udp packets | ||
+ | |||
+ | < | ||
+ | iptables -t nat -A | ||
+ | -o enp7s0 | ||
+ | </ | ||
+ | |||
+ | ==== To view rules ==== | ||
+ | |||
+ | < | ||
+ | iptables -t nat -L -v --line-numbers | ||
+ | </ | ||
+ | |||
+ | ==== To delete a rule with id 3 ==== | ||
+ | |||
+ | < | ||
+ | iptables -t nat -D POSTROUTING | ||
+ | </ | ||
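Review bot: the SNAT rule at the start of this section is truncated after "-o enp7s0", so the published version should show the complete rule: the chain (POSTROUTING, as in the delete example below), a match on the shim tunnel's UDP port 5111 and the remote probe address, and the "-j SNAT --to-source 10.251.52.4" target. Without a port or destination match the rule rewrites the source of every outbound UDP packet leaving enp7s0, not just the tunnel, so the match should be explicit; enp7s0 is also host-specific and should be marked as a value to replace. For "delete a rule with id 3", note that the numbers shown by "-L -v --line-numbers" shift after each deletion, so re-list before removing a second rule. Typo in the lead sentence: "dont" should be "don't".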
hardware/shimtunnel.txt · Last modified: 2019/01/11 18:16 by veera