====== Using a Shim Tunnel to send Netflow to a remote Trisul probe ======

A Shim tunnel encapsulates the netflow payload inside a new UDP session by inserting a shim header ahead of the netflow header. The shim header preserves the original router/switch IP address, so the probe still sees the real exporter.

This is an alternative method when you cannot deploy the other two methods, [[hardware:gatewaynetflow|NAT]] or [[hardware:gretunnel|GRE Tunnel]].

===== The setup =====

Substitute these for your environment:

  * Trisul Probe real IP : 192.168.2.99
  * Gateway Node real IP : 192.169.2.81 (both should be able to ping each other)
  * Port used : UDP 5111
  * Source IP to use on the gateway end of shim tunnel : 10.251.52.4

**Pre-check**

  * Ensure IP forwarding is disabled: ''echo 0 > /proc/sys/net/ipv4/ip_forward''
  * Ensure the local iptables firewall rules allow the UDP port: ''iptables -A INPUT -p udp -m udp --dport 5111 -j ACCEPT''

===== Download the Shim software =====

The custom shim tunnel is provided by the netflow-shim-tunnel software running on the gateway node. Visit https://github.com/trisulnsm/netflow-shim-tunnel/tree/master/binaries and download the binary for your platform.

<code bash>
wget https://github.com/trisulnsm/netflow-shim-tunnel/raw/master/binaries/nfshim.el7
</code>

===== Run the nfshim server on the gateway node =====

The goal here is to forward all netflow packets received on UDP 5111 to the remote probe 192.168.2.99 on the same port 5111.

==== Example 1 : simple ====

<code bash>
chmod +x nfshim.el7
./nfshim.el7 -D 0.0.0.0:5111 192.168.2.99:5111
</code>

==== Example 2 : bind to a specific local address for tunnel endpoint ====

<code bash>
chmod +x nfshim.el7
./nfshim.el7 -D 0.0.0.0:5111 192.168.2.99:5111 10.251.52.4
</code>

Ensure you disable the firewall or allow port 5111 through: ''systemctl stop firewalld'' or ''firewall-cmd --zone=public --add-port=5111/udp''

===== Start Trisul Probe =====

Set the **EnableShimTunnel** option in the netflow config file.
<code bash>
vi /usr/local/etc/trisul-probe/domain0/probe0/config0/PI-7CA*
</code>

Set or add the following line in the Policy section:

<code xml>
<EnableShimTunnel>true</EnableShimTunnel>
</code>

Restart Trisul. You should now be able to see the Netflow analysis on the Trisul node with the actual router/switch IP addresses.

===== Extra reference : Use Source NAT =====

In the very unlikely scenario that the above steps don't work and the desired source IP is not seen on the outgoing packets, use SNAT (Source NAT). This example NATs the source IP of UDP packets to port 5111 (custom netflow) to be the shim end point.

<code bash>
iptables -t nat -A POSTROUTING -p udp --dport 5111 \
    -o enp7s0 -j SNAT --to 10.251.52.4:5111
</code>

==== To view rules ====

<code bash>
iptables -t nat -L -v --line-numbers
</code>

==== To delete a rule with id 3 ====

<code bash>
iptables -t nat -D POSTROUTING 3
</code>
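===== Added example : how a shim header preserves the exporter address =====

The following Python script is an added illustration of the mechanism described at the top of this page, not nfshim's own code and not part of the original page. It plays the gateway side (receive an exporter datagram, prepend a shim header carrying the exporter's real source IP and port, forward it to the probe over a second UDP session) and the probe side (validate and strip the header, recover the exporter address). The ''SHIM'' marker, the 10-byte header layout, and every function name are assumptions made for this example; the actual nfshim wire format is not documented on this page. The NetFlow v5 header used as payload is constructed sample input.

```python
"""Added example: a minimal UDP shim relay in the spirit of the tunnel above.

The header layout below is an assumption made for this example and is NOT the
wire format used by nfshim.
"""
import socket
import struct
import threading

SHIM_MAGIC = b"SHIM"                 # hypothetical marker (assumption for this example)
SHIM_HDR = struct.Struct("!4s4sH")   # marker, IPv4 source address, UDP source port


def encapsulate(payload, src_ip, src_port):
    """Gateway side: prepend the shim header so the exporter address survives the hop."""
    return SHIM_HDR.pack(SHIM_MAGIC, socket.inet_aton(src_ip), src_port) + payload


def decapsulate(datagram):
    """Probe side: validate the shim header and return (exporter_ip, exporter_port, netflow)."""
    if len(datagram) < SHIM_HDR.size:
        raise ValueError("datagram shorter than shim header")
    magic, raw_ip, src_port = SHIM_HDR.unpack_from(datagram)
    if magic != SHIM_MAGIC:
        raise ValueError("missing shim marker; refusing to treat as tunnelled netflow")
    return socket.inet_ntoa(raw_ip), src_port, datagram[SHIM_HDR.size:]


def netflow_v5_header(count, sys_uptime=0, unix_secs=0):
    """Constructed sample payload: a 24-byte NetFlow v5 header with no flow records."""
    # version, count, SysUptime, unix_secs, unix_nsecs, flow_sequence,
    # engine_type, engine_id, sampling_interval
    return struct.pack("!HHIIIIBBH", 5, count, sys_uptime, unix_secs, 0, 0, 0, 0, 0)


def netflow_version(payload):
    """Return the NetFlow version field of a decapsulated payload (0 if too short)."""
    if len(payload) < 2:
        return 0
    return struct.unpack_from("!H", payload)[0]


def relay_one(listen_sock, out_sock, probe_addr):
    """Gateway side: forward a single exporter datagram to the probe, shim-wrapped."""
    payload, (src_ip, src_port) = listen_sock.recvfrom(65535)
    out_sock.sendto(encapsulate(payload, src_ip, src_port), probe_addr)
    return src_ip, src_port


def loopback_demo():
    """Exporter -> gateway -> probe on 127.0.0.1 with ephemeral ports; returns what the probe sees."""
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind(("127.0.0.1", 0))               # stands in for 0.0.0.0:5111 on the gateway
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    out.bind(("127.0.0.1", 0))                   # stands in for the 10.251.52.4 tunnel endpoint
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.bind(("127.0.0.1", 0))                 # stands in for 192.168.2.99:5111
    probe.settimeout(5)
    exporter = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    exporter.bind(("127.0.0.1", 0))              # the "router" whose address must be preserved

    gateway = threading.Thread(target=relay_one, args=(listen, out, probe.getsockname()))
    gateway.start()
    exporter.sendto(netflow_v5_header(count=0), listen.getsockname())
    gateway.join()

    datagram, tunnel_src = probe.recvfrom(65535)
    exporter_ip, exporter_port, netflow = decapsulate(datagram)
    result = {
        "tunnel_src": tunnel_src,                  # what the probe would see without the shim
        "exporter": (exporter_ip, exporter_port),  # what the shim header restores
        "exporter_matches": (exporter_ip, exporter_port) == exporter.getsockname(),
        "netflow_version": netflow_version(netflow),
    }
    for s in (listen, out, probe, exporter):
        s.close()
    return result


if __name__ == "__main__":
    print(loopback_demo())
```

Running the script sends one constructed NetFlow v5 header from a loopback "exporter" through the relay thread to a loopback "probe"; the returned dictionary shows the tunnel source (the gateway's outbound socket) next to the exporter address recovered from the shim header, which is the distinction that makes the probe attribute flows to the real router instead of the gateway. ''decapsulate'' rejects short or unmarked datagrams so stray UDP traffic arriving on the tunnel port is not mistaken for netflow.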