hardware:shimtunnel
hardware:shimtunnel [2019/01/10 14:11] – [Download the Shim software] veera | hardware:shimtunnel [2019/01/11 18:16] (current) – veera | ||
Line 2: | Line 2: | ||
- | A Shim tunnel encapsulates netflow payload inside a new UDP session by inserting a shim header ahead of the netflow header. This is an alternative method when you cannot deploy | + | A Shim tunnel encapsulates netflow payload inside a new UDP session by inserting a shim header ahead of the netflow header |
- | |||
- | The goal is for the Routers to send Netflow to the Gateway node, when will then forward it to the remote Trisul probe. | ||
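Review bot: removing the second paragraph ("The goal is for the Routers to send Netflow to the Gateway node, when will then forward it to the remote Trisul probe.") takes out the only sentence that states the data path, router to gateway node to remote Trisul probe, which every later example assumes; keep it, with "when will then" corrected to "which will then". The new revision also drops the "alternative method when you cannot deploy ..." clause from the first paragraph, so the reader no longer learns when a shim tunnel is the right choice; one sentence of that motivation is worth keeping.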
Line 15: | Line 13: | ||
* Gateway Node real IP : 192.169.2.81 (both should be able to ping each other) | * Gateway Node real IP : 192.169.2.81 (both should be able to ping each other) | ||
* Port used : UDP 5111 | * Port used : UDP 5111 | ||
+ | * Source IP to use on the gateway end of shim tunnel : 10.251.52.4 | ||
+ | |||
+ | <note warning> | ||
+ | **Pre-check** | ||
+ | * ensure IP Forwarding is disabled '' | ||
+ | * local iptables firewall rules allow the UDP port '' | ||
+ | </ | ||
===== Download the Shim software ===== | ===== Download the Shim software ===== | ||
- | The custom shim tunnel | + | The custom shim tunnel |
Visit https:// | Visit https:// | ||
- | |||
- | Example | ||
< | < | ||
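Review bot: both pre-check bullets in the new warning note end in an empty inline-code span (''), so the reader is told to "ensure IP Forwarding is disabled" and that "iptables firewall rules allow the UDP port" without being given a command for either; spell them out, for example `sysctl net.ipv4.ip_forward` (expect 0 for the stated requirement) and `iptables -L INPUT -n -v` to confirm UDP 5111 is accepted. Separately, the gateway node "real IP" 192.169.2.81 sits in a publicly routed range (192.169/16 is not RFC 1918 space, unlike 192.168/16); confirm that value is intended, because a reader copying the example verbatim would address packets to an address outside their network.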
Line 34: | Line 37: | ||
- | Example | + | ==== Example |
< | < | ||
- | nfshim -D 0.0.0.0: | + | chmod +x nfshim.el7 |
+ | ./ | ||
</ | </ | ||
- | Ensure you disable the firewall or allow port 5111 through | ||
- | |||
- | < | ||
- | systemctl stop firewalld | ||
- | or | + | ==== Example 2 : bind to a specific local address for tunnel endpoint ==== |
- | firewall-cmd --zone=public --add-port=5111/udp | + | < |
+ | chmod +x nfshim.el7 | ||
+ | ./ | ||
</ | </ | ||
+ | Ensure you disable the firewall or allow port 5111 through | ||
===== Start Trisul Probe ===== | ===== Start Trisul Probe ===== | ||
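Review bot: the new revision keeps the sentence "Ensure you disable the firewall or allow port 5111 through" but deletes the block that showed how (`systemctl stop firewalld` or `firewall-cmd --zone=public --add-port=5111/udp`), leaving the instruction with no concrete step. Restore the commands and lead with the narrow option rather than stopping firewalld: `firewall-cmd --zone=public --add-port=5111/udp` opens only the tunnel port, and it needs `--permanent` followed by `firewall-cmd --reload` to survive a restart. In both examples the `./` invocation is shown cut off, so the flags that make Example 2 "bind to a specific local address for tunnel endpoint" differ from Example 1 are not visible; make sure the rendered page carries the full command lines, since the bind address is the whole point of the second example.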
Line 66: | Line 70: | ||
</ | </ | ||
- | Restart | + | Restart |
- | Now you should be able to see the traffic. | + | |
+ | ===== Extra reference : Use Source NAT ===== | ||
+ | |||
+ | In the very unlikely scenario the above steps dont work and the desired source IP is not seen on the outgoing packets, use SNAT (Source NAT).This example NATs the source IP for udp packets | ||
+ | |||
+ | < | ||
+ | iptables -t nat -A | ||
+ | -o enp7s0 | ||
+ | </ | ||
+ | |||
+ | ==== To view rules ==== | ||
+ | |||
+ | < | ||
+ | iptables -t nat -L -v --line-numbers | ||
+ | </ | ||
+ | |||
+ | ==== To delete a rule with id 3 ==== | ||
+ | |||
+ | < | ||
+ | iptables -t nat -D POSTROUTING | ||
+ | </ | ||
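Review bot: the SNAT rule (`iptables -t nat -A ...` continuing with `-o enp7s0`, in POSTROUTING judging by the delete example) is shown without its match clause, while the text says it NATs "the source IP for udp packets"; scope the rule as narrowly as that wording implies, to UDP and the tunnel port (`-p udp --dport 5111`) on the outgoing interface, so only shim traffic is rewritten and not every UDP packet leaving enp7s0. The delete example hard-codes rule number 3: say that the number is read from the preceding `iptables -t nat -L -v --line-numbers` output, is per chain, and shifts after each deletion, so it must be re-read before deleting again. Minor wording: "dont" should be "don't", and a space is missing after "SNAT (Source NAT)." Finally, with "Now you should be able to see the traffic." removed, the section ends at the Restart step with no verification; keep a sentence saying where the forwarded netflow should appear on the probe.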
hardware/shimtunnel.1547109703.txt.gz · Last modified: 2019/01/10 14:11 by veera