The following image shows a simplified block diagram of the network topology that has been used for testing this configuration.
* main LAN (192.168.0.0/24)
* secondary LAN (192.168.11.0/24)
The following devices are connected to these networks:
* a PC connected to the main LAN (IP address = 192.168.0.28)
* main LAN switch
To enable routing functionality, the well-known netfilter/iptables packet filtering framework has been added to the default software provided along with XUELK and configured as follows.
root@sbc-lynx:~# ifconfig eth0 192.168.0.209
Before proceeding with the port forwarding rules, the forwarding capability must be enabled on both the ''eth0'' and ''eth1'' interfaces:
root@sbc-lynx:~# sysctl net.ipv4.conf.eth0.forwarding=1
The following ''iptables'' commands are used to enable 192.168.0.209:80 <-> 192.168.11.241:80 port forwarding:
* <code>iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.11.241:80</code>
** All TCP packets to port 80 arriving on the ''eth0'' interface have their destination IP address rewritten to ''192.168.11.241'', port 80
* <code>iptables -A FORWARD -p tcp -d 192.168.11.241 --dport 80 -j ACCEPT</code>
** This rule tells the FORWARD chain in the filter table to accept TCP packets on port 80 with destination IP address equal to ''192.168.11.241''. This rule is not strictly necessary, because by default the filter table accepts all packets, but it is useful for logging and packet statistics (see [[ XUELK-WP001:_Configuring_SBC_Lynx_as_industrial_router#Enabling_logging | Enabling_logging]])
* <code>iptables -t nat -A POSTROUTING -p tcp --dport 80 -d 192.168.11.241 -o eth1 -j SNAT --to-source 192.168.11.209</code>
** This rule translates the source IP address of all TCP packets to port 80 leaving on the ''eth1'' interface with destination IP address equal to ''192.168.11.241'' into ''192.168.11.209''
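The three rules above are applied with <code>-A</code>, so running them twice appends duplicates, and with the filter table left at its default ACCEPT policy the SBC Lynx forwards any traffic between the two LANs once forwarding is switched on, not only the web server path. The following script is an added example, not part of the XUELK page or its default software: it generates the same DNAT/FORWARD/SNAT rules in <code>iptables-restore</code> format (loaded atomically, so re-running replaces rather than appends), enables forwarding on both interfaces, and tightens the FORWARD chain to default-deny, allowing only the forwarded web traffic and its return packets. The function names, the default-deny policy and the use of the <code>conntrack</code> match are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the XUELK page): build and load an iptables-restore
# ruleset for the 192.168.0.209:80 <-> 192.168.11.241:80 port forwarding.
# Assumes the nf_conntrack and xt_conntrack modules are available (NAT already
# needs connection tracking). Run as "sh forward.sh apply" on the SBC Lynx.

WAN_IF="eth0"              # main LAN side, 192.168.0.209
LAN_IF="eth1"              # secondary LAN side
LAN_SRC="192.168.11.209"   # SNAT source address used on the secondary LAN
TARGET="192.168.11.241"    # access point web server
PORT="80"

# Emit the whole nat + filter configuration in iptables-restore format.
# Unlike repeated "iptables -A" calls, loading this replaces both tables, so the
# script is idempotent. FORWARD defaults to DROP (stricter than the page's
# default ACCEPT): only the forwarded web traffic and its replies pass.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport $PORT -j DNAT --to-destination $TARGET:$PORT
-A POSTROUTING -o $LAN_IF -p tcp -d $TARGET --dport $PORT -j SNAT --to-source $LAN_SRC
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $TARGET --dport $PORT -j ACCEPT
COMMIT
EOF
}

# Number of rules (-A lines) in the generated ruleset; handy for a sanity check.
rule_count() {
    gen_ruleset | grep -c '^-A'
}

# Return 0 if forwarding is enabled on the given interface, 1 otherwise.
forwarding_enabled() {
    [ "$(cat "/proc/sys/net/ipv4/conf/$1/forwarding" 2>/dev/null)" = "1" ]
}

# Enable forwarding on both interfaces (same sysctl keys as in the page).
enable_forwarding() {
    sysctl -w "net.ipv4.conf.$WAN_IF.forwarding=1"
    sysctl -w "net.ipv4.conf.$LAN_IF.forwarding=1"
}

# Apply: enable forwarding, then load the ruleset atomically.
apply_ruleset() {
    enable_forwarding
    gen_ruleset | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
    forwarding_enabled "$WAN_IF" && forwarding_enabled "$LAN_IF" && echo "forwarding active"
fi
```

Run without arguments the script only defines functions; <code>gen_ruleset</code> can be piped to a file and inspected, or to <code>iptables-restore --test</code> where that option is available, before anything touches the live tables.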
Here is a dump of the ''FILTER'' and ''NAT'' tables with the port forwarding rules:
root@sbc-lynx:~# iptables -t filter -L -n
To enable the iptables logging capability, the kernel drivers must be added to the default software provided along with XUELK.
The logging functionality can be useful for troubleshooting a custom iptables configuration. At the same time, if it is not configured carefully it can be far too verbose and therefore useless, especially if there is a lot of traffic on the LAN.
Enabling iptables port forwarding logging is a matter of adding rules to the chains involved in the port forwarding path. Here is a basic implementation of the port forwarding log:
iptables -t nat -I PREROUTING -j LOG --log-prefix "NAT-prerouting: " --log-level 7
The LOG output is appended to the ''/var/log/messages'' file. Please note that the size of this log file in XUELK is limited to ''265kB''. When the size limit is reached, the log file is backed up to ''/var/log/messages.0'' and a new empty log file is started.
There are various logging options. The two used in this example are the most common:
* ''--log-prefix'': adds a custom string at the beginning of every log entry. This is useful to immediately recognize the rule that produced the entry.
* ''--log-level'': chooses the log level among the standard Linux log levels. Selecting a low log level can also print all the iptables log entries on the debug console.
Other common filtering options can be used to reduce iptables log output size: see [https://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html#ss7.3 Filtering Specifications]
Here is a section of the logging output showing port forwarding when the access point web server is accessed from the PC. Be aware that the nat table is traversed only by the first packet of each connection.
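Two practical points follow from the paragraphs above: the LOG rules should be narrowed and rate-limited so a busy LAN cannot fill the 265kB log, and the nat-chain entries, which appear once per connection, are the natural place to read new connections from. The script below is an added example, not part of the XUELK page: it prints rate-limited LOG rules for the three chains on the forwarding path and summarizes constructed ''/var/log/messages'' lines in the format the kernel LOG target writes. The ''FWD-accept'' and ''NAT-postrouting'' prefixes, the limit values and the sample lines are this example's own (constructed) choices; only ''NAT-prerouting'' comes from the page.

```shell
#!/bin/sh
# Added example (not from the XUELK page): rate-limited LOG rules for the port
# forwarding path plus a small awk summary of the resulting log entries.

WAN_IF="eth0"
LAN_IF="eth1"
TARGET="192.168.11.241"
PORT="80"

# Print the LOG rules. Each rule matches only the forwarded web traffic and
# "-m limit" caps how many entries are written (10 per minute, burst 20), so
# logging cannot flood the log file. -I puts them at the top of each chain so
# they fire before the DNAT/ACCEPT/SNAT rules. Pipe into "sh" to apply.
log_rules() {
    cat <<EOF
iptables -t nat -I PREROUTING -i $WAN_IF -p tcp --dport $PORT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "NAT-prerouting: " --log-level 7
iptables -I FORWARD -o $LAN_IF -p tcp -d $TARGET --dport $PORT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FWD-accept: " --log-level 7
iptables -t nat -I POSTROUTING -o $LAN_IF -p tcp -d $TARGET --dport $PORT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "NAT-postrouting: " --log-level 7
EOF
}

# Constructed sample of /var/log/messages lines (not real output from the page):
# two HTTP connections from the PC. Note that the PREROUTING entry still shows
# DST=192.168.0.209 (logged before DNAT), while the FORWARD and POSTROUTING
# entries show the translated DST=192.168.11.241, and that the nat chains log
# only the first packet of each connection.
SAMPLE_LOG='Jan  1 10:00:01 sbc-lynx kernel: NAT-prerouting: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.28 DST=192.168.0.209 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  1 10:00:01 sbc-lynx kernel: FWD-accept: IN=eth0 OUT=eth1 SRC=192.168.0.28 DST=192.168.11.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  1 10:00:01 sbc-lynx kernel: NAT-postrouting: IN= OUT=eth1 SRC=192.168.0.28 DST=192.168.11.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  1 10:00:01 sbc-lynx kernel: FWD-accept: IN=eth0 OUT=eth1 SRC=192.168.0.28 DST=192.168.11.241 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4322 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
Jan  1 10:00:02 sbc-lynx kernel: FWD-accept: IN=eth0 OUT=eth1 SRC=192.168.0.28 DST=192.168.11.241 LEN=140 TOS=0x00 PREC=0x00 TTL=63 ID=4323 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
Jan  1 10:00:05 sbc-lynx kernel: NAT-prerouting: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.28 DST=192.168.0.209 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4400 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  1 10:00:05 sbc-lynx kernel: FWD-accept: IN=eth0 OUT=eth1 SRC=192.168.0.28 DST=192.168.11.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4400 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  1 10:00:05 sbc-lynx kernel: NAT-postrouting: IN= OUT=eth1 SRC=192.168.0.28 DST=192.168.11.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4400 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0'

# Count the entries on stdin written by a given --log-prefix (pass the prefix
# without its trailing ": ").
count_prefix() {
    awk -v want="$1" 'index($0, "kernel: " want ": ") { n++ } END { print n+0 }'
}

# List the connections that entered nat PREROUTING, one per line as
# "SRC:SPT -> DST:DPT". Since the nat table sees only a connection's first
# packet, this is effectively the list of new connections through the router.
new_connections() {
    awk 'index($0, "kernel: NAT-prerouting: ") {
        src = dst = spt = dpt = "?"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "SPT") spt = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        print src ":" spt " -> " dst ":" dpt
    }'
}

# On the SBC Lynx: "sh logsummary.sh summary" reads the rotated file first so
# entries are in chronological order.
if [ "${1:-}" = "summary" ]; then
    cat /var/log/messages.0 /var/log/messages 2>/dev/null | new_connections
fi
```

Without arguments the script only defines functions, so it can be sourced and the helpers run against the constructed sample with <code>printf '%s\n' "$SAMPLE_LOG" | new_connections</code>.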