
XUELK-TN-001: Configuring SBC Lynx as industrial router

318 bytes added, 09:05, 10 August 2016
no edit summary
The following image shows a simplified block diagram of the network topology that has been used for testing this configuration.
[[File:SBCLynx-router-IP-forwarding.png|thumb|center|600px|Simplified block diagram of the network topology]]
Two LANs have been used:
* main LAN (
* secondary LAN (
The following devices are connected to these networks:
*a PC connected to the main LAN (IP address =
*main LAN switch
To enable routing functionality, the well-known [ netfilter/iptables packet filtering framework ] has been added to the software provided by default along with XUELK and configured. The following steps describe how to set up and configure netfilter to implement the desired routing policy.
First make sure to correctly set up static IP addresses for the two Ethernet interfaces on SBC Lynx:
root@sbc-lynx:~# ifconfig eth0
Before proceeding to set the port forwarding rules, the forwarding capability must be enabled on both the <code>eth0</code> and <code>eth1</code> interfaces:
root@sbc-lynx:~# sysctl net.ipv4.conf.eth0.forwarding=1
The following <code>iptables</code> commands are used to enable <-> port forwarding:
* <code>iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination</code>
** All TCP packets on port 80 arriving on the ''eth0'' interface have their destination IP address rewritten to '''' port 80
* <code>iptables -A FORWARD -p tcp -d --dport 80 -j ACCEPT</code>
** This rule tells the FORWARD chain of the filter table to accept TCP packets on port 80 whose destination IP address equals ''''. This rule is not strictly necessary, because by default the filter table accepts all packets, but it is useful for logging and packet statistics (see [[XUELK-WP001:_Configuring_SBC_Lynx_as_industrial_router#Enabling_logging | Enabling_logging]])
* <code>iptables -t nat -A POSTROUTING -p tcp --dport 80 -d -o eth1 -j SNAT --to-source</code>
** This rule translates the source IP address of all TCP packets on port 80 leaving the ''eth1'' interface with destination IP address equal to ''''
Here is a dump of the <code>FILTER</code> and <code>NAT</code> tables with the port forwarding rules:
root@sbc-lynx:~# iptables -t filter -L -n
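The rule set above, as an added shell example that is not part of the XUELK technical note: the three iptables commands and the two sysctl settings are generated from a handful of variables so they can be reviewed (or diffed against <code>iptables-save</code> output) before being applied. The interface names follow the note; the IP addresses are constructed placeholders from the RFC 5737 documentation ranges, and <code>ROUTER_SEC_IP</code> / <code>TARGET_IP</code> are assumptions standing in for the addresses the note elides.

```shell
#!/bin/sh
# Added example, not taken from the XUELK technical note: generate the SBC Lynx
# port-forwarding rule set from a few variables so it can be reviewed before it
# is applied. The addresses are constructed placeholders (RFC 5737 documentation
# ranges); replace them with the real main/secondary LAN values.

MAIN_IF="eth0"                 # main LAN interface (the PC side)
SEC_IF="eth1"                  # secondary LAN interface (the web server side)
ROUTER_SEC_IP="198.51.100.1"   # assumed: SBC Lynx address on the secondary LAN
TARGET_IP="198.51.100.10"      # assumed: web server reached through the forward
PORT=80

# forward_rules MAIN_IF SEC_IF ROUTER_SEC_IP TARGET_IP PORT
# Prints, one per line, the commands described in the note: enable forwarding on
# both interfaces, DNAT in PREROUTING, an explicit FORWARD accept, SNAT in POSTROUTING.
forward_rules() {
    main_if=$1; sec_if=$2; router_ip=$3; target=$4; port=$5
    cat <<EOF
sysctl -w net.ipv4.conf.${main_if}.forwarding=1
sysctl -w net.ipv4.conf.${sec_if}.forwarding=1
iptables -t nat -A PREROUTING -p tcp -i ${main_if} --dport ${port} -j DNAT --to-destination ${target}:${port}
iptables -A FORWARD -p tcp -d ${target} --dport ${port} -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --dport ${port} -d ${target} -o ${sec_if} -j SNAT --to-source ${router_ip}
EOF
}

# strict_forward_policy
# Optional hardening: the note relies on the filter table's default ACCEPT, which
# forwards every packet between the two LANs. Emit a DROP policy plus a rule for
# reply traffic so that only the explicit forward above crosses the router.
strict_forward_policy() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Print the rule set by default; run with APPLY=1 (as root on the SBC Lynx) to
# execute it instead. The strict policy is emitted first so the explicit ACCEPT
# rule for the forwarded port is appended after the conntrack rule.
if [ "${APPLY:-0}" = "1" ]; then
    { strict_forward_policy; forward_rules "$MAIN_IF" "$SEC_IF" "$ROUTER_SEC_IP" "$TARGET_IP" "$PORT"; } | sh -e
else
    strict_forward_policy
    forward_rules "$MAIN_IF" "$SEC_IF" "$ROUTER_SEC_IP" "$TARGET_IP" "$PORT"
fi
```

Without <code>APPLY=1</code> the script only prints, which is the mode to use on a workstation; on the board, run it as root once the printed rules match the intended topology. The <code>strict_forward_policy</code> function goes beyond the note: with the default ACCEPT policy, any host on either LAN can reach any host on the other through the SBC Lynx, whereas a DROP policy limits forwarded traffic to the web server port and its replies.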
===Enabling logging===
To enable the <code>iptables</code> logging capability, some kernel drivers must be added to the default software configuration provided along with XUELK.
The logging functionality can be useful for troubleshooting a custom iptables configuration. At the same time, if it is not well configured it can be too verbose to be useful, especially if there is a lot of traffic on the LAN.
Enabling <code>iptables</code> port forwarding logging is a matter of adding rules to the chains involved in the port forwarding path. Here is a basic implementation of the port forwarding log:
iptables -t nat -I PREROUTING -j LOG --log-prefix "NAT-prerouting: " --log-level 7
The LOG output is appended to the <code>/var/log/messages</code> file. Please note that the size of this log file in XUELK is limited to ''265kB''. When the size limit is reached, the log file is backed up to ''/var/log/messages.0'' and a new empty log file is started.
There are various logging options. The two used in this example are the most common:
* <code>--log-prefix</code>: adds a custom string at the beginning of every log entry. This is useful to immediately recognize which rule produced the entry.
* <code>--log-level</code>: chooses the log level from the standard Linux log levels. Selecting a low log level can also print all the iptables log entries on the debug console.
Other common filtering options can be used to reduce the <code>iptables</code> log output size: see [ Filtering Specifications]
Here is a section of the logging output showing port forwarding when the access point web server is accessed from the PC. Be aware that the nat table is traversed only by the first packet of each connection.
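Because a <code>LOG</code> rule on a busy LAN quickly fills <code>/var/log/messages</code>, a practitioner usually wants a summary rather than the raw lines. The following shell function, added here as an example and not part of the XUELK note, reads kernel LOG entries from standard input, keeps only those carrying a chosen <code>--log-prefix</code> string, and counts connections per source, destination, protocol and destination port. The sample log lines are constructed for this example; only their field layout (<code>IN=</code>, <code>SRC=</code>, <code>DST=</code>, <code>PROTO=</code>, <code>DPT=</code>) follows the netfilter LOG format, and the hostname and addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the XUELK technical note: summarise netfilter LOG entries
# written by the "NAT-prerouting: " rule so that a noisy /var/log/messages can be
# reduced to one line per (source, destination, protocol, port) tuple.
# SAMPLE_LOG is constructed for this example; real entries carry more fields.
SAMPLE_LOG='Aug 10 09:05:01 sbc-lynx kernel: NAT-prerouting: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.20 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=41234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 10 09:05:01 sbc-lynx kernel: NAT-prerouting: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.20 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=41235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 10 09:05:02 sbc-lynx kernel: NAT-prerouting: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.0.2.21 DST=192.0.2.1 LEN=68 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=48
Aug 10 09:05:03 sbc-lynx kernel: eth1: link up'

# nat_log_summary PREFIX < logfile
# Prints "SRC DST PROTO DPT COUNT", most frequent tuple first. Lines that do not
# contain PREFIX (other kernel messages, or LOG rules with a different prefix)
# are ignored, which is why a distinctive --log-prefix per rule pays off.
nat_log_summary() {
    prefix=$1
    awk -v prefix="$prefix" '
        index($0, prefix) == 0 { next }
        {
            src = "-"; dst = "-"; proto = "-"; dpt = "-"
            # Every netfilter LOG field is a KEY=VALUE token; pick the four we need.
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            count[src " " dst " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k5,5nr -k1,1
}

# Demonstration on the constructed sample; on the board use:
#   nat_log_summary "NAT-prerouting: " < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | nat_log_summary "NAT-prerouting: "
```

Since the nat table is traversed only by the first packet of each connection, the counts produced for a <code>PREROUTING</code> LOG rule are connection counts, not packet counts; the same function applied to a LOG rule in the <code>FORWARD</code> chain would count every forwarded packet instead.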
