Changes


XUELK-TN-001: Configuring SBC Lynx as industrial router

3,800 bytes added, 16:14, 3 November 2020
no edit summary
{{InfoBoxTop}}
{{AppliesToAXELULite}}
{{AppliesToAXEL ULite TN}}
{{AppliesToSBCLynx}}
{{InfoBoxBottom}}
== History ==
{| class="wikitable" border="1"
!Version
!Date
!Notes
|-
|1.0.0
|August 2016
|First public release
|-
|{{oldid|5301|1.1.0}}
|August 2016
|Added section about persistent rules
|-
|1.1.1
|August 2016
|Added sysctl persistent settings
|-
|1.1.2
|May 2017
|Fix sysctl parameter
|-
|}
 
==Introduction==
Thanks to its dual Ethernet interface, SBC Lynx makes it possible to implement non-trivial routing network configurations. As an example of this flexibility, this article shows how to configure SBC Lynx as a Linux-powered router that manages data packet forwarding between two different LANs. This task can be performed in parallel with the other application-specific activities (typically field bus communications, monitoring, control etc.). This solution significantly reduces overall infrastructure costs in many industrial environments, where Ethernet networking is popular nowadays.
==Network topology==
*192.168.0.209:80 <-> 192.168.11.241:80
*192.168.0.209:8080 <-> 192.168.11.239:80
 
 
[1] For simplicity, the secondary interface has been implemented with a USB/Ethernet adapter (MOSCHIP 7830/7832/7730 usb-NET adapter) connected to the USB port. For a real-world production environment, the use of both iMX6UL Ethernet MAC controllers is recommended. To do that, a plugin board connected to the one-piece connector (J45/J52) can be used. For more details please refer to the [mailto:sales@dave.eu sales department].
==Implementation==
To enable the routing functionality, the well-known [https://www.netfilter.org/ netfilter/iptables packet filtering framework] is included by default in the software provided along with [[AXEL_ULite_and_SBC_Lynx_Embedded_Linux_Kit_(XUELK )|XUELK]].
The following steps describe how to set up and configure netfilter to implement the desired routing policy.
Before setting the port-forwarding rules, IP forwarding must be enabled on both the <code>eth0</code> and <code>eth1</code> interfaces:
<pre>
root@sbc-lynx:~# sysctl -w net.ipv4.conf.eth0.forwarding=1
net.ipv4.conf.eth0.forwarding = 1
root@sbc-lynx:~# sysctl -w net.ipv4.conf.eth1.forwarding=1
net.ipv4.conf.eth1.forwarding = 1
</pre>
** All TCP packets on port 80 arriving on the ''eth0'' interface have their destination rewritten to IP address ''192.168.11.241'', port 80
* <code>iptables -A FORWARD -p tcp -d 192.168.11.241 --dport 80 -j ACCEPT</code>
** This rule tells the FORWARD chain of the filter table to accept TCP packets on port 80 whose destination IP address is ''192.168.11.241''. The rule is not strictly necessary, because the filter table accepts all packets by default, but it is useful for logging and packet statistics (see [[#Enabling_logging|Enabling logging]])
* <code>iptables -t nat -A POSTROUTING -p tcp --dport 80 -d 192.168.11.241 -o eth1 -j SNAT --to-source 192.168.11.209</code>
** This rule translates the source IP address of all TCP packets on port 80 leaving through the ''eth1'' interface with destination IP address ''192.168.11.241'', so that the server sees the router's address ''192.168.11.209'' and its replies come back through the router
</pre>
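The following script is an added example, not part of the technical note or of the XUELK software: it assembles the complete rule set for the two-LAN topology above (both port mappings from the Network topology section, the FORWARD accept rules and the SNAT rule). The interface names, the router address <code>192.168.11.209</code> and the <code>FORWARD-Filter:</code> log prefix come from the article; the <code>DRY_RUN</code> switch and the default-deny FORWARD policy are choices of this example.

```shell
#!/bin/sh
# Added example: complete netfilter rule set for the two-LAN topology above.
# eth0/eth1, the router address 192.168.11.209 and the "FORWARD-Filter: "
# prefix come from the article; DRY_RUN and the DROP policy are assumptions.
WAN_IF=eth0             # LAN of the clients, router reachable as 192.168.0.209
LAN_IF=eth1             # LAN of the web servers
LAN_IP=192.168.11.209   # router address on eth1, used as SNAT source

# Apply an iptables command, or just print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Publish TCP port $1 of the router (eth0 side) as $2:$3 on the eth1 side.
forward_port() {
    pub_port=$1; dst_ip=$2; dst_port=$3
    # DNAT: rewrite the destination of connections arriving on eth0
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$dst_ip:$dst_port"
    # filter: allow (and count) only this flow across the two LANs
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$dst_ip" \
        --dport "$dst_port" -j ACCEPT
    # SNAT: the server answers the router, which holds the conntrack entry
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -d "$dst_ip" \
        --dport "$dst_port" -j SNAT --to-source "$LAN_IP"
}

apply_ruleset() {
    # Default-deny: only explicitly mapped flows may cross between the LANs.
    ipt -P FORWARD DROP
    # Log every packet reaching FORWARD (same prefix as in "Enabling logging").
    ipt -A FORWARD -j LOG --log-prefix "FORWARD-Filter: "
    # Reply and follow-up packets of accepted flows pass without a new match.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    forward_port 80   192.168.11.241 80
    forward_port 8080 192.168.11.239 80
}

# Requires root and the sysctl forwarding step above; DRY_RUN=1 only prints.
if [ "${1:-}" = "apply" ]; then apply_ruleset; fi
```

Run it as <code>DRY_RUN=1 sh rules.sh apply</code> first to review the generated commands, then save them with the init script described in the persistence section.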
The output of the LOG target is appended to the <code>/var/log/messages</code> file. Please note that the size of this log file in XUELK is limited to ''265kB''. When the size limit is reached, the log file is backed up as <code>/var/log/messages.0</code> and a new empty log file is started.
There are various logging options. The two used in this example are the most common:
<pre>
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth0 OUT=eth1 MAC=00:50:c2:b9:cf:82:90:b1:1c:69:58:80:08:00 SRC=192.168.0.28 DST=192.168.11.241 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=28618 DF PROTO=TCP SPT=57230 DPT=80 WINDOW=16425 RES=0x00 ACK URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth0 OUT=eth1 MAC=00:50:c2:b9:cf:82:90:b1:1c:69:58:80:08:00 SRC=192.168.0.28 DST=192.168.11.241 LEN=484 TOS=0x00 PREC=0x00 TTL=127 ID=28619 DF PROTO=TCP SPT=57230 DPT=80 WINDOW=16425 RES=0x00 ACK PSH URGP=0
</pre>
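As an added example (not part of the original note), the following shell functions turn the <code>FORWARD-Filter</code> entries shown above into a per-flow packet count and flag any destination/port that is not one of the two intended mappings, which is the first thing to look at when <code>/var/log/messages</code> fills up unexpectedly. The sample lines are constructed in the article's log format (abbreviated fields) and are not captured output.

```shell
#!/bin/sh
# Added example: summarise kernel LOG lines written by the FORWARD-Filter rule.
# The lines below are constructed in the article's format, not real captures.
SAMPLE_LOG='Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth0 OUT=eth1 SRC=192.168.0.28 DST=192.168.11.241 LEN=40 TTL=127 ID=28618 DF PROTO=TCP SPT=57230 DPT=80 ACK URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth0 OUT=eth1 SRC=192.168.0.28 DST=192.168.11.241 LEN=484 TTL=127 ID=28619 DF PROTO=TCP SPT=57230 DPT=80 ACK PSH URGP=0
Mar 6 03:05:10 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth0 OUT=eth1 SRC=192.168.0.28 DST=192.168.11.239 LEN=52 TTL=127 ID=28700 DF PROTO=TCP SPT=57231 DPT=80 SYN URGP=0
Mar 6 03:05:12 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth0 OUT=eth1 SRC=192.168.0.77 DST=192.168.11.250 LEN=60 TTL=64 ID=3111 DF PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Mar 6 03:05:13 sbc-lynx user.info kernel: eth1: link up'

# The only flows the router is meant to forward (from the Network topology).
ALLOWED='192.168.11.241 80
192.168.11.239 80'

# Read a syslog stream on stdin; print "SRC DST DPT count" for every
# FORWARD-Filter entry that carries a destination port (TCP/UDP).
summarize_forward_log() {
    awk '/FORWARD-Filter:/ {
            split("", f)                     # reset the key=value map
            for (i = 1; i <= NF; i++)
                if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
            if (!("DPT" in f)) next          # ICMP etc. have no port
            n[f["SRC"] " " f["DST"] " " f["DPT"]]++
         }
         END { for (k in n) print k, n[k] }' | sort
}

# Print only the summary rows whose DST/DPT is not an intended mapping.
unexpected_forwards() {
    summarize_forward_log | while read -r src dst dpt cnt; do
        printf '%s\n' "$ALLOWED" | grep -qxF -- "$dst $dpt" \
            || echo "$src $dst $dpt $cnt"
    done
}

# On the target: unexpected_forwards < /var/log/messages
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | unexpected_forwards
fi
```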
 
===Make <code>iptables</code> configuration persistent===
An <code>iptables</code> init script is used to make the rules persistent, so that they are loaded automatically at boot.
 
The init script must be saved in the target's root file system as <code>/etc/init.d/iptables</code>. On the SBC Lynx, the following commands can be used to create and edit the file:
<pre>
root@sbc-lynx:~# touch /etc/init.d/iptables
root@sbc-lynx:~# chmod +x /etc/init.d/iptables
root@sbc-lynx:~# vi /etc/init.d/iptables
</pre>
 
Here is the content of the script:
<pre>
#! /bin/bash
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: mountkernfs $local_fs
# Required-Stop: mountkernfs $local_fs
# X-Start-Before: networking
# X-Stop-After: networking
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Iptables
# Description: Init script for iptables
### END INIT INFO

# Load the rule set saved by "save", if one exists
function do_start {
    if [ -e "/etc/iptables.rules" ]; then
        echo "Starting iptables service"
        iptables-restore < /etc/iptables.rules
    else
        echo "No rules saved for iptables"
    fi
}

# Return every table to an empty, accept-all state
function do_stop {
    echo "Stopping iptables service"
    # filter table: restore the default ACCEPT policies
    for chain in INPUT FORWARD OUTPUT
    do
        iptables -P $chain ACCEPT
    done
    # flush rules (-F), zero counters (-Z) and delete user chains (-X)
    for param in F Z X; do iptables -$param; done
    # ... in every loaded table (filter, nat, mangle, ...)
    for table in $(cat /proc/net/ip_tables_names)
    do
        iptables -t $table -F
        iptables -t $table -Z
        iptables -t $table -X
    done
}

# Dump the running rule set so that do_start can reload it at boot
function do_save {
    echo "Saving iptables rules"
    iptables-save > /etc/iptables.rules
}

case "$1" in
    start)
        do_start
        ;;
    stop)
        do_stop
        ;;
    save)
        do_save
        ;;
    restart)
        do_stop
        do_start
        ;;
    *)
        echo "Usage: /etc/init.d/iptables {start|stop|restart|save}"
        exit 1
        ;;
esac

exit 0
</pre>
 
Enable the <code>iptables</code> init script at boot by issuing this command:
<pre>
update-rc.d iptables defaults
</pre>
 
To save the current <code>iptables</code> rules and make them persistent, type this command:
<pre>
root@sbc-lynx:~# /etc/init.d/iptables save
Saving iptables rules
</pre>
 
At the next boot the saved <code>iptables</code> rules will be automatically loaded.
 
 
----
 
Please note that <code>sysctl</code> settings (e.g. the ones used to enable packet forwarding) are not persistent across reboots. To apply them automatically at boot time, add them to [http://linux.die.net/man/5/sysctl.conf <code>/etc/sysctl.conf</code>] as <code>token = value</code> lines:
 
<pre>
root@sbc-lynx:~# tail /etc/sysctl.conf
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
 
#kernel.shmmax = 141762560
 
net.ipv4.conf.eth0.forwarding=1
net.ipv4.conf.eth1.forwarding=1
</pre>
 
The <code>sysctl.conf</code> settings are applied by the init script during network configuration (see <code>/etc/init.d/networking</code>).
 
To check the <code>sysctl.conf</code> syntax, the settings can also be applied manually with the following command:
 
<pre>
root@sbc-lynx:~# sysctl -p /etc/sysctl.conf
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth1.forwarding = 1
</pre>