XUELK-TN-001: Configuring SBC Lynx as industrial router

8,838 bytes added, 08:20, 10 August 2016
no edit summary
** This rule tells the FORWARD chain of the filter table to accept TCP packets on port 80 with destination IP address equal to ''192.168.11.241''. The rule is not strictly necessary, because by default the filter table accepts all packets, but it is useful for logging and packet statistics (see [[XUELK-WP001:_Configuring_SBC_Lynx_as_industrial_router#Enabling_logging | Enabling_logging]]).
* <code>iptables -t nat -A POSTROUTING -p tcp --dport 80 -d 192.168.11.241 -o eth1 -j SNAT --to-source 192.168.11.209</code>
** This rule translates the source IP address of all the TCP packets on port 80 leaving through the ''eth1'' interface with destination IP address equal to ''192.168.11.241''.
Here is a dump of the ''FILTER'' and ''NAT'' tables with the port forwarding rules:
<pre>
root@sbc-lynx:~# iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.11.241       tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            192.168.11.239       tcp dpt:80

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
</pre>
<pre>
root@sbc-lynx:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.11.241:80
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:192.168.11.239:80

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       tcp  --  0.0.0.0/0            192.168.11.241       tcp dpt:80 to:192.168.11.209
SNAT       tcp  --  0.0.0.0/0            192.168.11.239       tcp dpt:80 to:192.168.11.209
</pre>
Now, on the PC side (192.168.0.28), it is possible to access either the managed switch or the access point web server with a web browser.
===Enabling logging===
To enable the iptables logging capability, the kernel drivers must be added to the default software provided along with XUELK. The logging functionality is useful for troubleshooting a custom iptables configuration, but if it is not configured carefully it can be too verbose to be useful, especially when there is a lot of traffic on the LAN.

Enabling the port forwarding log is a matter of adding rules on the chains involved in the port forwarding path. Here is a basic implementation of the port forwarding log:
<pre>
iptables -t nat -I PREROUTING -j LOG --log-prefix "NAT-prerouting: " --log-level 7
iptables -t nat -I POSTROUTING -j LOG --log-prefix "NAT-postrouting: " --log-level 7
iptables -t filter -I FORWARD -j LOG --log-prefix "FORWARD-Filter: " --log-level 7
</pre>
The LOG output is appended to the ''/var/log/messages'' file. Please note that the size of this log file in XUELK is limited to ''265kB''. When the size limit is reached, the log file is backed up to ''/var/log/messages.0'' and a new empty log file is started.

There are various logging options. The two used in this example are the most common:
* ''--log-prefix'': adds a custom string at the beginning of every log entry. This is useful to immediately recognize which rule produced the entry.
* ''--log-level'': chooses the log level among the standard Linux log levels. Selecting a low log level can also print all the iptables log messages on the debug console.
Other common filtering options can be used to reduce the size of the iptables log output: see [https://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html#ss7.3 Filtering Specifications].

Here is a section of the logging output showing port forwarding when the access point web server is accessed from the PC.
Be aware that the nat table is traversed only by the first packet of each connection.
<pre>
Mar 6 03:04:56 sbc-lynx user.debug kernel: NAT-prerouting: IN=eth0 OUT= MAC=00:50:c2:b9:cf:82:90:b1:1c:69:58:80:08:00 SRC=192.168.0.28 DST=192.168.0.209 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=28609 DF PROTO=TCP SPT=57227 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth0 OUT=eth1 MAC=00:50:c2:b9:cf:82:90:b1:1c:69:58:80:08:00 SRC=192.168.0.28 DST=192.168.11.241 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=28609 DF PROTO=TCP SPT=57227 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: NAT-postrouting: IN= OUT=eth1 SRC=192.168.0.28 DST=192.168.11.241 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=28609 DF PROTO=TCP SPT=57227 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth1 OUT=eth0 MAC=00:d0:10:03:26:0a:00:1f:1f:b0:52:30:08:00 SRC=192.168.11.241 DST=192.168.0.28 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=57227 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth0 OUT=eth1 MAC=00:50:c2:b9:cf:82:90:b1:1c:69:58:80:08:00 SRC=192.168.0.28 DST=192.168.11.241 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=28610 DF PROTO=TCP SPT=57227 DPT=80 WINDOW=16425 RES=0x00 ACK URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth0 OUT=eth1 MAC=00:50:c2:b9:cf:82:90:b1:1c:69:58:80:08:00 SRC=192.168.0.28 DST=192.168.11.241 LEN=520 TOS=0x00 PREC=0x00 TTL=127 ID=28611 DF PROTO=TCP SPT=57227 DPT=80 WINDOW=16425 RES=0x00 ACK PSH URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth1 OUT=eth0 MAC=00:d0:10:03:26:0a:00:1f:1f:b0:52:30:08:00 SRC=192.168.11.241 DST=192.168.0.28 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=63706 DF PROTO=TCP SPT=80 DPT=57227 WINDOW=3456 RES=0x00 ACK URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth1 OUT=eth0 MAC=00:d0:10:03:26:0a:00:1f:1f:b0:52:30:08:00 SRC=192.168.11.241 DST=192.168.0.28 LEN=89 TOS=0x00 PREC=0x00 TTL=63 ID=63707 DF PROTO=TCP SPT=80 DPT=57227 WINDOW=3456 RES=0x00 ACK PSH URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth1 OUT=eth0 MAC=00:d0:10:03:26:0a:00:1f:1f:b0:52:30:08:00 SRC=192.168.11.241 DST=192.168.0.28 LEN=839 TOS=0x00 PREC=0x00 TTL=63 ID=63708 DF PROTO=TCP SPT=80 DPT=57227 WINDOW=3456 RES=0x00 ACK PSH FIN URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth0 OUT=eth1 MAC=00:50:c2:b9:cf:82:90:b1:1c:69:58:80:08:00 SRC=192.168.0.28 DST=192.168.11.241 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=28612 DF PROTO=TCP SPT=57227 DPT=80 WINDOW=16213 RES=0x00 ACK URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth0 OUT=eth1 MAC=00:50:c2:b9:cf:82:90:b1:1c:69:58:80:08:00 SRC=192.168.0.28 DST=192.168.11.241 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=28613 DF PROTO=TCP SPT=57227 DPT=80 WINDOW=16213 RES=0x00 ACK FIN URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth1 OUT=eth0 MAC=00:d0:10:03:26:0a:00:1f:1f:b0:52:30:08:00 SRC=192.168.11.241 DST=192.168.0.28 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=57227 WINDOW=3456 RES=0x00 ACK URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: NAT-prerouting: IN=eth0 OUT= MAC=00:50:c2:b9:cf:82:90:b1:1c:69:58:80:08:00 SRC=192.168.0.28 DST=192.168.0.209 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=28616 DF PROTO=TCP SPT=57230 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth0 OUT=eth1 MAC=00:50:c2:b9:cf:82:90:b1:1c:69:58:80:08:00 SRC=192.168.0.28 DST=192.168.11.241 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=28616 DF PROTO=TCP SPT=57230 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: NAT-postrouting: IN= OUT=eth1 SRC=192.168.0.28 DST=192.168.11.241 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=28616 DF PROTO=TCP SPT=57230 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: NAT-prerouting: IN=eth0 OUT= MAC=00:50:c2:b9:cf:82:90:b1:1c:69:58:80:08:00 SRC=192.168.0.28 DST=192.168.0.209 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=28617 DF PROTO=TCP SPT=57231 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth0 OUT=eth1 MAC=00:50:c2:b9:cf:82:90:b1:1c:69:58:80:08:00 SRC=192.168.0.28 DST=192.168.11.241 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=28617 DF PROTO=TCP SPT=57231 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: NAT-postrouting: IN= OUT=eth1 SRC=192.168.0.28 DST=192.168.11.241 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=28617 DF PROTO=TCP SPT=57231 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth1 OUT=eth0 MAC=00:d0:10:03:26:0a:00:1f:1f:b0:52:30:08:00 SRC=192.168.11.241 DST=192.168.0.28 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=57230 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth1 OUT=eth0 MAC=00:d0:10:03:26:0a:00:1f:1f:b0:52:30:08:00 SRC=192.168.11.241 DST=192.168.0.28 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=57231 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth0 OUT=eth1 MAC=00:50:c2:b9:cf:82:90:b1:1c:69:58:80:08:00 SRC=192.168.0.28 DST=192.168.11.241 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=28618 DF PROTO=TCP SPT=57230 DPT=80 WINDOW=16425 RES=0x00 ACK URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth0 OUT=eth1 MAC=00:50:c2:b9:cf:82:90:b1:1c:69:58:80:08:00 SRC=192.168.0.28 DST=192.168.11.241 LEN=484 TOS=0x00 PREC=0x00 TTL=127 ID=28619 DF PROTO=TCP SPT=57230 DPT=80 WINDOW=16425 RES=0x00 ACK PSH URGP=0
</pre>
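As an added example (not part of the original technical note), here is a small Python parser for iptables LOG lines in the format shown above. It groups entries by client connection to confirm that the nat chains log only the opening SYN while FORWARD logs every packet, and pairs each PREROUTING SYN with its FORWARD counterpart (by IP ID) to show the DNAT rewrite. The sample log lines are constructed from the excerpt above; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpt above: one HTTP connection from the PC to the router, DNATed to the access point.
SAMPLE_LOG = """\
Mar 6 03:04:56 sbc-lynx user.debug kernel: NAT-prerouting: IN=eth0 OUT= MAC=00:50:c2:b9:cf:82:90:b1:1c:69:58:80:08:00 SRC=192.168.0.28 DST=192.168.0.209 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=28609 DF PROTO=TCP SPT=57227 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth0 OUT=eth1 MAC=00:50:c2:b9:cf:82:90:b1:1c:69:58:80:08:00 SRC=192.168.0.28 DST=192.168.11.241 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=28609 DF PROTO=TCP SPT=57227 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: NAT-postrouting: IN= OUT=eth1 SRC=192.168.0.28 DST=192.168.11.241 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=28609 DF PROTO=TCP SPT=57227 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth1 OUT=eth0 MAC=00:d0:10:03:26:0a:00:1f:1f:b0:52:30:08:00 SRC=192.168.11.241 DST=192.168.0.28 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=57227 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Mar 6 03:04:56 sbc-lynx user.debug kernel: FORWARD-Filter: IN=eth0 OUT=eth1 MAC=00:50:c2:b9:cf:82:90:b1:1c:69:58:80:08:00 SRC=192.168.0.28 DST=192.168.11.241 LEN=520 TOS=0x00 PREC=0x00 TTL=127 ID=28611 DF PROTO=TCP SPT=57227 DPT=80 WINDOW=16425 RES=0x00 ACK PSH URGP=0
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>[\w-]+): (?P<rest>.*)$")

def parse_log_line(line):
    """Split one iptables LOG entry into (log prefix, KEY=VALUE fields, bare flags)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:                  # SRC=..., OUT= (an empty value is kept)
            fields.update([tok.split("=", 1)])
        else:                           # bare tokens: DF, SYN, ACK, PSH, FIN ...
            flags.add(tok)
    return m.group("prefix"), fields, flags

def parsed_entries(text):
    return [p for p in map(parse_log_line, text.splitlines()) if p]

def chains_per_connection(text):
    """Ordered chains that logged each client flow (client IP, client port), both directions."""
    seen = defaultdict(list)
    for prefix, f, _ in parsed_entries(text):
        # SPT=80 marks the server's reply, so the client sits on the DST side
        key = (f["DST"], f["DPT"]) if f["SPT"] == "80" else (f["SRC"], f["SPT"])
        seen[key].append(prefix)
    return dict(seen)

def dnat_rewrites(text):
    """Destination of each PREROUTING SYN before and after DNAT, paired by IP ID with FORWARD."""
    before, after = {}, {}
    for prefix, f, flags in parsed_entries(text):
        if "SYN" not in flags or "ACK" in flags:   # only the connection-opening packet
            continue
        if prefix == "NAT-prerouting":
            before[f["ID"]] = f["DST"]
        elif prefix == "FORWARD-Filter":
            after[f["ID"]] = f["DST"]
    return {i: (before[i], after[i]) for i in before if i in after}
```

Run it against a real ''/var/log/messages'' by passing the file contents to the two functions; a flow whose nat prefixes appear more than once indicates conntrack did not recognise the later packets as part of the same connection.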