Make ip tables rules persistent in app snap


We we have app but device has 2 interface ppp0 ( that makes public apn network) second private netwotk ( snp1s0 that makes private to connect camera ) we’re trying to make NAT from public to camera without ufw snap just using iptables when we could make ip tables rules on it, it did not work because of forwarding setting like net.ipv4.ip_forward=1, sudo vi /etc/sysctl.conf All other configuration is ok

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d {PUBLIC_IP} --dport 80 -j DNAT --to {INTERNAL_IP}:80 /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -A FORWARD -p tcp -d --dport 80 -j ACCEPT

what must we do to get make proper NAT solution between interface( networks )


Hi @ahozdemir,

It is very hard to fetch what is the actual question from your post. If you would like to configure ip forwarding, your application can modify the /proc/sys/net/ipv4/ip_forward if the network-control interface is already connected. Please see

However, this configuration is not persistent and will be lost after every reboot. You can handle this;

  • your application can always check the mentioned path and enable ip forwarding after every reboot.
  • you can use system-files ( and modify /etc/sysctl.conf which will always enable the ip forwarding. Please note that, system-files interface is considered as super-privileged interface and requires Store Review as well as private IoT App Store.

If you would like to use iptables within your application snap, you would need to add iptables package to your snap by leveraging the stage-packages section. Then probably, you would need to adjust the paths that iptables tries to reach. Finally, do not forget to add required interface plug to your snapcraft.yaml file.

Regards, Bugra

i think there is also a way to somehow talk to ufw via dbus, so you could configure it after first boot through that and the settings should persist … alternatively what bugra said is correct … your app would have to set it regulary or put something into /etc/sysctl.d/ …

here is an example where i ship iptables in a captive-portal snap:

Hi @bugraaydogar

In order to make the problem clear, i want to give some details as in the following.

We have a Single Board PC, an NVR device and some IP Cameras, our aim is to watch IP cameras from our server. NVR device that is connected to our Single Board PC over ethernet connection, it is plugged directly to PC , there is no switch, router etc between. As you know there is a web application working on NVR on 80 port to watch ip cameras. We thought we could watch the cameras from our server by using a web browser by accessing DVR’s port 80. There is a apn connection between our single board PC and server, therefore in order to access NVR 80 port from our server bypassing apn connection we need to make a port forwarding between ppp0 (apn network) and eth0 (nvr connection). We accomplished to watch IP cameras from our server on a web browser by applying the following commands on Ubuntu Classic Desktop, but we are not sure what is the best way to implement the configuration on Ubuntu Core. Is it better to use ufw as in the following, or is it easier to make it by changing the configuration only using ip tables. If we use ufw what is the key points that we need to focus?

NVR Ip: Our Single Board PC IP on APN:

  1. root@pudo-EPIC-BT07:/etc/ufw# ip link set enx020c29a39b6d down

  2. /etc/default/ufw to accept forwarding requests default_forward_policy = “accept”

  3. edit /etc/ufw/sysctl.conf to allow forwarding net.ipv4.ip_forward=1

  4. vi /etc/ufw/before.rules *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -F

Port Forwardings 80 Management, 3000 data, 1935, 554 RTSP

  • -A PREROUTING -i ppp0 -d -p tcp --dport 80 -j DNAT --to-destination
  • -A PREROUTING -i ppp0 -d -p tcp --dport 3000 -j DNAT --to-destination -A PREROUTING -i ppp0 -d -p tcp --dport 1935 -j DNAT --to-destination
  • -A PREROUTING -i ppp0 -d -p tcp --dport 554 -j DNAT --to-destination
  • -A PREROUTING -i ppp0 -d -p udp --dport 3001 -j DNAT --to-destination

Forward traffic through eth0 - Change to match you out-interface


don’t delete the ‘COMMIT’ line or these nat table rules won’t be processed


  • ufw reload
  • ufw allow http
  • ufw allow ssh
  • ufw reload