Make ip tables rules persistent in app snap

Hi;

We have an app, but the device has 2 interfaces: ppp0 (which makes the public APN network) and a second, private network (snp1s0, which connects the camera). We're trying to make NAT from public to camera without the ufw snap, just using iptables. When we could make iptables rules on it, it did not work because of the forwarding setting, like net.ipv4.ip_forward=1 (sudo vi /etc/sysctl.conf). All other configuration is ok.

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d {PUBLIC_IP} --dport 80 -j DNAT --to {INTERNAL_IP}:80
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -A FORWARD -p tcp -d 192.168.1.3 --dport 80 -j ACCEPT

What must we do to make a proper NAT solution between the interfaces (networks)?

regards

Hi @ahozdemir,

It is very hard to tell what the actual question is from your post. If you would like to configure IP forwarding, your application can modify /proc/sys/net/ipv4/ip_forward if the network-control interface is already connected. Please see https://github.com/snapcore/snapd/blob/master/interfaces/builtin/network_control.go#L91

However, this configuration is not persistent and will be lost after every reboot. You can handle this:

  • your application can always check the mentioned path and enable IP forwarding after every reboot.
  • you can use system-files (https://snapcraft.io/docs/system-files-interface) and modify /etc/sysctl.conf, which will always enable IP forwarding. Please note that the system-files interface is considered a super-privileged interface and requires Store Review as well as a private IoT App Store.

If you would like to use iptables within your application snap, you would need to add the iptables package to your snap by leveraging the stage-packages section. Then, probably, you would need to adjust the paths that iptables tries to reach. Finally, do not forget to add the required interface plug to your snapcraft.yaml file.

Regards, Bugra

I think there is also a way to somehow talk to ufw via dbus, so you could configure it after first boot through that and the settings should persist … alternatively, what bugra said is correct … your app would have to set it regularly or put something into /etc/sysctl.d/ …

Here is an example where I ship iptables in a captive-portal snap:

Hi @bugraaydogar

In order to make the problem clear, I want to give some details, as follows.

We have a Single Board PC, an NVR device and some IP cameras; our aim is to watch the IP cameras from our server. The NVR device is connected to our Single Board PC over an Ethernet connection; it is plugged directly into the PC, with no switch, router, etc. in between. As you know, there is a web application running on the NVR on port 80 to watch the IP cameras. We thought we could watch the cameras from our server by using a web browser to access the DVR's port 80. There is an APN connection between our Single Board PC and the server, therefore in order to access the NVR's port 80 from our server bypassing the APN connection we need to make a port forwarding between ppp0 (APN network) and eth0 (NVR connection). We managed to watch the IP cameras from our server in a web browser by applying the following commands on Ubuntu Classic Desktop, but we are not sure what the best way is to implement the configuration on Ubuntu Core. Is it better to use ufw as in the following, or is it easier to do it by changing the configuration using only iptables? If we use ufw, what are the key points that we need to focus on?

NVR IP: 192.168.1.3:80
Our Single Board PC IP on APN: 192.168.11.6

  1. root@pudo-EPIC-BT07:/etc/ufw# ip link set enx020c29a39b6d down

  2. Edit /etc/default/ufw to accept forwarding requests: DEFAULT_FORWARD_POLICY="ACCEPT"

  3. Edit /etc/ufw/sysctl.conf to allow forwarding: net.ipv4.ip_forward=1

  4. vi /etc/ufw/before.rules and add:

     *nat
     :PREROUTING ACCEPT [0:0]
     :POSTROUTING ACCEPT [0:0]
     -F

     # Port forwardings: 80 management, 3000 data, 1935, 554 RTSP
     -A PREROUTING -i ppp0 -d 192.168.11.6 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3:80
     -A PREROUTING -i ppp0 -d 192.168.11.6 -p tcp --dport 3000 -j DNAT --to-destination 192.168.1.3:3000
     -A PREROUTING -i ppp0 -d 192.168.11.6 -p tcp --dport 1935 -j DNAT --to-destination 192.168.1.3:1935
     -A PREROUTING -i ppp0 -d 192.168.11.6 -p tcp --dport 554 -j DNAT --to-destination 192.168.1.3:554
     -A PREROUTING -i ppp0 -d 192.168.11.6 -p udp --dport 3001 -j DNAT --to-destination 192.168.1.3:3001

     # Forward traffic through eth0 - change to match your out-interface
     -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE

     # don't delete the 'COMMIT' line or these nat table rules won't be processed
     COMMIT

  • ufw reload
  • ufw allow http
  • ufw allow ssh
  • ufw reload