IP forwarding - norlab-ulaval/Norlab_wiki GitHub Wiki

To access sensor interfaces remotely without using a screen connected to the main computer, we need to enable and configure IP forwarding.

Enable IP forwarding:

sudo sysctl -w net.ipv4.ip_forward=1

To make this persistent across reboots, set the following in /etc/sysctl.conf

net.ipv4.ip_forward = 1

and apply changes with sudo sysctl -p.

Now suppose our computer is connected to the router on interface enp1s0f1 with the IP address 192.168.0.3, while the sensor, with the IP address 192.168.1.200, is attached to interface enp6s0. The computer's own IP address on the interface connected to the sensor is not important, since we will forward all traffic to that interface.

We will forward all incoming traffic on port 30000 on enp1s0f1 to port 80 of the sensor on enp6s0, which is where its web server listens. ❗️Note that if the web interface uses HTTPS, you must replace 80 with 443. ❗️

We will need to set up iptables rules:

sudo iptables -t nat -A PREROUTING -i enp1s0f1 -p tcp --dport 30000 -j DNAT --to-destination 192.168.1.200:80
sudo iptables -A FORWARD -p tcp -d 192.168.1.200 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o enp6s0 -j MASQUERADE

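The last command rewrites the source address of packets leaving enp6s0 to the computer's own address on that interface, which ensures that the sensor sends its responses back through warthog-high-level to the laptop.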

Now, from the laptop, we can verify that we have a working connection with

curl -v http://192.168.0.3:30000

The iptables settings can be stored in a file and restored from the same file with

sudo iptables-save > iptables.rules
sudo iptables-restore < iptables.rules

Here's a full config file that allows access to the RS Ruby Plus 128 (port 30000) and the Navtech radar (port 30001):

robot@warthog-high-level: /tmp $ cat iptables.rules
# Generated by iptables-save v1.8.7 on Tue Sep  3 10:45:28 2024
*filter
:INPUT ACCEPT [20178:25139024]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [363:34270]
-A FORWARD -d 192.168.1.200/32 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.4.1/32 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Sep  3 10:45:28 2024
# Generated by iptables-save v1.8.7 on Tue Sep  3 10:45:28 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [2:152]
:POSTROUTING ACCEPT [2:152]
-A PREROUTING -i enp1s0f1 -p tcp -m tcp --dport 30000 -j DNAT --to-destination 192.168.1.200:80
-A PREROUTING -i enp1s0f1 -p tcp -m tcp --dport 30001 -j DNAT --to-destination 192.168.4.1:443
-A POSTROUTING -o enp6s0 -j MASQUERADE
-A POSTROUTING -o enp1s0f0 -j MASQUERADE
COMMIT
# Completed on Tue Sep  3 10:45:28 2024

This file is located in norlab_robot/scripts/config/iptables.rules. It is automatically loaded on startup by a script located in /etc/network/if-pre-up.d/iptables (which needs to be executable), which contains:

#!/bin/sh
iptables-restore < /home/robot/ros2_ws/src/norlab_robot/scripts/config/iptables.rules
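
In the saved rules above, the FORWARD chain policy is ACCEPT, so the explicit FORWARD ACCEPT rules do not restrict anything: any packet routed through the computer is forwarded. The following check is an added example, not part of the norlab_robot repository. It reports the FORWARD policy of an iptables-save dump and whether each DNAT target has its own FORWARD ACCEPT rule, which is what keeps a forward working if the policy is tightened to DROP. The function names and the 30002 rule in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# audit_rules [FILE]: read an iptables-save dump (file or stdin) and print
#   POLICY FORWARD <policy>
#   DNAT <in-iface> <dport> -> <ip:port> <covered|uncovered>
# "covered" = an explicit FORWARD ACCEPT rule matches the DNAT target ip:port.
audit_rules() {
    awk '
    /^\*/ { table = substr($0, 2) }            # section header: *filter, *nat
    table == "filter" && /^:FORWARD / { print "POLICY FORWARD", $2 }
    table == "filter" && /^-A FORWARD / && /-j ACCEPT/ {
        d = ""; p = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-d") { d = $(i+1); sub(/\/32$/, "", d) }
            if ($i == "--dport") p = $(i+1)
        }
        allowed[d ":" p] = 1                   # destination the filter table accepts
    }
    table == "nat" && /-j DNAT/ {
        iface = "any"; port = "any"; to = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-i") iface = $(i+1)
            if ($i == "--dport") port = $(i+1)
            if ($i == "--to-destination") to = $(i+1)
        }
        dnat[++n] = iface " " port " -> " to; target[n] = to
    }
    END {                                      # compare after both tables are read
        for (k = 1; k <= n; k++)
            print "DNAT", dnat[k], ((target[k] in allowed) ? "covered" : "uncovered")
    }' "${1:--}"
}

# Constructed sample: trimmed from the config on this page, plus one made-up
# DNAT rule (port 30002 to 192.168.1.201) that has no FORWARD ACCEPT rule.
sample_rules() {
cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.1.200/32 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
-A PREROUTING -i enp1s0f1 -p tcp -m tcp --dport 30000 -j DNAT --to-destination 192.168.1.200:80
-A PREROUTING -i enp1s0f1 -p tcp -m tcp --dport 30002 -j DNAT --to-destination 192.168.1.201:80
COMMIT
EOF
}
sample_rules | audit_rules
```

To check the live configuration instead of the sample, pipe the output of sudo iptables-save into audit_rules, or pass it the path of the saved iptables.rules file.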