Port forwarding from Codesys with AWS SSM

Guest11740
Posts: 3
Joined: 11 Oct 2021, 15:07


Post by Guest11740 »

Dear all,

I want to remote control a Codesys PLC with Codesys Studio. For that, I am using the following setup: The PLC is connected via Ethernet to the RevPi Connect and the RevPi to the public internet.
I want to use port forwarding with AWS Systems Manager (SSM) for forwarding port 11740 of the PLC to my local PC. To do so, I installed the SSM Agent on the RevPi and set up the tunnel to my local PC. The problem is that I cannot directly forward port 11740 of the PLC via SSM, but only the local host of the RevPi.

1) Is there a way to set the endpoint of SSM to the IP address of the PLC in order to forward directly port 11740 to my local PC?
2) Can I configure the RevPi settings (e.g. iptables) to manually forward the port 11740 from the PLC to the RevPi and transfer it from there to the SSM port forwarding?

Thanks to all for answering on that topic!
nicolaiB
KUNBUS
Posts: 931
Joined: 21 Jun 2018, 10:33
Location: Berlin

Re: Port forwarding from Codesys with AWS SSM

Post by nicolaiB »

Hi Guest,

unfortunately it is not possible to use a remote host with AWS SSM port forwarding. But as you already figured out, you can create a local port forwarding from your PLC to your RevPi and point AWS SSM to your local port.
For a quick test you could use the following:

Code:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 11740 -j DNAT --to-destination 127.0.0.1:11740
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Nicolai

Re: Port forwarding from Codesys with AWS SSM

Post by Guest11740 »

Hi Nicolai,

thanks a lot for your support! Unfortunately, I have not yet managed to establish the connection.
Below is a sketch of the setup I use.
[Attachment: SSM_Kunbus.png]
The port forwarding with SSM agent between service PC and RevPi is working. I checked that by forwarding port 22 and using an SSH connection.
However, using SSM + iptables port forwarding the connection cannot be established by using these iptables rules:

Code:

echo 1  | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 11740 -j DNAT --to-destination 127.0.0.1:11740
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Since the connection is always started from the Service PC I turned around the direction of the rules:

Code:

echo 1  | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A PREROUTING -p tcp --dport 11740 -j DNAT --to-destination 192.168.2.20:11740
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The connection via SSM still didn't work. But I was able to connect to the PLC if I specified within Codesys Studio the RevPi as the target system. So the port forwarding with iptables from PLC to RevPi should work. Can you see why it is still not possible to use the SSM port forwarding?

Thank you very much for your support!
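
An added example, not part of the original posts: a small shell audit of NAT rules in `iptables-save` format, run over the two rule sets from this thread (retyped here as constructed input). It flags a DNAT rule that is not limited to an inbound interface, a DNAT target on loopback, and the absence of any nat OUTPUT rule, since PREROUTING is not traversed by connections opened on the RevPi itself (assumed here for the SSM agent, which forwards to the RevPi's local host as described in the first post). The function name `audit_nat` and the finding codes are made up for this example.

```sh
#!/bin/sh
# Added example, not from the thread. Audits NAT rules given on stdin in
# iptables-save format and prints one finding per line.
audit_nat() {
    seen_pre=no; seen_out=no
    while IFS= read -r rule; do
        case "$rule" in
            "-A OUTPUT "*"-j DNAT"*) seen_out=yes; continue ;;
            "-A PREROUTING "*"-j DNAT"*) seen_pre=yes ;;
            *) continue ;;
        esac
        dest=${rule##*--to-destination }; dest=${dest%% *}
        case "$rule" in
            *"--dport "*) port=${rule##*--dport }; port=${port%% *} ;;
            *) port=any ;;
        esac
        # No -i match: the rule applies to packets arriving on every
        # interface, including one that faces the public internet.
        case "$rule" in
            *" -i "*) ;;
            *) echo "ANY_INTERFACE port=$port dest=$dest" ;;
        esac
        # Loopback target: traffic is sent to the gateway itself, not the PLC.
        case "$dest" in
            127.*) echo "LOOPBACK_DEST port=$port dest=$dest" ;;
        esac
    done
    # PREROUTING only sees packets that arrive from the network. A connection
    # opened on the gateway itself passes the nat OUTPUT chain instead.
    if [ "$seen_pre" = yes ] && [ "$seen_out" = no ]; then
        echo "LOCAL_TRAFFIC_UNMATCHED"
    fi
}

# Constructed input: the thread's two rule sets as iptables-save prints them.
RULES_FIRST='-A PREROUTING -i eth0 -p tcp -m tcp --dport 11740 -j DNAT --to-destination 127.0.0.1:11740
-A POSTROUTING -o eth0 -j MASQUERADE'
RULES_SECOND='-A PREROUTING -p tcp -m tcp --dport 11740 -j DNAT --to-destination 192.168.2.20:11740
-A POSTROUTING -o eth0 -j MASQUERADE'

printf '%s\n' "$RULES_SECOND" | audit_nat
```

On a live system the same function can read `sudo iptables-save -t nat` instead of the constructed strings.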

Re: Port forwarding from Codesys with AWS SSM

Post by nicolaiB »

Hi Guest11740

Good catch! You're right, the destination IP in my iptables example must be the IP of the PLC.

Could you please test if the port is shown as open by using a port scanner like nmap?

Code:

# install nmap package
sudo apt install -y nmap

# scan port on localhost
nmap -p11740 127.0.0.1
nmap -p11740 localhost

# scan port on external (wifi) interface
nmap -p11740 192.168.50.200

Nicolai

Re: Port forwarding from Codesys with AWS SSM

Post by Guest11740 »

All ports are closed:
[Attachment: Ports_Kunbus.PNG]

Re: Port forwarding from Codesys with AWS SSM

Post by nicolaiB »

That's strange. Which IP did you use in your (successful) test with CodeSys?