
Port forwarding from Codesys with AWS SSM

Posted: 11 Oct 2021, 15:31
by Guest11740
Dear all,

I want to remote control a Codesys PLC with Codesys Studio. For that, I am using the following setup: the PLC is connected via Ethernet to the RevPi Connect, and the RevPi to the public internet.
I want to use port forwarding with AWS Systems Manager (SSM) to forward port 11740 of the PLC to my local PC. To do so, I installed the SSM Agent on the RevPi and set up the tunnel to my local PC. The problem is that I cannot forward port 11740 of the PLC directly via SSM, only localhost on the RevPi.

1) Is there a way to set the SSM endpoint to the IP address of the PLC in order to forward port 11740 directly to my local PC?
2) Can I configure the RevPi settings (e.g. iptables) to manually forward the port 11740 from the PLC to the RevPi and transfer it from there to the SSM port forwarding?

Thanks to all for answering on that topic!

Re: Port forwarding from Codesys with AWS SSM

Posted: 11 Oct 2021, 15:57
by nicolaiB
Hi Guest,

Unfortunately it is not possible to use a remote host with AWS SSM port forwarding. But as you already figured out, you can create a local port forward from your PLC to your RevPi and point AWS SSM to your local port.
For a quick test you could use the following:

# allow the RevPi to route packets between its interfaces
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
# rewrite the destination of TCP 11740 arriving on eth0
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 11740 -j DNAT --to-destination 127.0.0.1:11740
# let replies flow back through the RevPi's own address
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Nicolai

Re: Port forwarding from Codesys with AWS SSM

Posted: 12 Oct 2021, 16:27
by Guest11740
Hi Nicolai,

thanks a lot for your support! Unfortunately, I have not yet managed to establish the connection.
Below is a sketch of the setup I use.
[attachment: SSM_Kunbus.png, sketch of the setup]
The port forwarding with the SSM agent between the service PC and the RevPi is working. I checked that by forwarding port 22 and using an SSH connection.
However, with SSM + iptables port forwarding the connection cannot be established using these iptables rules:

echo 1  | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 11740 -j DNAT --to-destination 127.0.0.1:11740
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Since the connection is always started from the service PC, I reversed the direction of the rules:

echo 1  | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A PREROUTING -p tcp --dport 11740 -j DNAT --to-destination 192.168.2.20:11740
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The connection via SSM still didn't work. But I was able to connect to the PLC if I specified the RevPi as the target system within Codesys Studio. So the port forwarding with iptables from the PLC to the RevPi should work. Can you see why it is still not possible to use the SSM port forwarding?

Thank you very much for your support!

Re: Port forwarding from Codesys with AWS SSM

Posted: 12 Oct 2021, 17:22
by nicolaiB
Hi Guest11740

Good catch! You're right, the destination IP in my iptables example must be the IP of the PLC.

Could you please test whether the port is shown as open using a port scanner like nmap?

# install nmap package
sudo apt install -y nmap

# scan the Codesys port on localhost
nmap -p11740 127.0.0.1
nmap -p11740 localhost

# scan the same port on the external (wifi) interface
nmap -p11740 192.168.50.200

Nicolai
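A complete version of the local forward on the RevPi, as an added example that is not code from this thread, from KUNBUS or from AWS. The SSM agent is a process on the RevPi and dials 127.0.0.1 itself, so its packets traverse the nat OUTPUT chain and never nat/PREROUTING, which only sees packets arriving on a physical interface; the same is true of nmap run on the RevPi against 127.0.0.1. The example therefore attaches the DNAT to OUTPUT and adds no rule on the internet-facing interface, so TCP 11740 of the PLC is reachable only through the tunnel endpoint. The PLC address 192.168.2.20 and port 11740 are the ones used in the thread; the PLC-facing interface name eth1 and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example for this thread (not code from the posts, KUNBUS or AWS):
# forward the SSM agent's connection to 127.0.0.1:11740 on the RevPi to the PLC.
# Assumed, not stated on the page: the PLC-facing interface is eth1, and the
# function names are made up here. 192.168.2.20 and 11740 come from the thread.
set -u

# Build the iptables commands for one TCP port. A DNAT in nat/OUTPUT catches
# locally originated connections (SSM agent, nmap on the RevPi); MASQUERADE
# towards the PLC makes the RevPi the visible source so replies come back.
# ip_forward is not needed: the packets are local traffic, not forwarded.
plc_forward_rules() {
  plc_ip=$1; port=$2; plc_if=$3
  # The values end up on a root command line: accept only plain characters.
  case "$plc_ip" in
    ""|*[!0-9.]*) echo "plc_forward_rules: bad PLC address '$plc_ip'" >&2; return 1 ;;
  esac
  case "$port" in
    ""|*[!0-9]*) echo "plc_forward_rules: bad port '$port'" >&2; return 1 ;;
  esac
  case "$plc_if" in
    ""|*[!A-Za-z0-9._-]*) echo "plc_forward_rules: bad interface '$plc_if'" >&2; return 1 ;;
  esac
  printf '%s\n' \
    "iptables -t nat -A OUTPUT -o lo -p tcp --dport $port -j DNAT --to-destination $plc_ip:$port" \
    "iptables -t nat -A POSTROUTING -o $plc_if -p tcp -d $plc_ip --dport $port -j MASQUERADE"
}

# Print the rules (DRY_RUN=1) or apply them with sudo. They are not
# persistent; re-run after a reboot or keep them with iptables-save.
plc_forward_apply() {
  rules=$(plc_forward_rules "$@") || return 1
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$rules"
    return 0
  fi
  printf '%s\n' "$rules" | while IFS= read -r cmd; do
    # word splitting of $cmd is intended: one iptables argv per line
    sudo $cmd || exit 1
  done
}

# Check from the RevPi itself, i.e. over the same path the SSM agent uses.
# 'nc -z' only opens and closes the TCP connection; status 0 means the PLC answered.
plc_forward_check() {
  nc -z -w 3 127.0.0.1 "$1"
}

# Usage on the RevPi:
#   DRY_RUN=1 sh plc_forward.sh   # only show the rules
#   sh plc_forward.sh             # apply them, then test the port
case "$0" in
  *plc_forward.sh)
    plc_forward_apply 192.168.2.20 11740 eth1 || exit 1
    [ "${DRY_RUN:-0}" = 1 ] || plc_forward_check 11740
    ;;
esac
```

After applying the rules, the nmap check from the RevPi against 127.0.0.1 should report 11740 open, and the SSM session can keep pointing at the RevPi's local port. If iptables is not wanted on the device, a userspace relay bound to loopback does the same job without touching the kernel's nat tables: `socat TCP-LISTEN:11740,bind=127.0.0.1,fork,reuseaddr TCP:192.168.2.20:11740`; binding to 127.0.0.1 is what keeps the PLC port off the public interface.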

Re: Port forwarding from Codesys with AWS SSM

Posted: 12 Oct 2021, 17:42
by Guest11740
All ports are closed:
[attachment: Ports_Kunbus.PNG, nmap output]

Re: Port forwarding from Codesys with AWS SSM

Posted: 12 Oct 2021, 17:57
by nicolaiB
That's strange. Which IP did you use in your (successful) test with CodeSys?