Join Log in
Score:0
avatar Server

NAT port to internal node

ru flag
bas

We are working with a PLC (phoenix plc next) which connects to a profinet (and profibus) network. Due to lack of tooling and being unable to rewire things to our needs (the PLC is integrated in our machine) we are looking for different ways to reach some https webserver on the profibus master.

So from some distance, we have a windows PC. This PC is connected through a switch to a PLC. This PLC is running on a linux distribution. The PLC is connected to profinet master and profibus master.

  • WinPC (192.168.192.200)
  • PLC external nic (192.168.192.202)
  • PLC internal nic (192.168.2.2)
  • Profinet master (192.168.2.3)
  • Profibus master (192.168.2.4)

What would be absolutely brilliant, if we were able to open a web browser on the windows PC, and connect to the profibus master (where the PLC would simply NAT the packets to profibus master).

I have root access on the PLC, so I thought I could manage this by using iptables. Since we don't care about security whatsoever, I set all policies to accept (INPUT, OUTPUT, FORWARD). The only step I then have to take (naive me...) is the NAT the packet to the destination. Unfortunately it's not working.

my current output of iptables -S

root@axcf3152:/opt/plcnext/# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

and my nat table

root@axcf3152:/opt/plcnext/# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       icmp --  anywhere             anywhere             to:192.168.2.4
DNAT       tcp  --  anywhere             anywhere             tcp dpt:6666 to:192.168.2.4:443
DNAT       tcp  --  anywhere             anywhere             tcp dpt:5555 to:192.168.2.3:443
DNAT       tcp  --  anywhere             anywhere             tcp dpt:4444 to:192.168.2.3:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:3333 to:192.168.2.4:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:6666 to:192.168.2.4:443

So basically, all I did besides setting all policies to ACCEPT is add a few rules for nat:

iptables -t nat -A PREROUTING -p tcp --dport 6666 -j DNAT --to-destination 192.168.2.4:443

And then for both flavors (http (80), https (443)), and for both profinet master (192.168.2.3) and profibus master (192.168.2.4)

If I understand all I read about iptables this evening I don't need to bother with adding rules for filter table 'FORWARD' since I am accepting everything (super unsafe, but we don't care for this test setup).

The only thing I am not sure about, is if (or when) I also need to nat POSTROUTING.

Anyway, when I open the webpage https://192.168.192.202:6666 or any of its flavors, the page can't load (connection refused).

Any help would be GREATLY appreciated!!

UPDATE:

issuing the following commands let me ping the profibus master (I THINK)

iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT
iptables -t nat -A PREROUTING -p icmp -j DNAT --to-destination 192.168.2.4
iptables -t filter -A FORWARD -p icmp -d 192.168.2.4 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE

when I now ping on windows PC to 192.168.192.202 I get replies. I also see the iptables -t nat -L -v increase the stats on this rule (#packets + bytes increase when I submit new ping commands).

I think this proves that the profinet master is replying the ping (since I reject icmp on the PLC itself now)

Questions:

  • Do I need the FORWARD rule ? Or was my assumption correct that I am allowing everything and is this rule redundant?
  • Do I need to add the MASQUARADE? I still have a hard time understanding what this actually does (as many others it seems by the amount of questions there are on the web)
  • Is there anything missing from my iptables experiment that would explain why https is not being forwarded? Or does everything look fine and would the issue be in the actual profibus master (not hosting the webserver there as vendor claims e.g.)

UPDATE2:

The icmp rule works from time to time. When I delete all rules from iptables and try to reproduce the steps, I doesn't always work. iptables is harder than I thought it would be...

35
0 + 0
nat
Brennen Smith avatar
nz flag
Brennen Smith
Have you enabled IPv4 forwarding within the kernel? It's disabled by default: Add the line: `net.ipv4.ip_forward=1` to `/etc/sysctl.conf` and then reload with `sysctl -p`. Does the ICMP DNAT rule work presently?
0
Reply
ru flag
bas
@BrennenSmith I did as you suggested. Pretty sure it was disabled. I uncommented `#net/ipv4/ip_forward=1` and reloaded with `sysctl -p`. It outputs (among other settings) `net.ipv4.ip_forward=1`. I also updated my question with some "proof" I think that icmp is being forwarded correctly. Still not succeeding in nat-ing the https requests
0
Reply
djdomi avatar
za flag
djdomi
i am unsure why you not want just to use nginx as reverse proxy instead of exposing the server service?
0
Reply
ru flag
bas
@djdomi can you eloborate if there is an easier way to achieve this?
0
Reply
djdomi avatar
za flag
djdomi
if i understood the question all you use is a Webserver that sits inside the lan somewhere, and you want to use it via a external accessible place. this is a common way to use nginx as reverse proxy
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.