MBLogic for an open world in automation
Standard Internet protocols such as TCP use what are called "ports". These are numbers carried in the TCP (or UDP) header of each packet, inside the Ethernet frame, and the operating system uses them to deliver each packet to the correct application program. Both ends of the connection (client and server) have to agree on the port number in order to communicate with each other. The server must "bind to the port number" (request that number from the operating system) before it can listen on that port for requests. Clients, on the other hand, do not have to choose a particular port: the operating system assigns them a temporary source port automatically, and they are free to send requests to any destination port.
The standard port number for Modbus/TCP is 502. It is possible to use a different port, provided both client and server can be set to use a different port number. In some cases this isn't possible, and in most other cases it is simply more convenient to use the standard port number.
On Unix-like operating systems (Linux, the BSDs, macOS), port numbers below 1024 are "privileged": they are reserved for standard system services such as e-mail servers, web servers, etc., and only a process running as root (or, on Linux, one granted the CAP_NET_BIND_SERVICE capability) may bind to them. This poses a problem for Modbus/TCP. Either the Modbus/TCP server needs to gain (temporarily at least) elevated privileges, or else the incoming messages on port 502 need to be re-routed to a different, unprivileged port. The second choice is often the simplest and poses the fewest security risks: Modbus/TCP has no authentication of its own, so a server that is reachable from the network should not be running with more privileges than it needs.
However, it is important to note that if you don't need to use the Modbus server, or if you do need it but can run it on an alternate port number, then you don't need to redirect the port at all. If the remote client can be configured to use an alternate port, that is usually the best solution.
Linux has a built-in facility called "iptables" which can be used to block, re-route and redirect communications. Redirecting traffic arriving on port 502 to a different port can easily be done with iptables. For example, to redirect incoming traffic on port 502 to port 8502 (note that this rule, as written, accepts connections from any source; if your firewall already filters incoming connections you must also allow port 8502 there, and it is good practice to limit the rule to the interface and client addresses that actually use Modbus with the -i and -s options of iptables):
iptables -t nat -I PREROUTING -p tcp --dport 502 -j REDIRECT --to-port 8502
Depending upon how security is set up on your distro, you may need to either log in as "root", or (preferably) use "sudo". For example:
sudo iptables -t nat -I PREROUTING -p tcp --dport 502 -j REDIRECT --to-port 8502
To save this change permanently so that it is automatically loaded when the computer boots up (assuming you use sudo and have nano installed):
sudo iptables -t nat -I PREROUTING -p tcp --dport 502 -j REDIRECT --to-port 8502
sudo sh -c "iptables-save > /etc/iptables.rules"
sudo nano /etc/network/interfaces
The above example ends with starting the nano editor (you can use a different editor if you wish) to edit the "interfaces" file. This file stores the network interface configuration on Debian-based systems that use ifupdown. Add the following line to the end of the section for the Ethernet interface which will be used for Modbus/TCP (typically "eth0"). If your system manages its interfaces with NetworkManager, netplan or systemd-networkd instead, this file is not consulted; on such systems the usual alternative is the iptables-persistent package, which restores the rules saved in /etc/iptables/rules.v4 at boot.
pre-up iptables-restore < /etc/iptables.rules
Save the configuration file and exit nano. Now packets coming from outside the computer to port 502 will be redirected to port 8502. However, packets originating inside the same computer (e.g. 'localhost') will not be redirected, because the PREROUTING chain only sees packets arriving from a network interface; locally generated packets pass through the nat OUTPUT chain instead. Anything originating on the same computer will need to be sent to port 8502 directly (or a matching REDIRECT rule added to the nat OUTPUT chain).
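The single PREROUTING rule above is the minimum that works. The script below, added here as an example and not part of the MBLogic documentation, builds the complete rule set a practitioner would want: the redirect is limited to the interface and client network that are expected to speak Modbus, loopback clients are redirected as well (the case the previous paragraph describes), and port 8502 is closed to everyone else so that the alternate port does not become a second, unrestricted way in. The interface name eth0, the client network 192.168.10.0/24 and the port 8502 are assumed values; the script name and its "apply" and "check" sub-commands are this example's own invention.

```shell
#!/bin/sh
# Added example, not part of the MBLogic documentation. Builds the complete
# iptables rule set for redirecting Modbus/TCP port 502 to an unprivileged
# port, restricted to the interface and client network that are expected to
# talk Modbus, and covering local (loopback) clients as well.
# MB_IFACE, MB_CLIENTS and MB_ALT_PORT are assumed values; adjust them.

MB_IFACE="${MB_IFACE:-eth0}"                # interface facing the Modbus clients
MB_CLIENTS="${MB_CLIENTS:-192.168.10.0/24}" # hypothetical PLC/HMI network
MB_PORT=502                                 # standard Modbus/TCP port
MB_ALT_PORT="${MB_ALT_PORT:-8502}"          # unprivileged port the server binds

# Accept only a plain decimal TCP port number in the range 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rules without applying them (dry run). They are listed in the
# order they must be executed: -I inserts at the top of a chain, so the
# INPUT DROP is issued first and the two ACCEPTs end up ahead of it.
build_rules() {
    valid_port "$MB_ALT_PORT" || { echo "bad port: $MB_ALT_PORT" >&2; return 1; }
    cat <<EOF
iptables -t nat -I PREROUTING -i $MB_IFACE -s $MB_CLIENTS -p tcp --dport $MB_PORT -j REDIRECT --to-port $MB_ALT_PORT
iptables -t nat -I OUTPUT -o lo -p tcp --dport $MB_PORT -j REDIRECT --to-port $MB_ALT_PORT
iptables -I INPUT -p tcp --dport $MB_ALT_PORT -j DROP
iptables -I INPUT -i $MB_IFACE -s $MB_CLIENTS -p tcp --dport $MB_ALT_PORT -j ACCEPT
iptables -I INPUT -i lo -p tcp --dport $MB_ALT_PORT -j ACCEPT
EOF
}

# Apply the rules (needs root) and save them for iptables-restore at boot.
apply_rules() {
    build_rules | sh -e && iptables-save > /etc/iptables.rules
}

# Verify that the redirect rule is present: iptables -C exits 0 only if
# a rule with exactly these parameters exists in the chain.
check_redirect() {
    iptables -t nat -C PREROUTING -i "$MB_IFACE" -s "$MB_CLIENTS" -p tcp \
        --dport "$MB_PORT" -j REDIRECT --to-port "$MB_ALT_PORT"
}

# Number of rules the dry run produces (a quick sanity check).
rule_count() {
    build_rules | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) apply_rules ;;
    check) check_redirect && echo "redirect 502 -> $MB_ALT_PORT is active" ;;
    *)     build_rules ;;
esac
```

Run it with no arguments to see the rules it would issue, with "apply" (as root) to install and save them, and with "check" to confirm the redirect is in place, for example after a reboot. Because a redirected packet reaches the INPUT chain with its destination port already rewritten to 8502, the filter rules only need to mention the alternate port; a client on an unexpected network that tries either port finds nothing open.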
Microsoft Windows does not restrict which users may bind to ports below 1024, so port 502 can be used directly without redirection. However, if you are running any server (on any port), you may need to adjust the Windows Firewall (or whatever firewall is installed) to allow incoming connections to it.