Using Ziti to "make Zero Trust something that is not, without touching it"

I've tried with no results.

In the afternoon I'll try starting from the beginning another time, and if it doesn't work I think I'll try another way (if you have something to suggest as an alternative).

Do I need to add ziti-client in the 10.0.0.0/8 subnet? Like the following:

  ziti-client:
    image: openziti/ziti-router:1.1.9
    container_name: ziti-client
    depends_on:
      - ziti-ctrl
    expose:
      - 3022
    networks:
      testnet:
        ipv4_address: ${HMISIEMENS_ADDRESS:-172.19.1.2}
      clientnet:
    environment:
      ZITI_CTRL_ADVERTISED_ADDRESS: ziti-controller
      ZITI_ENROLL_TOKEN: tkn
      ZITI_ROUTER_NAME: tproxy
    volumes:
      - ziti-client:/ziti-router
    dns:
      - 127.0.0.1
      - 1.1.1.1
    user: root
    cap_add:
      - NET_ADMIN
  siemensclient:
    build:
      context: ./SiemensClient
      dockerfile: Dockerfile
    stdin_open: true
    tty: true
    environment:
      PLCSIEMENS_ADDRESS: ${PLCSIEMENS_ADDRESS:-10.11.12.13}
      PLCSIEMENS_PORT: ${PLCSIEMENS_PORT:-102}
      PLCSIEMENS_RACK: ${PLCSIEMENS_RACK:-0}
      PLCSIEMENS_SLOT: ${PLCSIEMENS_SLOT:-1}
    container_name: ${HMISIEMENS_CONTAINER_NAME:-siemensclient}
    # networks:
    #   testnet:
    #     ipv4_address: ${HMISIEMENS_ADDRESS:-172.19.1.2}
    network_mode: service:ziti-client
    command: ["python3", "SiemensClient.py"]

In the ziti edge config I have the following:

{
    "addresses": [
        "10.0.0.0/8"
    ],
    "portRanges": [
        {
            "high": 102,
            "low": 102
        }
    ],
    "protocols": [
        "tcp",
        "udp"
    ]
}

EDIT:
FYI, repeating every single step from the beginning, I obtained a new output from the client-side tunneler.

ziti-client  | {"file":"github.com/openziti/ziti/tunnel/intercept/tproxy/tproxy_linux.go:101","func":"github.com/openziti/ziti/tunnel/intercept/tproxy.New","level":"info","msg":"tproxy config: lanIf            =  []","time":"2024-09-03T16:39:44.345Z"}
ziti-client  | {"file":"github.com/openziti/ziti/tunnel/intercept/tproxy/tproxy_linux.go:102","func":"github.com/openziti/ziti/tunnel/intercept/tproxy.New","level":"info","msg":"tproxy config: diverter         =  []","time":"2024-09-03T16:39:44.345Z"}
ziti-client  | {"file":"github.com/openziti/ziti/tunnel/intercept/tproxy/tproxy_linux.go:103","func":"github.com/openziti/ziti/tunnel/intercept/tproxy.New","level":"info","msg":"tproxy config: udpIdleTimeout   =  [5m0s]","time":"2024-09-03T16:39:44.346Z"}
ziti-client  | {"file":"github.com/openziti/ziti/tunnel/intercept/tproxy/tproxy_linux.go:104","func":"github.com/openziti/ziti/tunnel/intercept/tproxy.New","level":"info","msg":"tproxy config: udpCheckInterval =  [30s]","time":"2024-09-03T16:39:44.346Z"}
ziti-client  | {"file":"github.com/openziti/ziti/tunnel/intercept/tproxy/tproxy_linux.go:278","func":"github.com/openziti/ziti/tunnel/intercept/tproxy.(*interceptor).addIptablesChain","level":"info","msg":"added iptables 'mangle' link 'PREROUTING' --\u003e 'NF-INTERCEPT'","time":"2024-09-03T16:39:44.368Z"}
ziti-client  | {"file":"github.com/openziti/ziti/tunnel/intercept/tproxy/tproxy_linux.go:144","func":"github.com/openziti/ziti/tunnel/intercept/tproxy.New","level":"info","msg":"no lan interface specified with '-lanIf'. please ensure firewall accepts intercepted service addresses","time":"2024-09-03T16:39:44.368Z"}

I am encouraged by the successful test I just performed. I substituted 10.11.12.13 for the www.ziti.internal intercept address that I was using in this demonstration script that fits your use case.

Here's the intercept.v1 config I modified in the script.

{"protocols":["tcp"],"addresses":["10.11.12.13"], "portRanges":[{"low":80, "high":80}]}

Additionally, I changed the URL used by the "web-client" container running wget to match the intercept.

You shared an intercept.v1 config with address 10.0.0.0/8. This is valid, but also causes all IP addresses in that range to be intercepted whether or not they match a Ziti service. If your goal is to intercept an entire subnet you would then use this approach. If your goal is to intercept a single IP you can represent it the way I showed in this post to modify the demo script.

I'm guessing the firewall is not perfectly aligned and is blocking something. Will you share more insight into where you are inserting the iptables rules that you shared, e.g. in the Docker host's network namespace, or in a firewall container in the Docker project?
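To make the difference between the two intercept.v1 configs in this thread concrete, here is an added example (not OpenZiti code, and not part of the original posts) that evaluates destinations against an intercept.v1 config the way the discussion describes: protocol, one address (single IP, CIDR or hostname) and one port range must all match. The two configs are the ones quoted above; the destination addresses are constructed for illustration.

```python
import ipaddress
import json

# The two intercept.v1 configs quoted in this thread.
SUBNET_INTERCEPT = json.loads("""
{"addresses": ["10.0.0.0/8"],
 "portRanges": [{"high": 102, "low": 102}],
 "protocols": ["tcp", "udp"]}
""")

SINGLE_IP_INTERCEPT = json.loads(
    '{"protocols":["tcp"],"addresses":["10.11.12.13"], '
    '"portRanges":[{"low":80, "high":80}]}'
)


def address_matches(pattern: str, dest: str) -> bool:
    """True if dest (an IP literal or hostname) falls under pattern.

    pattern may be a single IP, a CIDR block or a hostname. Hostnames
    are compared case-insensitively; no DNS resolution is done here,
    so a hostname never matches an IP/CIDR pattern.
    """
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern.lower() == dest.lower()  # hostname pattern
    try:
        return ipaddress.ip_address(dest) in net
    except ValueError:
        return False  # dest is a hostname, pattern is an IP/CIDR


def would_intercept(config: dict, proto: str, dest: str, port: int) -> bool:
    """Evaluate one destination against an intercept.v1 config."""
    if proto.lower() not in [p.lower() for p in config["protocols"]]:
        return False
    if not any(address_matches(a, dest) for a in config["addresses"]):
        return False
    return any(r["low"] <= port <= r["high"] for r in config["portRanges"])


def over_intercepted(broad: dict, narrow: dict, flows):
    """Return the (proto, dest, port) flows that the broad config would
    capture but the narrow one would not: traffic the tunneler diverts
    even though no single-host service was intended for it."""
    return [f for f in flows
            if would_intercept(broad, *f) and not would_intercept(narrow, *f)]
```

With a /8 address the tunneler diverts every host in that range on the listed ports, so a second device at, say, 10.200.1.1:102 (constructed) is intercepted as well; with the single-IP config only the PLC address is.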

Since I restarted the whole process, there are no iptables rules and there are no firewall containers (IDK if Docker uses its own firewall implicitly).

I have no idea why, but we have the same configuration and it does not work. I'll use the script you shared to check what's happening and try to find out the reason.

It actually works!
I'm gonna try this whole script, only changing names and the web-server/client with my PLC/HMI. I guess it should work, let's see...

EDIT: IT WORKS FINALLY. The only thing that's not clear is why the previous configuration didn't work. Probably, making several attempts, I misconfigured something that was difficult to notice.

Thanks a lot for all the time you spent helping me reach the goal. Appreciate it!