On Jun 08, 2009, Suno Ano wrote:

> I am using http://en.wikipedia.org/wiki/Openvz and thus I have a bunch
> of VEs (Virtual Environments) running atop the HN (Hardware Node) --
> each VE then appears/feels like a stand-alone Linux. The systems are
> Debian -- HN and VEs.
> 
>    Note: With OpenVZ there is always just one HN and usually one or more
>    VEs. Of course, there might be no VE at all but ...
> 
> I do all the firewalling on the HN i.e. the VEs are protected by using
> iptables rules within the FORWARD chain of the filter table on the HN.
> There is no need to do additional firewalling within the VEs itself.
> 
> Now that this is working excellent, I want to plug fwknop into that
> setup of mine. Of course, I do not want to start firewalling within the
> VEs, rather, it must be possible to only run fwknopd on the HN and
> protect all VEs with this one instance of fwknopd on the HN.

Understood, and yes, fwknop can support this (see below).

> I already installed fwknop-server (the Debian package containing
> fwknopd) on the HN. I also started reading man files and the docu on
> http://www.cipherdyne.org/fwknop/ as well as the config files that come
> with fwknop-{server,client}.
> 
> So far so good ... I figure it is possible to only run fwknopd on the HN
> and enable the setup to use FORWARD. /etc/fwknop/fwknop.conf says:
> 
>   ### Allow SPA clients to request access to services through an
>   ### iptables firewall instead of just to it (i.e. access through the
>   ### FWKNOP_FORWARD chain instead of the INPUT chain). This also
>   ### requires the ENABLE_FORWARD_ACCESS variable to be set in the
>   ### access.conf file for the specific SOURCE stanzas that should be
>   ### allowed for forwarding access.
>   ENABLE_IPT_FORWARDING       N;
> 
> So I set ENABLE_IPT_FORWARDING N; to ENABLE_IPT_FORWARDING Y; and then
> ... well, that is where I am not sure anymore how to proceed. My current
> understanding is to put ENABLE_FORWARD_ACCESS into
> /etc/fwknop/access.conf. However, looking at the examples in
> /usr/share/doc/fwknop-server/README.ACCESS I could not find an example
> that would mention my use case.
> 
> Can anyone help me to reach my goal i.e. integrate fwknopd into my
> forwarding setup?

I understand that the documentation is lacking in this area (I'm working
on this).  Here is how to get this working:

- In the /etc/fwknop/fwknop.conf file, set:

ENABLE_IPT_FORWARDING       Y;

You mentioned this above, and this is correct*.

- In the /etc/fwknop/access.conf file, create a SOURCE stanza like this:

SOURCE: ANY;
OPEN_PORTS: tcp/22;
ENABLE_FORWARD_ACCESS: Y;
FW_ACCESS_TIMEOUT: 30;
KEY: __CHANGEME__;

(Or you can set the GPG_* variables too if you use GnuPG to encrypt
incoming SPA packets from the fwknop client.)

The key is the ENABLE_FORWARD_ACCESS variable.  Then restart fwknopd:

# /etc/init.d/fwknop restart

Now, to request SSH access to one of the internal VEs use the fwknop
client as follows - assuming that 123.1.2.3 is the external IP of the HN
(where fwknopd is configured to sniff traffic), and 192.168.10.2 is an
IP of a VE that you want to reach over SSH:

$ fwknop -A tcp/22 --NAT-access 192.168.10.2:55000 -R -D 123.1.2.3

What this will do is allow you to SSH to port 55000 on 123.1.2.3 (use -p
on the SSH command line), and this connection will be NAT'd through to
the internal VE on 192.168.10.2.

If you want to get more fancy, you can use the --NAT-rand-port option
like so:

$ fwknop -A tcp/22 --NAT-access 192.168.10.2 --NAT-rand-port -R -D 123.1.2.3

This will have the fwknop client request access to SSH via a randomly
assigned port - which fwknop will print on the command line so you can
see it - and then you can make your SSH connection to this port.

> Also, I would like to also protect the sshd running on the HN not just
> the sshds running within the VEs. Is that possible with just one fwknopd
> running on the HN?

Sure, in this case the best thing to do is create another SOURCE stanza
identical to the above in the access.conf file, but just leave out the
ENABLE_FORWARD_ACCESS variable.

Thanks, and let me know if there are any issues.

-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint: E2EF 0C8A 5AA9 654C 4763  B50F 37AC E946 7F51 8271

[*] Depending on your routing setup into the VEs, you may also need to
set:

ENABLE_IPT_SNAT             Y;

However, this is unlikely since it is usually only necessary if the
default route on a system routes traffic out a different interface than
where the incoming connection is made.  For now, just keep
ENABLE_IPT_FORWARDING set to "Y".
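
Since the HN-only setup described in this reply depends on two files agreeing with each other (ENABLE_IPT_FORWARDING in fwknop.conf, and which SOURCE stanzas in access.conf carry ENABLE_FORWARD_ACCESS), a small consistency check is useful before restarting fwknopd. The script below is an added example and is not part of this thread or of fwknop itself. It assumes the file layouts shown above: `VAR   value;` lines with `###` comments in fwknop.conf, `KEY: value;` lines in access.conf with each stanza beginning at a `SOURCE:` line, and, following the reply, that a stanza without ENABLE_FORWARD_ACCESS is the one protecting sshd on the HN. The two sample configurations are constructed for the example.

```python
"""Cross-check fwknop.conf against access.conf for an HN-only forwarding setup.

Added example (not fwknop's own code). Assumed file formats:
  fwknop.conf : 'VAR   value;' lines, '#'/'###' comments
  access.conf : 'KEY: value;' lines, a new stanza starts at each 'SOURCE:'
"""
import re

# Constructed sample of the relevant fwknop.conf lines (not a real system's file).
SAMPLE_FWKNOP_CONF = """\
### Allow SPA clients to request access to services through an
### iptables firewall instead of just to it.
ENABLE_IPT_FORWARDING       Y;
ENABLE_IPT_SNAT             N;
"""

# Constructed sample access.conf: one forwarding stanza for the VEs and one
# plain stanza for sshd on the HN, as the reply recommends.
SAMPLE_ACCESS_CONF = """\
# stanza 1: SPA-gated forwarding through FWKNOP_FORWARD to the VEs
SOURCE: ANY;
OPEN_PORTS: tcp/22;
ENABLE_FORWARD_ACCESS: Y;
FW_ACCESS_TIMEOUT: 30;
KEY: __CHANGEME__;

# stanza 2: identical, minus ENABLE_FORWARD_ACCESS, so it gates the HN's own sshd
SOURCE: ANY;
OPEN_PORTS: tcp/22;
FW_ACCESS_TIMEOUT: 30;
KEY: __CHANGEME__;
"""

# Matches both 'VAR   value;' and 'KEY: value;' forms.
_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:?\s*(.*?)\s*;?\s*$")


def parse_fwknop_conf(text):
    """Return {VAR: value} from fwknop.conf text, ignoring blank and comment lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            conf[m.group(1).upper()] = m.group(2)
    return conf


def parse_access_conf(text):
    """Split access.conf into a list of stanza dicts; each SOURCE: line opens a stanza."""
    stanzas = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).upper(), m.group(2)
        if key == "SOURCE":
            current = {}
            stanzas.append(current)
        if current is None:
            raise ValueError("directive %s appears before the first SOURCE: line" % key)
        current[key] = value
    return stanzas


def _grants_forwarding(stanza):
    return stanza.get("ENABLE_FORWARD_ACCESS", "N").upper() == "Y"


def audit(fwknop_conf_text, access_conf_text):
    """Return a list of findings; an empty list means the two files are consistent."""
    conf = parse_fwknop_conf(fwknop_conf_text)
    stanzas = parse_access_conf(access_conf_text)
    findings = []

    fwd_enabled = conf.get("ENABLE_IPT_FORWARDING", "N").upper() == "Y"
    fwd_stanzas = [s for s in stanzas if _grants_forwarding(s)]
    local_stanzas = [s for s in stanzas if not _grants_forwarding(s)]

    # The two settings only work together: FORWARD access needs both sides set.
    if fwd_stanzas and not fwd_enabled:
        findings.append("access.conf grants forwarding but ENABLE_IPT_FORWARDING is not Y")
    if fwd_enabled and not fwd_stanzas:
        findings.append("ENABLE_IPT_FORWARDING is Y but no stanza sets ENABLE_FORWARD_ACCESS")
    # Without a non-forwarding stanza, SPA cannot open the HN's own sshd.
    if not local_stanzas:
        findings.append("no stanza without ENABLE_FORWARD_ACCESS: sshd on the HN is not SPA-reachable")

    for i, s in enumerate(stanzas, 1):
        has_gpg = any(k.startswith("GPG_") for k in s)
        if "KEY" not in s and not has_gpg:
            findings.append("stanza %d has neither KEY nor GPG_* variables" % i)
        elif s.get("KEY") == "__CHANGEME__":
            findings.append("stanza %d still uses the placeholder KEY __CHANGEME__" % i)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FWKNOP_CONF, SAMPLE_ACCESS_CONF):
        print("WARN:", finding)
```

Run against real files with `audit(open("/etc/fwknop/fwknop.conf").read(), open("/etc/fwknop/access.conf").read())`. On the constructed samples the only findings are the two `__CHANGEME__` placeholder keys, which is exactly what should stop an operator before the `/etc/init.d/fwknop restart` step; flipping ENABLE_IPT_FORWARDING back to N produces the cross-file mismatch finding instead.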

_______________________________________________
Fwknop-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss