Hello all,
This is my first time trying to set up fwknopd; I'm installing into a new
Fedora 13 box. I've been searching the archives and other Web sources, but
haven't been able to come across this particular problem. Any assistance would
be greatly appreciated.
Essentially, I can get fwknopd to add a rule to the iptables firewall but it
fails to remove the rule(s) after they expire. I don't recall seeing this in
the instructions, but I found that I had to define the FWKNOP_INPUT chain
manually in the iptables configuration, though fwknop takes care of adding the
rules itself.
This is pretty much a virgin box, with very little changed other than updating
packages with yum and adding a few firewall rules. It's currently on my home
network but will be eventually hosted in a proper environment. I mention this
because I'm not entirely sure what the correct value of the 'hostname'
parameter should be in fwknop.conf; right now I have it set to 'localhost'.
That file is essentially unchanged from the RPM install, except that I set the
following:
EMAIL_ADDRESS sysad...@xxxxxx;
ENABLE_PROC_IP_FORWARD N;
ENABLE_VOLUNTARY_EXITS Y; # have tried with this set 'N' as well
LOCALE NONE;
ALERTING_METHODS noemail;
IPT_EXEC_SLEEP 1;
IPT_EXEC_STYLE waitpid; # default, listed in case someone asks
The server is on the local network as: 10.0.1.13
My workstation is the "remote" client: 10.0.1.10
[client]$ fwknop -D 10.0.1.13 -s -A tcp/1001
[+] Starting fwknop client (SPA mode)...
[+] Enter an encryption key. This key must match a key in the file
/etc/fwknop/access.conf on the remote system.
Encryption Key:
[+] Building encrypted Single Packet Authorization (SPA) message...
[+] Packet fields:
Random data: 6294295835114171
Username: xxxxx
Timestamp: 1279994273
Version: 1.9.12
Type: 1 (access mode)
Access: 0.0.0.0,tcp/1001
SHA256 digest: 0xxTlyesbtI2SYWfBqK9WsxPcAYDnJlp2ep49rgPcNA
[+] Sending 182 byte message to 10.0.1.13 over udp/62201...
# about 40 seconds later:
[client]$ fwknop -Last-host 10.0.1.13
... same as above ...
=====================
installed packages:
kernel 2.6.33.6-147.fc13.x86_64
iptables 1.4.7-2.fc13.x86_64
perl 5.10.1-114.fc13.x86_64
fwknop 1.9.12-1.x86_64
=====================
/etc/fwknop/access.conf:
SOURCE: ANY;
OPEN_PORTS: tcp/22, tcp/1001;
KEY: xxxx;
FW_ACCESS_TIMEOUT: 30;
=====================
/etc/sysconfig/iptables:
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FWKNOP_INPUT - [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state NEW --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport -m state --state NEW --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state NEW -s 10.0.1.0/24 --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
=====================
syslog:
kernel: device eth0 entered promiscuous mode
fwknopd: received valid Rijndael encrypted packet from 10.0.1.10, remote user: xxxxx, client version: 1.9.12 (SOURCE line num: 25)
fwknopd: add FWKNOP_INPUT 10.0.1.10 -> 0.0.0.0/0(tcp/1001) ACCEPT rule 30 sec
fwknop(knoptm): exceeded max removal tries for 10.0.1.10 -> 0.0.0.0/0(tcp/1001), deleting from cache
fwknopd: received valid Rijndael encrypted packet from 10.0.1.10, remote user: xxxxx, client version: 1.9.12 (SOURCE line num: 25)
fwknopd: add FWKNOP_INPUT 10.0.1.10 -> 0.0.0.0/0(tcp/1001) ACCEPT rule 30 sec
fwknop(knoptm): exceeded max removal tries for 10.0.1.10 -> 0.0.0.0/0(tcp/1001), deleting from cache
=====================
# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
FWKNOP_INPUT all -- anywhere anywhere #note: added by fwknopd
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere #note: -i lo rule
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW
ACCEPT tcp -- anywhere anywhere tcp multiport dports http,https state NEW
ACCEPT tcp -- 10.0.1.0/24 anywhere tcp dpt:ssh state NEW
REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited
=====================
# iptables -L FWKNOP_INPUT
Chain FWKNOP_INPUT (2 references)
target prot opt source destination
ACCEPT tcp -- 10.0.1.10 anywhere tcp dpt:1001
ACCEPT tcp -- 10.0.1.10 anywhere tcp dpt:1001
=====================
`knoptm --debug` output:
Received line: 1279996038 30 10.0.1.10 0 0.0.0.0/0 1001 tcp filter FWKNOP_INPUT ACCEPT src 0.0.0.0/0 0 TkE= 0
...
[+] Expiring rule: 1279996038 30 10.0.1.10 0 0.0.0.0/0 1001 tcp filter FWKNOP_INPUT ACCEPT src 0.0.0.0/0 0 TkE= 0
[+] IPTables::Parse::VERSION 0.7
[+] IPTables::Parse::exec_iptables(waitpid()) /sbin/iptables -t -filter -v- n -L FWKNOP_INPUT
[+] IPTables::Parse::exec_iptables() sleep seconds: 1
[+] IPTables::Parse: sleeping for 1 seconds before executing iptables command.
[+] IPTables::Parse: Setting SIGCHLD handler to: CODE(0x1d494f8)
iptables command stdout:
iptables command stderr:
[-] exceeded max removal tries for 10.0.1.10 -> 0.0.0.0/0(tcp/1001), deleting from cache
(the above block is repeated multiple times prior to the 'exceeded' message line)
Thanks in advance!
-- Will
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
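Added example, not part of the post above and not fwknop or knoptm code: a small Python tool that parses a knoptm rule-cache line of the shape shown in the `knoptm --debug` output, decides whether the rule has expired from its timestamp and FW_ACCESS_TIMEOUT, and builds the `iptables -D` commands needed to remove it. The meaning of each cache-line field (timestamp, timeout, source, source port, destination, destination port, protocol, table, chain, target) is an assumption read off the sample line and the matching "add FWKNOP_INPUT ..." syslog entry; the trailing fields are kept but not interpreted, and the rule spec used for `-D` is assumed to match what fwknopd inserted. The listing sample is constructed to mirror the `iptables -L FWKNOP_INPUT` output in the post, in `-n` form, with the rule present twice.

```python
"""Added example (not from the post or the fwknop project): parse an fwknop
1.9.x knoptm rule-cache line as printed by `knoptm --debug`, decide whether the
rule has expired, and build one `iptables -D` per copy still visible in the
chain listing. The meaning of every cache-line field is an ASSUMPTION read off
the sample in the post; only the leading fields are used."""
import subprocess
import time
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, copied from the `knoptm --debug` output in the post.
SAMPLE_CACHE_LINE = ("1279996038 30 10.0.1.10 0 0.0.0.0/0 1001 tcp filter "
                     "FWKNOP_INPUT ACCEPT src 0.0.0.0/0 0 TkE= 0")

# Constructed sample of `iptables -n -L FWKNOP_INPUT` for the post's chain,
# which holds two identical rules (one per SPA packet that was accepted).
SAMPLE_LISTING = """Chain FWKNOP_INPUT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  10.0.1.10            0.0.0.0/0            tcp dpt:1001
ACCEPT     tcp  --  10.0.1.10            0.0.0.0/0            tcp dpt:1001
"""


@dataclass
class CachedRule:
    added: int        # epoch seconds when fwknopd inserted the rule (assumed)
    timeout: int      # FW_ACCESS_TIMEOUT in seconds (assumed)
    src: str
    sport: int        # 0 means "any" (assumed)
    dst: str
    dport: int
    proto: str
    table: str
    chain: str
    target: str
    rest: Tuple[str, ...]   # trailing fields, not interpreted here

    def expires_at(self) -> int:
        return self.added + self.timeout

    def is_expired(self, now: int) -> bool:
        return now >= self.expires_at()

    def delete_cmd(self, iptables: str = "/sbin/iptables") -> List[str]:
        """Rule spec assumed to match what fwknopd 1.9 inserted (assumption)."""
        cmd = [iptables, "-t", self.table, "-D", self.chain,
               "-p", self.proto, "-s", self.src]
        if self.dst != "0.0.0.0/0":
            cmd += ["-d", self.dst]
        if self.sport:
            cmd += ["--sport", str(self.sport)]
        cmd += ["--dport", str(self.dport), "-j", self.target]
        return cmd


def parse_cache_line(line: str) -> CachedRule:
    f = line.split()
    if len(f) < 10:
        raise ValueError("short knoptm cache line: %r" % line)
    return CachedRule(int(f[0]), int(f[1]), f[2], int(f[3]), f[4], int(f[5]),
                      f[6], f[7], f[8], f[9], tuple(f[10:]))


def count_matching_rules(listing: str, rule: CachedRule) -> int:
    """Count rules in `iptables -n -L <chain>` output with the same target,
    protocol, source and destination port as `rule`."""
    n = 0
    for ln in listing.splitlines():
        f = ln.split()
        if (len(f) >= 6 and f[0] == rule.target and f[1] == rule.proto
                and f[3] == rule.src and "dpt:%d" % rule.dport in f):
            n += 1
    return n


def plan_removal(rule: CachedRule, listing: str, now: int,
                 iptables: str = "/sbin/iptables") -> List[List[str]]:
    """`iptables -D` removes a single rule per call, so emit one delete for
    every copy still present; nothing if the rule has not expired yet."""
    if not rule.is_expired(now):
        return []
    return [rule.delete_cmd(iptables)
            for _ in range(count_matching_rules(listing, rule))]


def remove_expired(rule: CachedRule, iptables: str = "/sbin/iptables") -> int:
    """Live path (needs root): list the chain, then delete expired copies."""
    listing = subprocess.run([iptables, "-t", rule.table, "-n", "-L", rule.chain],
                             capture_output=True, text=True, check=True).stdout
    cmds = plan_removal(rule, listing, int(time.time()), iptables)
    for cmd in cmds:
        subprocess.run(cmd, check=True)
    return len(cmds)


if __name__ == "__main__":
    r = parse_cache_line(SAMPLE_CACHE_LINE)
    print("expires at", r.expires_at(), "copies in listing:",
          count_matching_rules(SAMPLE_LISTING, r))
    for c in plan_removal(r, SAMPLE_LISTING, now=r.expires_at()):
        print(" ".join(c))
```

Two things worth checking with this against a box showing the symptom in the post: the listing command the block runs (`iptables -t filter -n -L FWKNOP_INPUT`) can be compared word for word with the one IPTables::Parse logs in the debug output, and because `-D` deletes only one rule per call, a chain that received the same SPA rule twice needs two deletes before the chain is clean.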