On Jul 24, 2010, William Price wrote:
> Hello all,

Hi Will,

> This is my first time trying to set up fwknopd; I'm installing into a new
> Fedora 13 box. I've been searching the archives and other Web sources, but
> haven't been able to come across this particular problem. Any assistance
> would be greatly appreciated.

This is an interesting one.

> Essentially, I can get fwknopd to add a rule to the iptables firewall but it
> fails to remove the rule(s) after they expire. I don't recall seeing this in
> the instructions, but I found that I had to define the FWKNOP_INPUT chain
> manually in the iptables configuration, though fwknop takes care of adding
> the rules itself.

Typically the FWKNOP_INPUT chain is not created by fwknopd until it actually
needs to be there - i.e. when it receives the first valid SPA packet. And,
fwknopd runs a check to see if the FWKNOP_INPUT chain is there whenever an
SPA packet is received because it is possible that an iptables-restore (or
usage of "iptables -X") could have removed the chain out from under fwknopd
as it runs.

> This is pretty much a virgin box, with very little changed other than
> updating packages with yum and adding a few firewall rules. It's currently
> on my home network but will be eventually hosted in a proper environment. I
> mention this because I'm not entirely sure what the correct value of the
> 'hostname' parameter should be in fwknop.conf; right now I have it set to
> 'localhost'. That file is essentially unchanged from the RPM install, except
> that I set the following:
>
> EMAIL_ADDRESS           sysad...@xxxxxx;
> ENABLE_PROC_IP_FORWARD  N;
> ENABLE_VOLUNTARY_EXITS  Y;   # have tried with this set 'N' as well
> LOCALE                  NONE;
> ALERTING_METHODS        noemail;
> IPT_EXEC_SLEEP          1;
> IPT_EXEC_STYLE          waitpid;   # default, listed in case someone asks

Those settings look fine. We'll get things working without enabling the
ENABLE_VOLUNTARY_EXITS feature - I would recommend setting that to N. More
below...
> The server is on the local network as: 10.0.1.13
> My workstation is the "remote" client: 10.0.1.10
>
> [client]$ fwknop -D 10.0.1.13 -s -A tcp/1001
>
> [+] Starting fwknop client (SPA mode)...
> [+] Enter an encryption key. This key must match a key in the file
>     /etc/fwknop/access.conf on the remote system.
>
> Encryption Key:
>
> [+] Building encrypted Single Packet Authorization (SPA) message...
> [+] Packet fields:
>
>         Random data:    6294295835114171
>         Username:       xxxxx
>         Timestamp:      1279994273
>         Version:        1.9.12
>         Type:           1 (access mode)
>         Access:         0.0.0.0,tcp/1001
>         SHA256 digest:  0xxTlyesbtI2SYWfBqK9WsxPcAYDnJlp2ep49rgPcNA
>
> [+] Sending 182 byte message to 10.0.1.13 over udp/62201...
>
> # about 40 seconds later:
> [client]$ fwknop -Last-host 10.0.1.13
> ... same as above ...
>
> =====================
> installed packages:
>
> kernel   2.6.33.6-147.fc13.x86_64
> iptables 1.4.7-2.fc13.x86_64
> perl     5.10.1-114.fc13.x86_64
> fwknop   1.9.12-1.x86_64
>
> =====================
> /etc/fwknop/access.conf:
>
> SOURCE: ANY;
> OPEN_PORTS: tcp/22, tcp/1001;
> KEY: xxxx;
> FW_ACCESS_TIMEOUT: 30;
>
> =====================
> /etc/sysconfig/iptables:
>
> *filter
> :FORWARD ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :FWKNOP_INPUT - [0:0]
>
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
>
> -A INPUT -p tcp -m tcp -m state --state NEW --dport 25 -j ACCEPT
> -A INPUT -p tcp -m tcp -m multiport -m state --state NEW --dports 80,443 -j ACCEPT
> -A INPUT -p tcp -m tcp -m state --state NEW -s 10.0.1.0/24 --dport 22 -j ACCEPT
>
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> =====================
> syslog:
>
> kernel: device eth0 entered promiscuous mode
> fwknopd: received valid Rijndael encrypted packet from 10.0.1.10, remote user: xxxxx, client version: 1.9.12 (SOURCE line num: 25)
> fwknopd: add FWKNOP_INPUT 10.0.1.10 -> 0.0.0.0/0(tcp/1001) ACCEPT rule 30 sec
> fwknop(knoptm): exceeded max removal tries for 10.0.1.10 -> 0.0.0.0/0(tcp/1001), deleting from cache
> fwknopd: received valid Rijndael encrypted packet from 10.0.1.10, remote user: xxxxx, client version: 1.9.12 (SOURCE line num: 25)
> fwknopd: add FWKNOP_INPUT 10.0.1.10 -> 0.0.0.0/0(tcp/1001) ACCEPT rule 30 sec
> fwknop(knoptm): exceeded max removal tries for 10.0.1.10 -> 0.0.0.0/0(tcp/1001), deleting from cache
>
> =====================
> # iptables -L INPUT
> Chain INPUT (policy ACCEPT)
> target        prot opt source               destination
> FWKNOP_INPUT  all  --  anywhere             anywhere            #note: added by fwknopd
> ACCEPT        all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT        icmp --  anywhere             anywhere
> ACCEPT        all  --  anywhere             anywhere            #note: -i lo rule
> ACCEPT        tcp  --  anywhere             anywhere            tcp dpt:smtp state NEW
> ACCEPT        tcp  --  anywhere             anywhere            tcp multiport dports http,https state NEW
> ACCEPT        tcp  --  10.0.1.0/24          anywhere            tcp dpt:ssh state NEW
> REJECT        all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> =====================
> # iptables -L FWKNOP_INPUT
> Chain FWKNOP_INPUT (2 references)
> target        prot opt source               destination
> ACCEPT        tcp  --  10.0.1.10            anywhere            tcp dpt:1001
> ACCEPT        tcp  --  10.0.1.10            anywhere            tcp dpt:1001
>
> =====================
> `knoptm --debug` output:
>
> Received line: 1279996038 30 10.0.1.10 0 0.0.0.0/0 1001 tcp filter FWKNOP_INPUT ACCEPT src 0.0.0.0/0 0 TkE= 0
>
> ...
>
> [+] Expiring rule: 1279996038 30 10.0.1.10 0 0.0.0.0/0 1001 tcp filter FWKNOP_INPUT ACCEPT src 0.0.0.0/0 0 TkE= 0
> [+] IPTables::Parse::VERSION 0.7
> [+] IPTables::Parse::exec_iptables(waitpid()) /sbin/iptables -t -filter -v- n -L FWKNOP_INPUT
> [+] IPTables::Parse::exec_iptables() sleep seconds: 1
> [+] IPTables::Parse: sleeping for 1 seconds before executing iptables command.
> [+] IPTables::Parse: Setting SIGCHLD handler to: CODE(0x1d494f8)
> iptables command stdout:
> iptables command stderr:
> [-] exceeded max removal tries for 10.0.1.10 -> 0.0.0.0/0(tcp/1001), deleting from cache
>
> (the above block is repeated multiple times prior to the 'exceeded' message line)

It occurs to me that I need to add more verbose debug output in the
IPTables::ChainMgr and IPTables::Parse modules so that we can have more
visibility. It looks like find_ip_rule() cannot actually find the rule that
was added by fwknopd. However, could you run the fwknop test suite on that
system and send me the anonymized output? You can do this by downloading the
fwknop-1.9.12 sources, going to the test/ directory, then running:

# ./fwknop_test.pl

And then run:

# ./fwknop_test.pl -P

The end result will be a tarball of the test results in the test/ directory.
Can you send that to me?

Thanks,

--Mike

> Thanks in advance!
> -- Will

_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
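The removal step that knoptm is failing at in the debug output above, as an added example written for this page in Python (it is not fwknop's own code; fwknop 1.9.x and IPTables::Parse are Perl). It parses a constructed `iptables -t filter -v -n -L FWKNOP_INPUT --line-numbers` listing, matches the expiring entry from a knoptm cache line shaped like the one in the thread, and generates the `-D` commands by rule number, highest first so the remaining numbers stay valid. It also treats an empty or failed listing as an error rather than as "rule not found", which is the symptom visible above (empty `iptables command stdout:`). Assumptions: the meaning of the cache-line columns past `target`, the contents of the sample listing, and the `--line-numbers` column layout used here.

```python
# Added example: locate and delete an expired SPA access rule by rule number.
# Not fwknop's code. The sample listing and cache line below are constructed.
import re
from dataclasses import dataclass
from typing import List

# Newer iptables builds print protocol numbers under -n; normalise them.
PROTO_NUMS = {"6": "tcp", "17": "udp", "1": "icmp"}


class ChainListingError(Exception):
    """The iptables listing is unusable (command failed or chain is missing)."""


@dataclass(frozen=True)
class Rule:
    num: int
    target: str
    proto: str
    src: str
    dst: str
    extra: str  # match text after destination, e.g. "tcp dpt:1001"


@dataclass(frozen=True)
class CacheEntry:
    """One knoptm cache line. Column positions follow the debug line in the
    thread; the meaning of the columns after 'target' is an assumption."""
    timestamp: int
    timeout: int
    src: str
    dst: str
    dport: int
    proto: str
    table: str
    chain: str
    target: str

    def expired(self, now: int) -> bool:
        return now >= self.timestamp + self.timeout


def parse_cache_line(line: str) -> CacheEntry:
    f = line.split()
    return CacheEntry(int(f[0]), int(f[1]), f[2], f[4], int(f[5]),
                      f[6], f[7], f[8], f[9])


def listing_is_usable(stdout: str, stderr: str = "", rc: int = 0) -> bool:
    """False for the failure mode in the thread: rc 0 but nothing on stdout."""
    lines = [l for l in stdout.splitlines() if l.strip()]
    return rc == 0 and bool(lines) and lines[0].startswith("Chain ")


def parse_listing(stdout: str, stderr: str = "", rc: int = 0) -> List[Rule]:
    """Parse 'iptables -t filter -v -n -L <chain> --line-numbers' output."""
    if not listing_is_usable(stdout, stderr, rc):
        raise ChainListingError(
            f"iptables listing unusable (rc={rc}): {stderr.strip() or 'empty output'}")
    rules = []
    for line in stdout.splitlines()[1:]:
        if not line.strip() or line.startswith("num "):
            continue  # blank line or column header
        # num pkts bytes target prot opt in out source destination [extra]
        fields = line.split(None, 9)
        if len(fields) < 10:
            continue
        dst_and_extra = fields[9].split(None, 1)
        dst = dst_and_extra[0]
        extra = dst_and_extra[1].strip() if len(dst_and_extra) > 1 else ""
        proto = PROTO_NUMS.get(fields[4], fields[4])
        rules.append(Rule(int(fields[0]), fields[3], proto, fields[8], dst, extra))
    return rules


def find_rule_numbers(rules: List[Rule], entry: CacheEntry) -> List[int]:
    """Every rule matching the cache entry; duplicates (as in the thread) included."""
    want = re.compile(rf"\bdpt:{entry.dport}\b")
    return [r.num for r in rules
            if r.target == entry.target and r.proto == entry.proto
            and r.src == entry.src and r.dst == entry.dst
            and want.search(r.extra)]


def delete_commands(rules: List[Rule], entry: CacheEntry) -> List[str]:
    """Delete highest-numbered first so the lower numbers stay valid."""
    nums = sorted(find_rule_numbers(rules, entry), reverse=True)
    return [f"iptables -t {entry.table} -D {entry.chain} {n}" for n in nums]


# Constructed sample: the chain state from the thread as it would appear
# with -v -n --line-numbers (the thread's listing used plain -L), plus one
# unrelated rule that must not be matched.
SAMPLE_LISTING = """\
Chain FWKNOP_INPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       10.0.1.10            0.0.0.0/0            tcp dpt:1001
2        0     0 ACCEPT     tcp  --  *      *       10.0.1.10            0.0.0.0/0            tcp dpt:1001
3        0     0 ACCEPT     tcp  --  *      *       10.0.1.20            0.0.0.0/0            tcp dpt:22
"""

SAMPLE_CACHE_LINE = ("1279996038 30 10.0.1.10 0 0.0.0.0/0 1001 tcp filter "
                     "FWKNOP_INPUT ACCEPT src 0.0.0.0/0 0 TkE= 0")

if __name__ == "__main__":
    entry = parse_cache_line(SAMPLE_CACHE_LINE)
    for cmd in delete_commands(parse_listing(SAMPLE_LISTING), entry):
        print(cmd)
    print("empty listing usable:", listing_is_usable(""))
```

The point of `listing_is_usable` is the check the debug output above suggests is missing: when `iptables -L` returns nothing, retrying the rule search and then "exceeding max removal tries" leaves the ACCEPT rule in place past its timeout, which is the security-relevant outcome. Failing loudly on an unusable listing, and deleting by rule number from the bottom up, are the two things a removal routine has to get right.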
