A working fwknopd installation using a mixture of v1.9 and v2.0

Summary

[+] NOT heavily tested and currently NOT working:
    c++ 2.0 client cannot connect to perl 1.9 server

[+] Tested and currently WORKING:
    perl 1.9 client connecting to perl 1.9 server
    perl 1.9 client connecting to c++ 2.0 server - with snat, dnat and force_nat all perfect
    c++ 2.0 client connecting to c++ 2.0 server - with snat, dnat and force_nat all perfect
Links

fwknop homepage - www.cipherdyne.org/fwknop/
Environment

For this test I have used four machines:

1 x client workstation with both fwknop v1.9 and v2.0 installed on it
1 x v2.0 fwknopd server with three network interfaces:
    eth0 connected to the internet with an IP address of 192.168.1.1
    eth1 connected to an internal subnet with an IP address of 192.168.2.1
    eth2 connected to another internal subnet with an IP address of 192.168.3.1
1 x SSH server connected to the fwknopd server's eth1 with an IP address of 192.168.2.2
1 x SSH server connected to the fwknopd server's eth2 with an IP address of 192.168.3.2
FWKNOPD Port Mapping

Port    Protocol  Description
80400   fwknop    Knock port
80043   ssh       SSH to the fwknop-server itself
80044   ssh       SSH to server1 - 192.168.2.2, connected via eth1
80045   ssh       SSH to server2 - 192.168.3.2, connected via eth2
fwknopd.conf

PCAP_INTF                   eth0;
ENABLE_PCAP_PROMISC         Y;
PCAP_FILTER                 udp port 80400;
ENABLE_SPA_PACKET_AGING     N;
ENABLE_IPT_FORWARDING       Y;
ENABLE_IPT_LOCAL_NAT        Y;
ENABLE_IPT_SNAT             N;
SNAT_TRANSLATE_IP           192.168.1.1;
ENABLE_IPT_OUTPUT           Y;

NOTE: SPA_PACKET_AGING and SNAT are currently not set (both N).
access.conf

SOURCE: ANY;
REQUIRE_USERNAME: fwknop-server;
OPEN_PORTS: tcp/80043;
KEY: password1;
FW_ACCESS_TIMEOUT: 3600;

SOURCE: ANY;
REQUIRE_USERNAME: server1;
OPEN_PORTS: tcp/80044;
KEY: password2;
FORCE_NAT 192.168.2.2 22;
FW_ACCESS_TIMEOUT: 3600;

SOURCE: ANY;
REQUIRE_USERNAME: server2;
OPEN_PORTS: tcp/80045;
KEY: password3;
FORCE_NAT 192.168.3.2 22;
FW_ACCESS_TIMEOUT: 3600;
keyfiles

File knockfwknop-server:
    <yourdomain.com>:password1
File knockserver1:
    <yourdomain.com>:password2
File knockserver2:
    <yourdomain.com>:password3
fwknop client commands

Perl version 1.9

fwknop -D <yourdomain.com> -A tcp/80043 --Server-port 80400 -s --get-key knockfwknop-server --Spoof-user fwknop-server
ssh <username>@<yourdomain.com> -p80043

fwknop -D <yourdomain.com> -A tcp/80044 --Server-port 80400 -s --get-key knockserver1 --Spoof-user server1
ssh <username>@<yourdomain.com> -p80044

fwknop -D <yourdomain.com> -A tcp/80045 --Server-port 80400 -s --get-key knockserver2 --Spoof-user server2
ssh <username>@<yourdomain.com> -p80045

C++ version 2.0

fwknop -D <yourdomain.com> -A tcp/80043 -p 80400 -s -U fwknop-server --get-key knockfwknop-server
ssh <username>@<yourdomain.com> -p80043

fwknop -D <yourdomain.com> -A tcp/80044 -p 80400 -s -U server1 --get-key knockserver1
ssh <username>@<yourdomain.com> -p80044

fwknop -D <yourdomain.com> -A tcp/80045 -p 80400 -s -U server2 --get-key knockserver2
ssh <username>@<yourdomain.com> -p80045
resulting daemon.log entries

For port 80043:
fwknopd[19265]: (stanza #1) SPA Packet from IP: XXX.XXX.XXX.XXX received with access source match
fwknopd[19265]: Added Rule to FWKNOP_INPUT for XXX.XXX.XXX.XXX, tcp/80043 expires at 1332245168
fwknopd[19265]: Added OUTPUT Rule to FWKNOP_OUTPUT for XXX.XXX.XXX.XXX, tcp/80043 expires at 1332245168

For port 80044:
fwknopd[2504]: (stanza #1) SPA Packet from IP: XXX.XXX.XXX.XXX received with access source match
fwknopd[2504]: (stanza #1) Error creating fko context: Decryption failed or decrypted data is invalid
fwknopd[2504]: (stanza #2) SPA Packet from IP: XXX.XXX.XXX.XXX received with access source match
fwknopd[2504]: Added FORWARD Rule to FWKNOP_FORWARD for XXX.XXX.XXX.XXX, tcp/80044 expires at 1332216742
fwknopd[2504]: Added DNAT Rule to FWKNOP_PREROUTING for XXX.XXX.XXX.XXX, tcp/80044 expires at 1332216742

For port 80045:
fwknopd[19265]: (stanza #1) SPA Packet from IP: XXX.XXX.XXX.XXX received with access source match
fwknopd[19265]: (stanza #1) Error creating fko context: Decryption failed or decrypted data is invalid
fwknopd[19265]: (stanza #2) SPA Packet from IP: XXX.XXX.XXX.XXX received with access source match
fwknopd[19265]: (stanza #2) Error creating fko context: Decryption failed or decrypted data is invalid
fwknopd[19265]: (stanza #3) SPA Packet from IP: XXX.XXX.XXX.XXX received with access source match
fwknopd[19265]: Added FORWARD Rule to FWKNOP_FORWARD for XXX.XXX.XXX.XXX, tcp/80045 expires at 1332244853
fwknopd[19265]: Added DNAT Rule to FWKNOP_PREROUTING for XXX.XXX.XXX.XXX, tcp/80045 expires at 1332244853
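The entries above show fwknopd trying each SOURCE: ANY stanza's key in turn, so one "Decryption failed" per non-matching stanza is normal with this access.conf, while a packet that fails every stanza means a wrong key or someone probing the knock port. The script below is added here and is not part of the original post or of fwknop; it summarises that per source IP over constructed sample lines (the 203.0.113.9 source and the masked XXX.XXX.XXX.XXX address are constructed, not taken from a real log):

```shell
#!/bin/sh
# Constructed sample (not the original log): the port-80044 lines from the
# report above, plus an invented 203.0.113.9 source whose packet fails every
# stanza, which is how a rejected knock looks in daemon.log.
SAMPLE_LOG='fwknopd[2504]: (stanza #1) SPA Packet from IP: XXX.XXX.XXX.XXX received with access source match
fwknopd[2504]: (stanza #1) Error creating fko context: Decryption failed or decrypted data is invalid
fwknopd[2504]: (stanza #2) SPA Packet from IP: XXX.XXX.XXX.XXX received with access source match
fwknopd[2504]: Added FORWARD Rule to FWKNOP_FORWARD for XXX.XXX.XXX.XXX, tcp/80044 expires at 1332216742
fwknopd[2504]: Added DNAT Rule to FWKNOP_PREROUTING for XXX.XXX.XXX.XXX, tcp/80044 expires at 1332216742
fwknopd[2504]: (stanza #1) SPA Packet from IP: 203.0.113.9 received with access source match
fwknopd[2504]: (stanza #1) Error creating fko context: Decryption failed or decrypted data is invalid
fwknopd[2504]: (stanza #2) SPA Packet from IP: 203.0.113.9 received with access source match
fwknopd[2504]: (stanza #2) Error creating fko context: Decryption failed or decrypted data is invalid
fwknopd[2504]: (stanza #3) SPA Packet from IP: 203.0.113.9 received with access source match
fwknopd[2504]: (stanza #3) Error creating fko context: Decryption failed or decrypted data is invalid'

# Read fwknopd log lines on stdin and print, per source IP, how many stanzas
# failed to decrypt the packet and whether a firewall rule was finally added.
# The "Error creating fko context" line carries no IP, so the IP is taken
# from the preceding "SPA Packet from IP" line logged by the same daemon PID.
spa_log_summary() {
    awk '
        { pid = $1; sub(/^fwknopd\[/, "", pid); sub(/].*/, "", pid) }
        /SPA Packet from IP:/ {
            ip = $0; sub(/.*from IP: /, "", ip); sub(/ .*/, "", ip)
            cur[pid] = ip; seen[ip] = 1
        }
        /Error creating fko context/ { fail[cur[pid]]++ }
        /Added .*Rule to FWKNOP_/    { ok[cur[pid]] = 1 }
        END {
            for (ip in seen) {
                verdict = (ip in ok) ? "ACCEPTED" : "REJECTED"
                printf "%s failed=%d %s\n", ip, fail[ip] + 0, verdict
            }
        }' | sort
}

# Verdict line for one source IP, computed over the constructed sample.
spa_verdict() {
    printf '%s\n' "$SAMPLE_LOG" | spa_log_summary | grep "^$1 "
}

# Stand-alone run; on a live server feed it the real log instead:
#   grep fwknopd /var/log/daemon.log | spa_log_summary
printf '%s\n' "$SAMPLE_LOG" | spa_log_summary
```

A REJECTED line with failed equal to the number of stanzas is the signature to alert on; an ACCEPTED line with a non-zero count is just the stanza order at work.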
resulting iptables rules created

Chain FWKNOP_FORWARD (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  XXX.XXX.XXX.XXX      192.168.3.2          tcp dpt:22 /* _exp_1332244853 */
ACCEPT     tcp  --  XXX.XXX.XXX.XXX      192.168.2.2          tcp dpt:22 /* _exp_1332244986 */

Chain FWKNOP_INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  XXX.XXX.XXX.XXX      0.0.0.0/0            tcp dpt:80043 /* _exp_1332245168 */

Chain FWKNOP_OUTPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            XXX.XXX.XXX.XXX      tcp spt:80043 /* _exp_1332245168 */

And NAT table:

Chain FWKNOP_PREROUTING (1 references)
target     prot opt source               destination
DNAT       tcp  --  XXX.XXX.XXX.XXX      0.0.0.0/0            tcp dpt:80045 /* _exp_1332244853 */ to:192.168.3.2:22
DNAT       tcp  --  XXX.XXX.XXX.XXX      0.0.0.0/0            tcp dpt:80044 /* _exp_1332244986 */ to:192.168.2.2:80044
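fwknopd stamps every rule it adds with the _exp_<epoch> comment visible above and deletes the rule itself once that time passes; if the daemon is killed or crashes, the rules outlive their expiry with nothing left to remove them. The check below is added here and is not from the fwknop project: it parses an "iptables -n -L" listing (a constructed copy of the FWKNOP_FORWARD chain above) and reports rules whose expiry is earlier than a clock value you pass in, so it can run from cron as an independent watchdog:

```shell
#!/bin/sh
# Constructed sample (not the original output): the FWKNOP_FORWARD chain from
# the report above in "iptables -n -L FWKNOP_FORWARD" layout.
SAMPLE_CHAIN='Chain FWKNOP_FORWARD (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  XXX.XXX.XXX.XXX      192.168.3.2          tcp dpt:22 /* _exp_1332244853 */
ACCEPT     tcp  --  XXX.XXX.XXX.XXX      192.168.2.2          tcp dpt:22 /* _exp_1332244986 */'

# Read a chain listing on stdin and print each rule whose _exp_ timestamp is
# older than $1 (epoch seconds). Header lines carry no _exp_ and are skipped.
stale_spa_rules() {
    awk -v now="$1" '
        match($0, /_exp_[0-9]+/) {
            # skip the 5-character "_exp_" prefix to get the epoch value
            ts = substr($0, RSTART + 5, RLENGTH - 5) + 0
            if (ts < now)
                printf "%s %s -> %s expired %d s ago\n", $1, $4, $5, now - ts
        }'
}

# Number of stale rules in the constructed sample at the given time.
stale_count_at() {
    printf '%s\n' "$SAMPLE_CHAIN" | stale_spa_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the sample; for a live check run as root:
#   iptables -n -L FWKNOP_FORWARD | stale_spa_rules "$(date +%s)"
printf '%s\n' "$SAMPLE_CHAIN" | stale_spa_rules "$(date +%s)"
```

Any output from the live form means fwknopd is no longer enforcing its own timeouts and the chains should be flushed by hand until the daemon is back.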
notes

Need to lock down the firewall more immediately - probably by doing some more blocking and using the SNAT options.

Now that we're NATed, ssh locks up a bit - to fix it add the following:

$ cat .ssh/config
Host *
    ServerAliveInterval 240

FORCE_NAT mode: For iptables firewalls, a new FORCE_NAT mode has been implemented that works as follows: for any valid SPA packet, force the requested connection to be NAT'd through to the specified (usually internal) IP and port value. This is useful if there are multiple internal systems running a service such as SSHD, and you want to give transparent access to only one internal system for each stanza in the access.conf file. This way, multiple external users can each directly access only one internal system per SPA key.
conclusions

It seemed a powerdown of the entire environment last night was all it took to get this going.

The only two things I would like to do are to re-write the above documentation and pass it on to the fwknop devs as an example installation.

Also, try to contribute somehow in the development direction of the FORCE_NAT stanza. Development of the stanza could include a source port; we could then add multiple FORCE_NAT statements to each access.conf stanza and thus only require one username/key for each user rather than three. If FORCE_NAT could accept in and out interfaces we might also be able to segment better - I think :)
On 19/03/2012, at 9:15, Poignant Murf <[email protected]> wrote:
> 1st and most importantly thank you for fwknop, it's ~£{?|£|\ awesome
>
> 2nd confirming that only one FORCE_NAT option is allowed for each access.conf
> stanza - and since most of my networks are NAT, possibility of changing the
> setup in the future to 'FORCE_NAT <source port> <NAT ip address> <NAT port>'
> which would allow multiple NAT statements per stanza
>
> 3rd is just a query - has anyone had any success with using a version 1.9
> fwknop client knocking into a version 2 server - keeping defaults on both
> ATM and key file across 1.9 and 2 client so password not my issue - figure I
> need to change something in the .fwknoprc file on the client - error is
> 'error creating fko context: decryption failed or decryption data is invalid'
> as I still support clients and servers running the version 1.9 it would be handy
>
> Thank you all very much
>
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss