Hello all,

I'm trying to set up fwknop from the Debian stable repo on a Linode Xen 
VPS server and having some trouble.  I'm able to install and set 
everything up the way I want it, however, after configuring the firewall 
to block all port 22 traffic in accordance with the cipherdyne tutorial 
and starting fwknopd, it appears that iptables is blocking the actual 
authentication packet.  I'm pretty naive when it comes to iptables, so 
I'm probably missing something in my configuration.

Here's an example of what iptables logs when I try to open the ssh port:
iptables blocked: IN=eth0 OUT= MAC=f2:3c:91:70:18:58:c8:4c:75:f5:c4:ff:08:00 SRC=74.87.211.230 DST=198.58.106.81 LEN=210 TOS=0x00 PREC=0x40 TTL=48 ID=11814 DF PROTO=UDP SPT=32849 DPT=62201 LEN=190

My iptables configuration looks like this:

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Default drop rules for fwknop-server, allow established connections
#-A INPUT -i eth0 -p tcp --dport 22 -j DROP
#-A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#  The interface name must match the IN= interface in the log (eth0, not "etho")
#-A INPUT -i eth0 -p udp --dport 62201 -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
#-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables blocked: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

Right now I have the fwknop rules commented out, but you can also see my 
attempt to let iptables pass any incoming udp traffic on port 62201, but 
even with that rule, iptables continued to block the knock packet.

Any help will be greatly appreciated.  Thanks.

Mike Swanson
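A way to check the ruleset against the logged packet without touching a live firewall, as an added example that is not part of the original message or of the fwknop project: it walks the posted INPUT chain in order, the way netfilter does, and reports which rule produced the verdict for the UDP/62201 datagram in the LOG line. The ruleset and the log line are constructed from the message above (the UDP 62201 rule is enabled exactly as it was typed there, with "etho"); the matcher is a simplification that models only -i, -p, --dport, -d, --state/--ctstate and -j, and assumes the logged datagram is in conntrack state NEW.

```python
import ipaddress
import shlex

# Constructed sample input: the LOG line from the message, rejoined onto one line.
SAMPLE_LOG = (
    "iptables blocked: IN=eth0 OUT= MAC=f2:3c:91:70:18:58:c8:4c:75:f5:c4:ff:08:00 "
    "SRC=74.87.211.230 DST=198.58.106.81 LEN=210 TOS=0x00 PREC=0x40 TTL=48 ID=11814 DF "
    "PROTO=UDP SPT=32849 DPT=62201 LEN=190"
)

# Constructed ruleset mirroring the message, with the commented-out UDP 62201 rule
# enabled exactly as it was typed there ("etho" rather than "eth0").
RULES_AS_POSTED = [
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -d 127.0.0.0/8 -j REJECT",
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A OUTPUT -j ACCEPT",
    "-A INPUT -i etho -p udp --dport 62201 -j ACCEPT",
    "-A INPUT -p tcp --dport 80 -j ACCEPT",
    "-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT",
    "-A INPUT -p icmp -j ACCEPT",
    '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables blocked: " --log-level 7',
    "-A INPUT -j DROP",
    "-A FORWARD -j DROP",
]

# Same ruleset with the interface name corrected to the one the LOG line reports (IN=eth0).
RULES_FIXED = [r.replace("-i etho", "-i eth0") for r in RULES_AS_POSTED]


def parse_log(line):
    """Split an iptables LOG line into its KEY=VALUE fields.

    Bare flags such as DF are ignored.  LEN appears twice (IP header, then
    UDP header) and the later value wins, which does not matter for this check.
    """
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def parse_rule(text):
    """Parse the subset of iptables-restore syntax used in the ruleset above."""
    toks = shlex.split(text)  # honours the quoted --log-prefix value
    rule = dict(chain=None, iface=None, proto=None, dport=None, dst=None, state=None, target=None)
    i = 0
    while i < len(toks):
        tok, arg = toks[i], toks[i + 1]
        if tok == "-A":
            rule["chain"] = arg
        elif tok == "-i":
            rule["iface"] = arg
        elif tok == "-p":
            rule["proto"] = arg.upper()  # LOG prints PROTO=UDP, so compare upper-case
        elif tok == "--dport":
            rule["dport"] = arg
        elif tok == "-d":
            rule["dst"] = ipaddress.ip_network(arg, strict=False)
        elif tok in ("--state", "--ctstate"):
            rule["state"] = set(arg.split(","))
        elif tok == "-j":
            rule["target"] = arg
        elif tok not in ("-m", "--limit", "--log-prefix", "--log-level"):
            raise ValueError(f"unsupported token {tok!r} in rule {text!r}")
        i += 2  # every token handled here takes exactly one argument
    return rule


def rule_matches(rule, pkt):
    """True if the rule matches the logged packet; unset fields match anything."""
    if rule["iface"] and rule["iface"] != pkt.get("IN"):
        return False
    if rule["proto"] and rule["proto"] != pkt.get("PROTO"):
        return False
    if rule["dport"] and rule["dport"] != pkt.get("DPT"):
        return False
    if rule["dst"] and ipaddress.ip_address(pkt.get("DST", "0.0.0.0")) not in rule["dst"]:
        return False
    # A freshly sent SPA datagram is conntrack state NEW; LOG lines carry no state field.
    if rule["state"] and pkt.get("state", "NEW") not in rule["state"]:
        return False
    return True


def walk_chain(rules, pkt, chain="INPUT"):
    """Walk CHAIN in rule order; return (verdict, matching rule text, hit the LOG rule?)."""
    logged = False
    for text in rules:
        rule = parse_rule(text)
        if rule["chain"] != chain or not rule_matches(rule, pkt):
            continue
        if rule["target"] == "LOG":
            logged = True  # LOG is non-terminating: note it and keep walking
        elif rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"], text, logged
    return "POLICY", None, logged  # fell off the end: the chain's default policy decides


if __name__ == "__main__":
    pkt = parse_log(SAMPLE_LOG)
    for label, rules in (("as posted", RULES_AS_POSTED), ("interface fixed", RULES_FIXED)):
        verdict, matched, logged = walk_chain(rules, pkt)
        print(f"{label:16s}: {verdict} by {matched!r} (passed the LOG rule: {logged})")
```

Because the LOG rule sits immediately before the final DROP, a logged line only says that no earlier rule accepted the packet; walking the chain this way shows which earlier rule was expected to match and why it did not (here the interface name). One caveat when reading such logs with fwknop: in its default pcap sniffing mode fwknopd reads SPA packets from the interface via libpcap, which sees them before the INPUT chain renders its verdict, so a "blocked" log entry for the SPA datagram does not by itself mean the knock was not received.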

_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
