On 02/18/2013 11:42 AM, Michael Swanson wrote:
> Hello all,
>
> I'm trying to set up fwknop from the Debian stable repo on a Linode Xen
> VPS server and having some trouble. I'm able to install and set
> everything up the way I want it, however, after configuring the firewall
> to block all port 22 traffic in accordance with the cipherdyne tutorial
> and starting fwknopd, it appears that iptables is blocking the actual
> authentication packet. I'm pretty naive when it comes to iptables, so
> I'm probably missing something in my configuration.
One thing I forgot to mention explicitly: since I'm using packages from the Debian repos, I'm using version 1.9.12-2 on the server, which is what's in stable, and I'm using version 2.0.0rc2 from testing on my client. Not sure if the different versions might be causing a problem.

>
> Here's an example of what iptables logs when I try to open the ssh port:
> iptables blocked: IN=eth0 OUT= MAC=f2:3c:91:70:18:58:c8:4c:75:f5:c4:ff:08:00 SRC=74.87.211.230 DST=198.58.106.81 LEN=210 TOS=0x00 PREC=0x40 TTL=48 ID=11814 DF PROTO=UDP SPT=32849 DPT=62201 LEN=190
>
> My iptables configuration looks like this:
>
> *filter
>
> # Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
> -A INPUT -i lo -j ACCEPT
> -A INPUT -d 127.0.0.0/8 -j REJECT
>
> # Accept all established inbound connections
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Allow all outbound traffic - you can modify this to only allow certain traffic
> -A OUTPUT -j ACCEPT
>
> #Default drop rules for fwknop-server, allow established connections
> #-A INPUT -i eth0 -p tcp --dport 22 -j DROP
> #-A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> #-A INPUT -i etho -p udp --dport 62201 -j ACCEPT
>
> # Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
> -A INPUT -p tcp --dport 80 -j ACCEPT
> #-A INPUT -p tcp --dport 443 -j ACCEPT
>
> # Allow SSH connections
> #
> # The --dport number should be the same port number you set in sshd_config
> #
> -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
>
> # Allow ping
> -A INPUT -p icmp -j ACCEPT
>
> # Log iptables denied calls
> -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables blocked: " --log-level 7
>
> # Drop all other inbound - default deny unless explicitly allowed policy
> -A INPUT -j DROP
> -A FORWARD -j DROP
>
> Right now I have the fwknop rules commented out, but you can also see my
> attempt to let iptables pass any incoming udp traffic on port 62201, but
> even with that rule, iptables continued to block the knock packet.
>
> Any help will be greatly appreciated. Thanks.
>
> Mike Swanson
>
> _______________________________________________
> Fwknop-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
