On Feb 18, 2013, Michael Swanson wrote:

> On 02/18/2013 11:42 AM, Michael Swanson wrote:
> > Hello all,
> >
> > I'm trying to set up fwknop from the Debian stable repo on a Linode Xen
> > VPS server and having some trouble.  I'm able to install and set
> > everything up the way I want it, however, after configuring the firewall
> > to block all port 22 traffic in accordance with the cipherdyne tutorial
> > and starting fwknopd, it appears that iptables is blocking the actual
> > authentication packet.  I'm pretty naive when it comes to iptables, so
> > I'm probably missing something in my configuration.
> 
> One thing I forgot to mention explicitly, since I'm using packages from 
> the Debian repos, I'm using version 1.9.12-2 on the server, which is 
> what's in stable, and I'm using version 2.0.0rc2 from testing on my 
> client.  Not sure if the different versions might be causing a problem.

It's possible that the mismatch between the client and server is causing
the problem since the perl code isn't maintained anymore.  And, due to
more rigorous usage of crypto in the C code that is going to be released
in fwknop-2.5 in a few weeks, I would recommend switching to the C
version too.

For the fwknopd perl daemon, the --debug switch should help to see what
is going on:

# fwknopd -i eth0 --debug

Hopefully you will see how far an incoming SPA packet is able to
progress within fwknopd, and this may provide a hint for what is
happening.

Are you running NTP?  If not, and the clocks are significantly out of
sync between the client and server, then you may want to temporarily set
ENABLE_SPA_PACKET_AGING to 'N' on the server and see if this makes a
difference.  I wouldn't leave that disabled though due to the
possibility of opening yourself up to a MITM attack - having decent time
sync is a good idea.

Thanks,

--Mike
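
To illustrate the trade-off described above, here is an added example (not fwknop's own code and not part of this thread) of the two server-side checks involved: a digest cache that rejects an identical SPA packet the second time it is seen, and a timestamp window that rejects packets older than the allowed age. The 120 second window, the SHA-256 digest and the restart() that throws the cache away are assumptions made for the illustration.

```python
import hashlib

# Assumed for this example: a 120 second acceptance window (the daemon's own
# MAX_SPA_PACKET_AGE value is not quoted in the thread).
MAX_SPA_PACKET_AGE = 120


class SpaGate:
    """Freshness and replay checks a server applies to a decrypted SPA packet."""

    def __init__(self, aging_enabled=True, max_age=MAX_SPA_PACKET_AGE):
        self.aging_enabled = aging_enabled   # ENABLE_SPA_PACKET_AGING Y/N
        self.max_age = max_age
        self.seen = set()                    # digests of packets already honoured

    def restart(self):
        """Simulate losing the in-memory digest cache (assumed: no persistent cache)."""
        self.seen.clear()

    def check(self, raw_packet, packet_ts, now):
        """Return (accepted, reason) for the on-the-wire payload raw_packet.

        packet_ts is the client timestamp carried inside the packet, now is the
        server clock; both are seconds since the epoch.
        """
        digest = hashlib.sha256(raw_packet).hexdigest()
        if digest in self.seen:
            return False, "replay: identical packet already seen"
        skew = now - packet_ts
        if self.aging_enabled and abs(skew) > self.max_age:
            # A legitimate client with a badly skewed clock fails here too,
            # which is why disabling aging "fixes" an unsynchronised setup.
            return False, "stale: packet timestamp is %ds from server clock" % skew
        self.seen.add(digest)
        return True, "accepted"
```

With aging disabled, a captured packet stays valid for as long as it is absent from the digest cache, so a cache loss reopens the replay window indefinitely; with aging enabled the window closes after max_age regardless of cache state.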


> > Here's an example of what iptables logs when I try to open the ssh port:
> > iptables blocked: IN=eth0 OUT=
> > MAC=f2:3c:91:70:18:58:c8:4c:75:f5:c4:ff:08:00 SRC=74.87.211.230
> > DST=198.58.106.81 LEN=210 TOS=0x00 PREC=0x40 TTL=48 ID=11814 DF
> > PROTO=UDP SPT=32849 DPT=62201 LEN=190
> >
> > My iptables configuration looks like this:
> >
> > *filter
> >
> > #  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -d 127.0.0.0/8 -j REJECT
> >
> > #  Accept all established inbound connections
> > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > #  Allow all outbound traffic - you can modify this to only allow certain traffic
> > -A OUTPUT -j ACCEPT
> >
> > #Default drop rules for fwknop-server, allow established connections
> > #-A INPUT -i eth0 -p tcp --dport 22 -j DROP
> > #-A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> > #-A INPUT -i etho -p udp --dport 62201 -j ACCEPT
> >
> > #  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
> > -A INPUT -p tcp --dport 80 -j ACCEPT
> > #-A INPUT -p tcp --dport 443 -j ACCEPT
> >
> > #  Allow SSH connections
> > #
> > #  The -dport number should be the same port number you set in sshd_config
> > #
> > -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
> >
> > #  Allow ping
> > -A INPUT -p icmp -j ACCEPT
> >
> > #  Log iptables denied calls
> > -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables blocked: " --log-level 7
> >
> > #  Drop all other inbound - default deny unless explicitly allowed policy
> > -A INPUT -j DROP
> > -A FORWARD -j DROP
> >
> > Right now I have the fwknop rules commented out, but you can also see my
> > attempt to let iptables pass any incoming udp traffic on port 62201, but
> > even with that rule, iptables continued to block the knock packet.
> >
> > Any help will be greatly appreciated.  Thanks.
> >
> > Mike Swanson
> >
> > _______________________________________________
> > Fwknop-discuss mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/fwknop-discuss

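As an added example (not from the thread), a small first-match evaluator for the INPUT rules quoted above, run against the quoted LOG entry. It is a deliberate simplification: it understands only -i, -p, --dport, --state and -j, omits the two loopback rules, treats the knock datagram as conntrack NEW, and uncomments the fwknop rule exactly as posted, interface name "etho" included, so the evaluator shows that rule not matching a packet logged with IN=eth0.

```python
import re

# Constructed from the INPUT rules posted in the thread (loopback rules omitted),
# with the fwknop rule uncommented as the poster says they tried; the interface
# name is kept exactly as posted, "etho". Order is the order iptables evaluates.
INPUT_RULES = [
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -i etho -p udp --dport 62201 -j ACCEPT",
    "-A INPUT -p tcp --dport 80 -j ACCEPT",
    "-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT",
    "-A INPUT -p icmp -j ACCEPT",
    '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables blocked: "',
    "-A INPUT -j DROP",
]
# The LOG entry from the thread for the knock packet (UDP to fwknop's port 62201).
LOG_LINE = ("iptables blocked: IN=eth0 OUT= MAC=f2:3c:91:70:18:58:c8:4c:75:f5:c4:ff:08:00 "
            "SRC=74.87.211.230 DST=198.58.106.81 LEN=210 TOS=0x00 PREC=0x40 TTL=48 "
            "ID=11814 DF PROTO=UDP SPT=32849 DPT=62201 LEN=190")

def parse_log(line):
    """iptables LOG line -> packet dict; a first-seen UDP datagram is conntrack NEW."""
    f = dict(re.findall(r"(\w+)=(\S*)", line))
    return {"in": f.get("IN", ""), "proto": f.get("PROTO", "").lower(),
            "dport": int(f.get("DPT") or 0), "state": "NEW"}

def parse_rule(rule):
    """Extract the matches this evaluator understands: -i, -p, --dport, --state, -j."""
    grab = lambda flag: (re.search(r"(?<!\S)" + flag + r" (\S+)", rule) or [None, None])[1]
    return {"in": grab("-i"), "proto": grab("-p"), "dport": grab("--dport"),
            "state": grab("--state"), "target": grab("-j")}

def rule_matches(r, pkt):
    """Every match present in the rule must hold; absent matches are wildcards."""
    return ((not r["in"] or r["in"] == pkt["in"])
            and (not r["proto"] or r["proto"] == pkt["proto"])
            and (not r["dport"] or int(r["dport"]) == pkt["dport"])
            and (not r["state"] or pkt["state"] in r["state"].split(",")))

def trace(rules, pkt):
    """First-match walk of the chain: LOG is non-terminal, ACCEPT/DROP/REJECT end it.
    Returns (verdict, 1-based rule number, whether the packet hit the LOG rule)."""
    logged = False
    for n, rule in enumerate(rules, 1):
        r = parse_rule(rule)
        if not rule_matches(r, pkt):
            continue
        if r["target"] == "LOG":
            logged = True
            continue
        return r["target"], n, logged
    return "POLICY", 0, logged
```

Running trace(INPUT_RULES, parse_log(LOG_LINE)) reproduces the logged drop, and the same call with "-i etho" changed to "-i eth0" in the fwknop rule returns ACCEPT at that rule, which is the quickest way to confirm whether a knock packet ever reaches fwknopd.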