Hi,
I have the following setup:
spa_client [2.2.2.2] ------ Internet ----- [1.1.1.1] Router (configured with
spa_server as DMZ) [192.168.1.1] ------- [192.168.1.2] spa_server
I wanted to have fwknopd open up a port on the spa_server and redirect it to
the local ssh daemon listening on port 22.
nat-local seemed to be what I wanted:
fwknop -A tcp/4444 -a 2.2.2.2 --nat-local --nat-port 22 -D 1.1.1.1 -v
should open up port 4444 and forward it to port 22.
But the DNAT rule to rewrite the destination address uses the server's public
IP 1.1.1.1 which is not available on any of the server's interfaces!
I also figured out that I could not use --nat-access as the server does not
set up a rule in the INPUT chain in this case.
I patched the code to use -j REDIRECT instead of -j DNAT when --nat-local is
used.
I have provided the patch against version 2.0.4 below.
This works for me...
But, being a fwknop newbie, I would appreciate it if I could get it blessed...
;-)!
I also had a couple of questions:
1. How does --nat-rand-port work with --nat-local?
2. What options should I use to ./configure for the default access/config
file locations?
Thanks,
-karthik
--- fwknop-2.0.4/server/fw_util_iptables.c 2012-12-09 15:55:59.000000000
-0500
+++ fwknop-2.0.4-patched/server/fw_util_iptables.c 2013-03-12
08:14:38.618453300 -0400
@@ -882,19 +882,34 @@
add_jump_rule(opts, IPT_DNAT_ACCESS);
zero_cmd_buffers();
-
- snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_DNAT_RULE_ARGS,
- opts->fw_config->fw_command,
- dnat_chain->table,
- dnat_chain->to_chain,
- fst_proto,
- spadat->use_src_ip,
- fst_port,
- exp_ts,
- dnat_chain->target,
- nat_ip,
- nat_port
- );
+ if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG)
+ {
+ snprintf(cmd_buf, CMD_BUFSIZE-1, "%s "
IPT_ADD_REDIRECT_RULE_ARGS,
+ opts->fw_config->fw_command,
+ dnat_chain->table,
+ dnat_chain->to_chain,
+ fst_proto,
+ spadat->use_src_ip,
+ fst_port,
+ exp_ts,
+ nat_port
+ );
+ }
+ else
+ {
+ snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_DNAT_RULE_ARGS,
+ opts->fw_config->fw_command,
+ dnat_chain->table,
+ dnat_chain->to_chain,
+ fst_proto,
+ spadat->use_src_ip,
+ fst_port,
+ exp_ts,
+ dnat_chain->target,
+ nat_ip,
+ nat_port
+ );
+ }
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
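Review bot: the new REDIRECT branch silently drops both the client-supplied `nat_ip` and the configured `dnat_chain->target`, so a --nat-local request that names any IP at all is accepted and simply redirected to `nat_port`; since the point of the change is that `nat_ip` may not be on a local interface, consider validating (or at least logging) that the requested address was ignored rather than discarding it without a trace. The two `snprintf` calls also duplicate nine argument lines; selecting the format string and the trailing `-j` arguments once and calling `snprintf` a single time would keep the shared `res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);` path easier to audit. Worth confirming as well that `FKO_LOCAL_NAT_ACCESS_MSG` is the only message type that reaches this code for --nat-local requests; any other local-NAT variant would still fall through to the DNAT branch and hit the original problem.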
--- fwknop-2.0.4/server/fw_util_iptables.h 2012-12-09 15:55:59.000000000
-0500
+++ fwknop-2.0.4-patched/server/fw_util_iptables.h 2013-03-12
08:10:36.242318088 -0400
@@ -39,6 +39,7 @@
#define IPT_ADD_OUT_RULE_ARGS "-t %s -A %s -p %i -d %s --sport %i -m comment
--comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
#define IPT_ADD_FWD_RULE_ARGS "-t %s -A %s -p %i -s %s -d %s --dport %i -m
comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
#define IPT_ADD_DNAT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment
--comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i 2>&1"
+#define IPT_ADD_REDIRECT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m
comment --comment " EXPIRE_COMMENT_PREFIX "%u -j REDIRECT --to-ports %i 2>&1"
#define IPT_ADD_SNAT_RULE_ARGS "-t %s -A %s -p %i -d %s --dport %i -m comment
--comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1"
#define IPT_TMP_COMMENT_ARGS "-t %s -I %s %i -s 127.0.0.2 -m comment
--comment " TMP_COMMENT " -j %s 2>&1"
#define IPT_DEL_RULE_ARGS "-t %s -D %s %i 2>&1"
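Review bot: `IPT_ADD_REDIRECT_RULE_ARGS` hard-codes `-j REDIRECT`, whereas every neighbouring macro (`IPT_ADD_DNAT_RULE_ARGS`, `IPT_ADD_SNAT_RULE_ARGS`, `IPT_ADD_FWD_RULE_ARGS`) takes the jump target through `-j %s` from the configured chain; keeping the `-j %s --to-ports %i` shape and passing "REDIRECT" from the caller would keep the header policy-free and the call sites uniform. The `-m comment --comment EXPIRE_COMMENT_PREFIX "%u"` part is correctly preserved, so rule expiry still works, but a short comment noting that REDIRECT is only valid in the nat table's PREROUTING and OUTPUT chains (so the configured DNAT chain must hang off one of those) would save the next reader a surprise, and the --nat-local documentation should mention the new behaviour.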
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss