Hello Michael,
Thank you very much for your reply.
I have created a patch for --nat-rand-port...
The way I read the man page (and how I want to use it) is for fwknop
client to generate a random port number for which it would request
access from the server. The client would use --nat-port to request the
mapping of this random port to a service on the other side of the
firewall.
So, for example,
fwknop --nat-local --nat-rand-port --nat-port 22 -a 1.1.1.1 -D 2.2.2.2
would generate the following SPA packet:
FKO Field Values:
=================
.....................
Message Type: 5
Message String: 1.1.1.1,tcp/37126
Nat Access: 2.2.2.2,22
.....................
where the client has generated a random port (37126) and asked for it to
be mapped to port 22 on the server, allowing the following access via
ssh:
ssh -p 37126 2.2.2.2
Thanks,
-karthik
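The flow described above, worked through in code as an added example (this is not fwknop's code and not part of the original message): it parses the two SPA fields shown in the packet dump ("Message String" as `allow_ip,proto/port` and "Nat Access" as `nat_ip,port`), validates them, and builds the iptables arguments a server would run, using REDIRECT for the local-NAT case (as the thread's patch does) and DNAT otherwise. The table name `nat`, chain name `FWKNOP_PREROUTING`, comment prefix `_exp_`, the `nat_kind` enum and the expiry timestamp are assumptions made for the example, not values taken from fwknop.

```c
/* Added example, not fwknop code: parse the two SPA fields quoted above and
 * build the iptables NAT rule a patched server would run.  Table, chain and
 * expiry-comment prefix below are assumed placeholders, not fwknop's values. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

#define NAT_TABLE  "nat"                /* assumed */
#define NAT_CHAIN  "FWKNOP_PREROUTING"  /* assumed chain name */
#define EXP_PREFIX "_exp_"              /* assumed expiry-comment prefix */

/* Local-NAT (REDIRECT) vs. forwarded-NAT (DNAT) request; names are ours. */
enum nat_kind { NAT_LOCAL, NAT_FORWARD };

/* Decimal port in 1..65535 with no sign, whitespace or trailing junk. */
static int parse_port(const char *s, int *port)
{
    char *end;
    long v;
    if (*s < '0' || *s > '9')
        return -1;
    v = strtol(s, &end, 10);
    if (*end != '\0' || v < 1 || v > 65535)
        return -1;
    *port = (int)v;
    return 0;
}

/* Copy s[0..len) into out and require it to be a dotted-quad IPv4 address. */
static int parse_ipv4(const char *s, size_t len, char *out, size_t outlen)
{
    struct in_addr a;
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, s, len);
    out[len] = '\0';
    return inet_pton(AF_INET, out, &a) == 1 ? 0 : -1;
}

/* SPA "Message String", e.g. "1.1.1.1,tcp/37126": allowed source IP,
 * protocol (tcp/udp only, returned as the IP protocol number) and port. */
int parse_access_str(const char *s, char *ip, size_t iplen, int *proto, int *port)
{
    const char *comma = strchr(s, ',');
    if (comma == NULL || parse_ipv4(s, (size_t)(comma - s), ip, iplen) != 0)
        return -1;
    if (strncmp(comma + 1, "tcp/", 4) == 0)
        *proto = 6;
    else if (strncmp(comma + 1, "udp/", 4) == 0)
        *proto = 17;
    else
        return -1;
    return parse_port(comma + 5, port);
}

/* SPA "Nat Access" field, e.g. "2.2.2.2,22": internal IP and service port. */
int parse_nat_access_str(const char *s, char *ip, size_t iplen, int *port)
{
    const char *comma = strchr(s, ',');
    if (comma == NULL || parse_ipv4(s, (size_t)(comma - s), ip, iplen) != 0)
        return -1;
    return parse_port(comma + 1, port);
}

/* Build the iptables arguments: REDIRECT for a local-NAT request (no
 * destination IP needed), DNAT to nat_ip:nat_port otherwise.  Returns bytes
 * written, or -1 if a field fails validation or the rule would be truncated. */
int build_nat_rule(enum nat_kind kind, const char *access_str,
                   const char *nat_access_str, unsigned int exp_ts,
                   char *out, size_t outlen)
{
    char src_ip[INET_ADDRSTRLEN], nat_ip[INET_ADDRSTRLEN];
    int proto, port, nat_port, n;

    if (parse_access_str(access_str, src_ip, sizeof src_ip, &proto, &port) != 0 ||
        parse_nat_access_str(nat_access_str, nat_ip, sizeof nat_ip, &nat_port) != 0)
        return -1;

    if (kind == NAT_LOCAL)
        n = snprintf(out, outlen,
                     "-t %s -A %s -p %d -s %s --dport %d -m comment --comment %s%u "
                     "-j REDIRECT --to-ports %d",
                     NAT_TABLE, NAT_CHAIN, proto, src_ip, port, EXP_PREFIX, exp_ts,
                     nat_port);
    else
        n = snprintf(out, outlen,
                     "-t %s -A %s -p %d -s %s --dport %d -m comment --comment %s%u "
                     "-j DNAT --to-destination %s:%d",
                     NAT_TABLE, NAT_CHAIN, proto, src_ip, port, EXP_PREFIX, exp_ts,
                     nat_ip, nat_port);

    if (n < 0 || (size_t)n >= outlen)   /* a truncated rule must never reach iptables */
        return -1;
    return n;
}

/* Wrapper: rule for the given fields at a fixed (constructed) expiry
 * timestamp, in a static buffer; NULL when validation fails. */
const char *rule_for(enum nat_kind kind, const char *access_str,
                     const char *nat_access_str)
{
    static char buf[256];
    return build_nat_rule(kind, access_str, nat_access_str, 1363400000U,
                          buf, sizeof buf) > 0 ? buf : NULL;
}

int main(void)
{
    /* Field values copied from the example SPA packet in the message above. */
    const char *r = rule_for(NAT_LOCAL, "1.1.1.1,tcp/37126", "2.2.2.2,22");
    printf("local:   iptables %s\n", r ? r : "(rejected)");
    r = rule_for(NAT_FORWARD, "1.1.1.1,tcp/37126", "2.2.2.2,22");
    printf("forward: iptables %s\n", r ? r : "(rejected)");
    return 0;
}
```

The point of validating before formatting is that every one of these values arrives inside a client-supplied (though authenticated) SPA packet; rejecting anything that is not a plain IPv4 address, a tcp/udp prefix and an in-range port, and treating `snprintf` truncation as a failure rather than a rule, keeps the command handed to iptables exactly the one intended.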
On Tue, 2013-03-12 at 23:58 -0400, Michael Rash wrote:
> On Mar 12, 2013, Karthik Ganesan wrote:
>
> > Hi,
>
> Hello Karthik,
>
> > I have the following setup:
> >
> > spa_client [2.2.2.2] ------ Internet ----- [1.1.1.1] Router (configured
> > with spa_server as DMZ) [192.168.1.1] ------- [192.168.1.2] spa_server
> >
> > I wanted to have fwknopd open up a port on the spa_server and redirect it
> > to the local ssh daemon listening on port 22.
> >
> > nat-local seemed to be what I wanted:
> >
> > fwknop -A tcp/4444 -a 2.2.2.2 --nat-local --nat-port 22 -D
> > 1.1.1.1 -v
> >
> > should open up port 4444 and forward it to port 22.
> >
> > But the DNAT rule to rewrite the destination address uses the server's
> > public IP 1.1.1.1 which is not available on any of the server's interfaces!
> > I also figured out that I could not use --nat-access as the server does not
> > setup a rule in the INPUT chain in this case.
>
> If I understand correctly, I think the SNAT config vars (ENABLE_IPT_SNAT and
> SNAT_TRANSLATE_IP) in the fwknopd.conf file might help with this. But, this
> functionality is a bit of a kludge, and should really be put into the
> access.conf file. Your idea of using the REDIRECT target is a good one...
>
> > I patched the code to use -j REDIRECT instead of -j DNAT when --nat-local
> > is used.
> >
> > I have provided the patch against version 2.0.4 below.
> > This works for me...
>
> Thanks for providing the patch, and I'll look at getting this into
> fwknop-2.5, but it might go into 2.6 (not sure yet). I've opened issue
> #47 in github to track this with a milestone of fwknop-2.5 for now:
>
> https://github.com/mrash/fwknop/issues/47
>
> > But, being a fwknop newbie, I would appreciate it if I could get it
> > blessed... ;-)!
> >
> > I also had a couple of questions:
> > 1. How does --nat-rand-port work with --nat-local?
>
> It looks like I may need to fix this functionality - fwknopd should take
> the randomly assigned port value that is encrypted within the SPA packet
> and NAT incoming connections to this port into the local service. So,
> if the client sets port "39921" to be locally NAT'd to port 22, then
> fwknopd should build rules accordingly. The test suite doesn't
> currently test this, and I'll get this fixed.
>
> > 2. What options should I use to ./configure for the default access/config
> > file locations?
>
> For the ./configure args, I usually use:
>
> $ ./configure --prefix=/usr --sysconfdir=/etc
>
> Then the access.conf and fwknopd.conf files go in /etc/fwknop/ which is
> probably the best default location.
>
> --Mike
>
>
> > Thanks,
> > -karthik
> >
> >
> > --- fwknop-2.0.4/server/fw_util_iptables.c 2012-12-09 15:55:59.000000000
> > -0500
> > +++ fwknop-2.0.4-patched/server/fw_util_iptables.c 2013-03-12
> > 08:14:38.618453300 -0400
> > @@ -882,19 +882,34 @@
> > add_jump_rule(opts, IPT_DNAT_ACCESS);
> >
> > zero_cmd_buffers();
> > -
> > - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_DNAT_RULE_ARGS,
> > - opts->fw_config->fw_command,
> > - dnat_chain->table,
> > - dnat_chain->to_chain,
> > - fst_proto,
> > - spadat->use_src_ip,
> > - fst_port,
> > - exp_ts,
> > - dnat_chain->target,
> > - nat_ip,
> > - nat_port
> > - );
> > + if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG)
> > + {
> > + snprintf(cmd_buf, CMD_BUFSIZE-1, "%s "
> > IPT_ADD_REDIRECT_RULE_ARGS,
> > + opts->fw_config->fw_command,
> > + dnat_chain->table,
> > + dnat_chain->to_chain,
> > + fst_proto,
> > + spadat->use_src_ip,
> > + fst_port,
> > + exp_ts,
> > + nat_port
> > + );
> > + }
> > + else
> > + {
> > + snprintf(cmd_buf, CMD_BUFSIZE-1, "%s "
> > IPT_ADD_DNAT_RULE_ARGS,
> > + opts->fw_config->fw_command,
> > + dnat_chain->table,
> > + dnat_chain->to_chain,
> > + fst_proto,
> > + spadat->use_src_ip,
> > + fst_port,
> > + exp_ts,
> > + dnat_chain->target,
> > + nat_ip,
> > + nat_port
> > + );
> > + }
> >
> > res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
> >
> >
> >
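Review bot: the REDIRECT branch drops `nat_ip` and `dnat_chain->target`, so for FKO_LOCAL_NAT_ACCESS_MSG whatever IP the client placed in the NAT access field is now silently ignored; since that is intentional (the public IP may not be on any local interface, as described above), log the ignored value next to the new `snprintf` so a client/server mismatch shows up in the fwknopd log. REDIRECT is also only valid in the nat table's PREROUTING and OUTPUT chains, so this branch depends on `dnat_chain->to_chain` being reached from PREROUTING; a one-line comment stating that assumption would help the next reader. Finally, both branches repeat the first eight arguments; building the shared prefix once and appending only the target-specific tail would halve the duplication and make the two rules easier to compare.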
> > --- fwknop-2.0.4/server/fw_util_iptables.h 2012-12-09 15:55:59.000000000
> > -0500
> > +++ fwknop-2.0.4-patched/server/fw_util_iptables.h 2013-03-12
> > 08:10:36.242318088 -0400
> > @@ -39,6 +39,7 @@
> > #define IPT_ADD_OUT_RULE_ARGS "-t %s -A %s -p %i -d %s --sport %i -m
> > comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
> > #define IPT_ADD_FWD_RULE_ARGS "-t %s -A %s -p %i -s %s -d %s --dport %i
> > -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
> > #define IPT_ADD_DNAT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m
> > comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i
> > 2>&1"
> > +#define IPT_ADD_REDIRECT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m
> > comment --comment " EXPIRE_COMMENT_PREFIX "%u -j REDIRECT --to-ports %i
> > 2>&1"
> > #define IPT_ADD_SNAT_RULE_ARGS "-t %s -A %s -p %i -d %s --dport %i -m
> > comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1"
> > #define IPT_TMP_COMMENT_ARGS "-t %s -I %s %i -s 127.0.0.2 -m comment
> > --comment " TMP_COMMENT " -j %s 2>&1"
> > #define IPT_DEL_RULE_ARGS "-t %s -D %s %i 2>&1"
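Review bot: IPT_ADD_REDIRECT_RULE_ARGS hard-codes `-j REDIRECT` while every sibling macro in this block takes the target as a `%s` argument; keeping the `%s` and passing `"REDIRECT"` from the caller keeps the macros uniform and lets `dnat_chain->target` stay meaningful in both branches of the .c hunk. The new rule does keep the `-m comment --comment EXPIRE_COMMENT_PREFIX %u` marker and lands in the same chain as the DNAT rules, which is presumably what the expiry sweep keys on to remove it; worth one sentence in the commit message so a reviewer does not have to confirm that by hand.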
>
>
> > _______________________________________________
> > Fwknop-discuss mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>
>
--- fwknop-2.0.4/client/fwknop.c 2012-12-09 15:55:59.000000000 -0500
+++ fwknop-2.0.4-patched/client/fwknop.c 2013-03-15 21:24:44.853864258 -0400
@@ -172,8 +172,16 @@
}
else
{
- snprintf(access_buf, MAX_LINE_LEN, "%s%s%s",
- options.allow_ip_str, ",", "none/0");
+ if(options.nat_rand_port)
+ {
+ snprintf(access_buf, MAX_LINE_LEN, "%s%stcp/%d",
+ options.allow_ip_str, ",", get_rand_port(ctx));
+ }
+ else
+ {
+ snprintf(access_buf, MAX_LINE_LEN, "%s%s%s",
+ options.allow_ip_str, ",", "none/0");
+ }
}
}
res = fko_set_spa_message(ctx, access_buf);
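Review bot: the new `options.nat_rand_port` branch sits in the else-branch that previously emitted `none/0` (no explicit access request), so when the user also passes `-A tcp/4444` together with `--nat-rand-port` the random port is never used and no error is reported; reject that combination at option parsing instead. The branch also hard-codes `tcp/`, which rules out UDP services; either take the protocol from an option or document that `--nat-rand-port` is TCP-only. The `snprintf` result goes unchecked for truncation in both branches, although that is pre-existing in the `none/0` case.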
@@ -492,9 +500,9 @@
char nat_access_buf[MAX_LINE_LEN] = "";
int nat_port = 0;
- if (options->nat_rand_port)
+ /*if (options->nat_rand_port)
nat_port = get_rand_port(ctx);
- else if (options->nat_port)
+ else */if (options->nat_port)
nat_port = options->nat_port;
else
nat_port = DEFAULT_NAT_PORT;
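Review bot: commenting the `nat_rand_port` check out with `/* ... else */if` leaves dead code and a split `else */if` token that is easy to misread; delete the two lines instead, and state in the commit message that `--nat-rand-port` now feeds the SPA access string (the earlier hunk) rather than the NAT port, since the option's meaning changes. After this change `--nat-rand-port` without `--nat-port` falls through to DEFAULT_NAT_PORT, which is probably intended but should be said explicitly.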