On Mar 16, 2013, Karthik Ganesan wrote:

> Hello Michael,

Hello Karthik,

> Thank you very much for your reply.
> 
> I have created a patch for --nat-rand-port...
> 
> The way I read the man page (and how I want to use it) is for the fwknop
> client to generate a random port number for which it would request
> access from the server. The client would use --nat-port to request the
> mapping of this random port to a service on the other side of the
> firewall.
> 
> So, for example,
> 
>   fwknop --nat-local --nat-rand-port --nat-port 22 -a 1.1.1.1 -D 2.2.2.2
> 
> would generate the following SPA packet:
> FKO Field Values:
> =================
>    .....................
>    Message Type: 5
>  Message String: 1.1.1.1,tcp/37126
>      Nat Access: 2.2.2.2,22
>    .....................
> 
> where the client has generated a random port (37126) and asked for it to
> be mapped to port 22 on the server, allowing the following access via
> ssh:
> 
>   ssh -p 37126 2.2.2.2

Thanks for sending over the patch - as it turns out, I spent some time
working on this problem earlier today, and I believe I've solved it
(along with adding a bunch of new tests to verify this in the test suite).
I'm currently merging in another set of patches before I push out the
changes to github.

In your command line above, it is supported similarly (in my changes to be
pushed) with:

$ fwknop -A tcp/22 --nat-local --nat-rand-port -a 1.1.1.1 -D 2.2.2.2

The convention I was following is that --nat-rand-port and --nat-port
are port numbers that are to be translated into other ports that are
requested via either '-A' or '-N <IP:port>' criteria (the latter used for
accessing systems through the fwknopd system via the FORWARD chain,
etc. - i.e. --nat-local is not used in this case).  If this is not
intuitive though, then maybe I should also merge your idea of using
--nat-rand-port and --nat-port simultaneously.  Once my changes are
pushed can you take a look and let me know what you think?

I should be able to merge in your REDIRECT patch soon.

--Mike


> 
> Thanks,
> -karthik
> 
> 
> On Tue, 2013-03-12 at 23:58 -0400, Michael Rash wrote:
> > On Mar 12, 2013, Karthik Ganesan wrote:
> > 
> > > Hi,
> > 
> > Hello Karthik,
> > 
> > > I have the following setup:
> > > 
> > > spa_client [2.2.2.2] ------ Internet ----- [1.1.1.1] Router (configured 
> > > with spa_server as DMZ) [192.168.1.1] ------- [192.168.1.2] spa_server
> > > 
> > > I wanted to have fwknopd open up a port on the spa_server and redirect it 
> > > to the local ssh daemon listening on port 22.
> > > 
> > > nat-local seemed to be what I wanted:
> > > 
> > >            fwknop -A tcp/4444 -a 2.2.2.2 --nat-local --nat-port 22 -D 1.1.1.1 -v
> > > 
> > > should open up port 4444 and forward it to port 22.
> > > 
> > > But the DNAT rule to rewrite the destination address uses the server's 
> > > public IP 1.1.1.1 which is not available on any of the server's 
> > > interfaces!
> > > I also figured out that I could not use --nat-access as the server does 
> > > not setup a rule in the INPUT chain in this case.
> > 
> > If I understand correctly, I think the SNAT config vars (ENABLE_IPT_SNAT and
> > SNAT_TRANSLATE_IP) in the fwknopd.conf file might help with this.  But, this
> > functionality is a bit of a kludge, and should really be put into the
> > access.conf file.  Your idea of using the REDIRECT target is a good one...
> > 
> > > I patched the code to use -j REDIRECT instead of -j DNAT when --nat-local 
> > > is used.
> > > 
> > > I have provided the patch against version 2.0.4 below.
> > > This works for me...
> > 
> > Thanks for providing the patch, and I'll look at getting this into
> > fwknop-2.5, but it might go into 2.6 (not sure yet).  I've opened issue
> > #47 in github to track this with a milestone of fwknop-2.5 for now:
> > 
> > https://github.com/mrash/fwknop/issues/47
> > 
> > > But, being a fwknop newbie, I would appreciate it if I could get it 
> > > blessed... ;-)!
> > > 
> > > I also had a couple of questions:
> > >   1. How does --nat-rand-port work with --nat-local?
> > 
> > It looks like I may need to fix this functionality - fwknopd should take
> > the randomly assigned port value that is encrypted within the SPA packet
> > and NAT incoming connections to this port into the local service.  So,
> > if the client sets port "39921" to be locally NAT'd to port 22, then
> > fwknopd should build rules accordingly.  The test suite doesn't
> > currently test this, and I'll get this fixed.
> > 
> > >   2. What options should I use to ./configure for the default 
> > > access/config file locations?
> > 
> > For the ./configure args, I usually use:
> > 
> > $ ./configure --prefix=/usr --sysconfdir=/etc
> > 
> > Then the access.conf and fwknopd.conf files go in /etc/fwknop/ which is
> > probably the best default location.
> > 
> > --Mike
> > 
> > 
> > > Thanks,
> > > -karthik
> > > 
> > > 
> > > --- fwknop-2.0.4/server/fw_util_iptables.c        2012-12-09 
> > > 15:55:59.000000000 -0500
> > > +++ fwknop-2.0.4-patched/server/fw_util_iptables.c        2013-03-12 
> > > 08:14:38.618453300 -0400
> > > @@ -882,19 +882,34 @@
> > >                 add_jump_rule(opts, IPT_DNAT_ACCESS);
> > > 
> > >             zero_cmd_buffers();
> > > -
> > > -            snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " 
> > > IPT_ADD_DNAT_RULE_ARGS,
> > > -                opts->fw_config->fw_command,
> > > -                dnat_chain->table,
> > > -                dnat_chain->to_chain,
> > > -                fst_proto,
> > > -                spadat->use_src_ip,
> > > -                fst_port,
> > > -                exp_ts,
> > > -                dnat_chain->target,
> > > -                nat_ip,
> > > -                nat_port
> > > -            );
> > > +            if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG)
> > > +            {
> > > +                snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " 
> > > IPT_ADD_REDIRECT_RULE_ARGS,
> > > +                    opts->fw_config->fw_command,
> > > +                    dnat_chain->table,
> > > +                    dnat_chain->to_chain,
> > > +                    fst_proto,
> > > +                    spadat->use_src_ip,
> > > +                    fst_port,
> > > +                    exp_ts,
> > > +                    nat_port
> > > +                );
> > > +             }
> > > +            else
> > > +            {
> > > +                snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " 
> > > IPT_ADD_DNAT_RULE_ARGS,
> > > +                    opts->fw_config->fw_command,
> > > +                    dnat_chain->table,
> > > +                    dnat_chain->to_chain,
> > > +                    fst_proto,
> > > +                    spadat->use_src_ip,
> > > +                    fst_port,
> > > +                    exp_ts,
> > > +                    dnat_chain->target,
> > > +                    nat_ip,
> > > +                    nat_port
> > > +                );
> > > +            }
> > > 
> > >             res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
> > > 
> > > 
> > > 
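Review bot: the closing brace of the new REDIRECT branch (`+             }`) is indented one column deeper than its `if` and than the matching `}` of the `else` block; align it. The branch keeps the same table, chain, `-s`/`--dport` match and EXPIRE_COMMENT_PREFIX comment as the DNAT rule, so the existing expiry-based deletion should still find these rules; a short comment above the `if` saying why local NAT uses REDIRECT (the SPA packet's destination IP, here the router's public address, is not configured on the fwknopd host, so a DNAT to it never matches) would make the intent clear to the next reader.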
> > > --- fwknop-2.0.4/server/fw_util_iptables.h        2012-12-09 
> > > 15:55:59.000000000 -0500
> > > +++ fwknop-2.0.4-patched/server/fw_util_iptables.h        2013-03-12 
> > > 08:10:36.242318088 -0400
> > > @@ -39,6 +39,7 @@
> > > #define IPT_ADD_OUT_RULE_ARGS   "-t %s -A %s -p %i -d %s --sport %i -m 
> > > comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
> > > #define IPT_ADD_FWD_RULE_ARGS   "-t %s -A %s -p %i -s %s -d %s --dport %i 
> > > -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
> > > #define IPT_ADD_DNAT_RULE_ARGS  "-t %s -A %s -p %i -s %s --dport %i -m 
> > > comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination 
> > > %s:%i 2>&1"
> > > +#define IPT_ADD_REDIRECT_RULE_ARGS  "-t %s -A %s -p %i -s %s --dport %i 
> > > -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j REDIRECT --to-ports 
> > > %i 2>&1"
> > > #define IPT_ADD_SNAT_RULE_ARGS  "-t %s -A %s -p %i -d %s --dport %i -m 
> > > comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1"
> > > #define IPT_TMP_COMMENT_ARGS    "-t %s -I %s %i -s 127.0.0.2 -m comment 
> > > --comment " TMP_COMMENT " -j %s 2>&1"
> > > #define IPT_DEL_RULE_ARGS       "-t %s -D %s %i 2>&1"
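Review bot: unlike the other rule macros, which take the jump target through a `%s` and receive `dnat_chain->target` as an argument, IPT_ADD_REDIRECT_RULE_ARGS hard-codes `-j REDIRECT --to-ports %i`; that is consistent with the caller dropping `dnat_chain->target` and `nat_ip` from its argument list (eight conversions, eight arguments), but the asymmetry deserves a comment so that a future change to the `%s`-target convention does not silently break this one. Also align the macro name with the two-space padding used by the surrounding `#define` lines.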
> > 
> > 
> > > _______________________________________________
> > > Fwknop-discuss mailing list
> > > [email protected]
> > > https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
> > 
> > 
> 

> --- fwknop-2.0.4/client/fwknop.c      2012-12-09 15:55:59.000000000 -0500
> +++ fwknop-2.0.4-patched/client/fwknop.c      2013-03-15 21:24:44.853864258 
> -0400
> @@ -172,8 +172,16 @@
>          }
>          else
>          {
> -            snprintf(access_buf, MAX_LINE_LEN, "%s%s%s",
> -                    options.allow_ip_str, ",", "none/0");
> +            if(options.nat_rand_port)
> +            {
> +                 snprintf(access_buf, MAX_LINE_LEN, "%s%stcp/%d",
> +                          options.allow_ip_str, ",", get_rand_port(ctx));
> +            }
> +            else
> +            {
> +                snprintf(access_buf, MAX_LINE_LEN, "%s%s%s",
> +                         options.allow_ip_str, ",", "none/0");
> +            }
>          }
>      }
>      res = fko_set_spa_message(ctx, access_buf);
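Review bot: the random port is written into the access string as `tcp/%d`, so `--nat-rand-port` cannot request a UDP service; either derive the protocol from the options or document that the random-port mode is TCP-only. The new branch only runs in the `else` case shown here, so the behaviour when the user also supplies an explicit `-A` value (the branch above this hunk) is not visible in the patch and should be stated in the commit message.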
> @@ -492,9 +500,9 @@
>      char nat_access_buf[MAX_LINE_LEN] = "";
>      int nat_port = 0;
>  
> -    if (options->nat_rand_port)
> +    /*if (options->nat_rand_port)
>          nat_port = get_rand_port(ctx);
> -    else if (options->nat_port)
> +    else */if (options->nat_port)
>          nat_port = options->nat_port;
>      else
>          nat_port = DEFAULT_NAT_PORT;
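Review bot: the `/* ... else */if` construction leaves dead code in place; delete the two lines rather than commenting them out, since the random port is now generated in the access-string code and must not be drawn a second time here (two `get_rand_port(ctx)` calls would put different ports in the message and NAT fields). With this change `--nat-rand-port` without `--nat-port` silently falls back to DEFAULT_NAT_PORT, which should either be documented or rejected at option parsing.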


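To make the local-NAT problem from this thread concrete, here is an added example (not fwknop code, and not part of the original posts) that parses the two decrypted SPA fields shown above, checks whether a DNAT rule would name an address the server does not own, and builds the REDIRECT form instead. The chain name FWKNOP_PREROUTING, the `_exp_` comment prefix and the value 4 for the non-local NAT message type are assumptions.

```python
import ipaddress
from dataclasses import dataclass

FKO_LOCAL_NAT_ACCESS_MSG = 5   # "Message Type: 5" in the SPA dump above
FKO_NAT_ACCESS_MSG = 4         # assumption: value of the non-local NAT type


@dataclass
class SpaData:
    message_type: int
    src_ip: str      # allowed source, from the "Message String" field
    proto: str
    port: int        # port requested on the fwknopd host
    nat_ip: str      # from the "Nat Access" field
    nat_port: int


def parse_spa(message_type, message_str, nat_access):
    """Split the decrypted fields, e.g. '1.1.1.1,tcp/37126' and '2.2.2.2,22'."""
    src_ip, svc = message_str.split(",", 1)
    proto, port = svc.split("/", 1)
    nat_ip, nat_port = nat_access.split(",", 1)
    return SpaData(message_type, src_ip, proto, int(port), nat_ip, int(nat_port))


def dnat_would_fail(spa, local_ips):
    """True when a local-NAT request names a --to-destination IP that is not
    configured on this host (DMZ case: router holds 1.1.1.1, server is 192.168.1.2)."""
    if spa.message_type != FKO_LOCAL_NAT_ACCESS_MSG:
        return False   # forwarding to another host: a remote nat_ip is expected
    return ipaddress.ip_address(spa.nat_ip) not in {ipaddress.ip_address(i) for i in local_ips}


def build_nat_rule(spa, exp_ts, fw_command="iptables"):
    """argv of the nat-table rule; chain and comment prefix are assumed names."""
    rule = [fw_command, "-t", "nat", "-A", "FWKNOP_PREROUTING",
            "-p", spa.proto, "-s", spa.src_ip, "--dport", str(spa.port),
            "-m", "comment", "--comment", f"_exp_{exp_ts}"]
    if spa.message_type == FKO_LOCAL_NAT_ACCESS_MSG:
        # REDIRECT rewrites the destination to the incoming interface's own
        # address, so the unusable public IP never appears in the rule.
        return rule + ["-j", "REDIRECT", "--to-ports", str(spa.nat_port)]
    return rule + ["-j", "DNAT", "--to-destination", f"{spa.nat_ip}:{spa.nat_port}"]


if __name__ == "__main__":
    spa = parse_spa(FKO_LOCAL_NAT_ACCESS_MSG, "2.2.2.2,tcp/4444", "1.1.1.1,22")
    print(dnat_would_fail(spa, ["127.0.0.1", "192.168.1.2"]))  # True
    print(" ".join(build_nat_rule(spa, 1363400000)))
```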