On Sat, 2013-03-16 at 22:20 -0400, Michael Rash wrote:
> On Mar 16, 2013, Karthik Ganesan wrote:
>
> > Hello Michael,
>
> Hello Karthik,
>
> > Thank you very much for your reply.
> >
> > I have created a patch for --nat-rand-port...
> >
> > The way I read the man page (and how I want to use it) is for fwknop
> > client to generate a random port number for which it would request
> > access from the server. The client would use --nat-port to request the
> > mapping of this random port to a service on the other side of the
> > firewall.
> >
> > So, for example,
> >
> > fwknop --nat-local --nat-rand-port --nat-port 22 -a 1.1.1.1 -D 2.2.2.2
> >
> > would generate the following SPA packet:
> > FKO Field Values:
> > =================
> > .....................
> > Message Type: 5
> > Message String: 1.1.1.1,tcp/37126
> > Nat Access: 2.2.2.2,22
> > .....................
> >
> > where the client has generated a random port (37126) and asked for it to
> > be mapped to port 22 on the server, allowing the following access via
> > ssh:
> >
> > ssh -p 37126 2.2.2.2
>
> Thanks for sending over the patch - as it turns out, I spent some time
> working on this problem earlier today, and I believe I've solved it
> (along with adding a bunch of new tests to verify this in the test suite).
> I'm currently merging in another set of patches before I push out the
> changes to github.
>
Awesome!

> In your command line above, it is supported similarly (in my changes to be
> pushed) with:
>
> $ fwknop -A tcp/22 --nat-local --nat-rand-port -a 1.1.1.1 -D 2.2.2.2
>
> The convention I was following is that --nat-rand-port and --nat-port
> are port numbers that are to be translated into other ports that are
> requested via either '-A' or '-N <IP:port>' criteria (the latter used for
> accessing systems through the fwknopd system via the FORWARD chain,
> etc. - i.e. --nat-local is not used in this case). If this is not
> intuitive though, then maybe I should also merge your idea of using
> --nat-rand-port and --nat-port simultaneously. Once my changes are
> pushed can you take a look and let me know what you think?

I think I get it... To confirm, when we are NOT requesting NAT redirection
(i.e. FKO_ACCESS_MSG), the server will interpret the access message field as
a port that has to be opened (i.e. an INPUT rule will be added for
connections to this port). When we are requesting NAT redirection (either
nat-local or nat-access / FKO_NAT_ACCESS_MSG or FKO_LOCAL_NAT_ACCESS_MSG),
then the access message field is actually what the port will be rewritten
to in the PREROUTE?

I would love to help in any way I can. I must admit that I still don't have
my mind completely wrapped around the path of a packet through net-filter!
But I can certainly serve as an extra pair of eyes if that is useful.

> I should be able to merge in your REDIRECT patch soon.
>
Thanks
-karthik

> --Mike
>
> >
> > Thanks,
> > -karthik
> >
> >
> > On Tue, 2013-03-12 at 23:58 -0400, Michael Rash wrote:
> > > On Mar 12, 2013, Karthik Ganesan wrote:
> > >
> > > > Hi,
> > >
> > > Hello Karthik,
> > >
> > > > I have the following setup:
> > > >
> > > > spa_client [2.2.2.2] ------ Internet ----- [1.1.1.1] Router (configured
> > > > with spa_server as DMZ) [192.168.1.1] ------- [192.168.1.2] spa_server
> > > >
> > > > I wanted to have fwknopd open up a port on the spa_server and redirect
> > > > it to the local ssh daemon listening on port 22.
> > > >
> > > > nat-local seemed to be what I wanted:
> > > >
> > > > fwknop -A tcp/4444 -a 2.2.2.2 --nat-local --nat-port 22 -D 1.1.1.1 -v
> > > >
> > > > should open up port 4444 and forward it to port 22.
> > > >
> > > > But the DNAT rule to rewrite the destination address uses the server's
> > > > public IP 1.1.1.1 which is not available on any of the server's
> > > > interfaces!
> > > > I also figured out that I could not use --nat-access as the server does
> > > > not set up a rule in the INPUT chain in this case.
> > >
> > > If I understand correctly, I think the SNAT config vars (ENABLE_IPT_SNAT
> > > and SNAT_TRANSLATE_IP) in the fwknopd.conf file might help with this.
> > > But this functionality is a bit of a kludge, and should really be put
> > > into the access.conf file. Your idea of using the REDIRECT target is a
> > > good one...
> > >
> > > > I patched the code to use -j REDIRECT instead of -j DNAT when
> > > > --nat-local is used.
> > > >
> > > > I have provided the patch against version 2.0.4 below.
> > > > This works for me...
> > >
> > > Thanks for providing the patch, and I'll look at getting this into
> > > fwknop-2.5, but it might go into 2.6 (not sure yet).
> > > I've opened issue #47 in github to track this with a milestone of
> > > fwknop-2.5 for now:
> > >
> > > https://github.com/mrash/fwknop/issues/47
> > >
> > > > But, being a fwknop newbie, I would appreciate it if I could get it
> > > > blessed... ;-)!
> > > >
> > > > I also had a couple of questions:
> > > > 1. How does --nat-rand-port work with --nat-local?
> > >
> > > It looks like I may need to fix this functionality - fwknopd should take
> > > the randomly assigned port value that is encrypted within the SPA packet
> > > and NAT incoming connections to this port into the local service. So,
> > > if the client sets port "39921" to be locally NAT'd to port 22, then
> > > fwknopd should build rules accordingly. The test suite doesn't
> > > currently test this, and I'll get this fixed.
> > >
> > > > 2. What options should I use to ./configure for the default
> > > > access/config file locations?
> > >
> > > For the ./configure args, I usually use:
> > >
> > > $ ./configure --prefix=/usr --sysconfdir=/etc
> > >
> > > Then the access.conf and fwknopd.conf files go in /etc/fwknop/ which is
> > > probably the best default location.
> > >
> > > --Mike
> > >
> > > > Thanks,
> > > > -karthik
> > > >
> > > > --- fwknop-2.0.4/server/fw_util_iptables.c 2012-12-09 15:55:59.000000000 -0500
> > > > +++ fwknop-2.0.4-patched/server/fw_util_iptables.c 2013-03-12 08:14:38.618453300 -0400
> > > > @@ -882,19 +882,34 @@ > > > > add_jump_rule(opts, IPT_DNAT_ACCESS); > > > > > > > > zero_cmd_buffers(); > > > > - > > > > - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " > > > > IPT_ADD_DNAT_RULE_ARGS, > > > > - opts->fw_config->fw_command, > > > > - dnat_chain->table, > > > > - dnat_chain->to_chain, > > > > - fst_proto, > > > > - spadat->use_src_ip, > > > > - fst_port, > > > > - exp_ts, > > > > - dnat_chain->target, > > > > - nat_ip, > > > > - nat_port > > > > - ); > > > > + if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG) > > > > + { > > > > + snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " > > > > IPT_ADD_REDIRECT_RULE_ARGS, > > > > + opts->fw_config->fw_command, > > > > + dnat_chain->table, > > > > + dnat_chain->to_chain, > > > > + fst_proto, > > > > + spadat->use_src_ip, > > > > + fst_port, > > > > + exp_ts, > > > > + nat_port > > > > + ); > > > > + } > > > > + else > > > > + { > > > > + snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " > > > > IPT_ADD_DNAT_RULE_ARGS, > > > > + opts->fw_config->fw_command, > > > > + dnat_chain->table, > > > > + dnat_chain->to_chain, > > > > + fst_proto, > > > > + spadat->use_src_ip, > > > > + fst_port, > > > > + exp_ts, > > > > + dnat_chain->target, > > > > + nat_ip, > > > > + nat_port > > > > + ); > > > > + } > > > > > > > > res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0); > > > > > > > > > > > > > > > > --- fwknop-2.0.4/server/fw_util_iptables.h 2012-12-09 > > > > 15:55:59.000000000 -0500 > > > > +++ fwknop-2.0.4-patched/server/fw_util_iptables.h 2013-03-12 > > > > 08:10:36.242318088 -0400 
> > > > @@ -39,6 +39,7 @@ > > > > #define IPT_ADD_OUT_RULE_ARGS "-t %s -A %s -p %i -d %s --sport %i -m > > > > comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1" > > > > #define IPT_ADD_FWD_RULE_ARGS "-t %s -A %s -p %i -s %s -d %s --dport > > > > %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1" > > > > #define IPT_ADD_DNAT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m > > > > comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination > > > > %s:%i 2>&1" > > > > +#define IPT_ADD_REDIRECT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport > > > > %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j REDIRECT > > > > --to-ports %i 2>&1" > > > > #define IPT_ADD_SNAT_RULE_ARGS "-t %s -A %s -p %i -d %s --dport %i -m > > > > comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1" > > > > #define IPT_TMP_COMMENT_ARGS "-t %s -I %s %i -s 127.0.0.2 -m comment > > > > --comment " TMP_COMMENT " -j %s 2>&1" > > > > #define IPT_DEL_RULE_ARGS "-t %s -D %s %i 2>&1"
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
> > > > Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the
> > > > endpoint security space. For insight on selecting the right partner to
> > > > tackle endpoint security challenges, access the full report.
> > > > http://p.sf.net/sfu/symantec-dev2dev
> > > > _______________________________________________
> > > > Fwknop-discuss mailing list
> > > > [email protected]
> > > > https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
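Review bot: in the fw_util_iptables.c hunk, the FKO_LOCAL_NAT_ACCESS_MSG branch builds the rule from fst_port and nat_port only, so the nat_ip resolved for the DNAT case (the public 1.1.1.1 that is not on any server interface, per the original report) is no longer consulted, which is the intended fix; what is not visible here is the matching filter rule, and it needs to be checked: nat/PREROUTING runs before filter/INPUT, so a packet redirected by this rule reaches INPUT with --dport nat_port (22 in the example), not fst_port (4444), and the INPUT ACCEPT for the local-NAT case must therefore be added for nat_port. Minor: the two snprintf calls repeat seven arguments; selecting the format string first and issuing one snprintf would remove the duplication.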
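Review bot: in the fw_util_iptables.h hunk, IPT_ADD_REDIRECT_RULE_ARGS hardcodes "-j REDIRECT" while every sibling macro takes its target through "%s" (the DNAT path passes dnat_chain->target), so a target configured for the DNAT chain is silently ignored on the local-NAT path; either pass the target as "%s" for consistency or put a comment on the macro saying REDIRECT is deliberate because the local service has no routable destination IP. The macro's seven conversions plus the leading "%s " for fw_command in the .c hunk line up with the eight arguments passed there, so the format/argument count is consistent.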
> > --- fwknop-2.0.4/client/fwknop.c 2012-12-09 15:55:59.000000000 -0500 > > +++ fwknop-2.0.4-patched/client/fwknop.c 2013-03-15 21:24:44.853864258 > > -0400 > > @@ -172,8 +172,16 @@ > > } > > else > > { > > - snprintf(access_buf, MAX_LINE_LEN, "%s%s%s", > > - options.allow_ip_str, ",", "none/0"); > > + if(options.nat_rand_port) > > + { > > + snprintf(access_buf, MAX_LINE_LEN, "%s%stcp/%d", > > + options.allow_ip_str, ",", get_rand_port(ctx)); > > + } > > + else > > + { > > + snprintf(access_buf, MAX_LINE_LEN, "%s%s%s", > > + options.allow_ip_str, ",", "none/0"); > > + } > > } > > } > > res = fko_set_spa_message(ctx, access_buf);
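Review bot: the new branch in the @@ -172 hunk keys on options.nat_rand_port alone, not on whether a NAT mode was requested, so "fwknop --nat-rand-port -a ... -D ..." without -A and without --nat-local/--nat-access sends "<ip>,tcp/<random>" as a plain access request and asks fwknopd to open a random port that nothing listens on; gate this branch on the NAT options, or reject that combination at option parsing. The protocol is also fixed to "tcp" here, which should be stated in the --nat-rand-port man page text. Since the second hunk disables the other get_rand_port(ctx) call, this is now the single draw of the random port, which is what you want (two draws would put different ports in the access and NAT fields); keep it that way.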
> > @@ -492,9 +500,9 @@ > > char nat_access_buf[MAX_LINE_LEN] = ""; > > int nat_port = 0; > > > > - if (options->nat_rand_port) > > + /*if (options->nat_rand_port) > > nat_port = get_rand_port(ctx); > > - else if (options->nat_port) > > + else */if (options->nat_port) > > nat_port = options->nat_port; > > else > > nat_port = DEFAULT_NAT_PORT;
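Review bot: in the @@ -492 hunk the --nat-rand-port branch is commented out rather than deleted, leaving "else */if (options->nat_port)", which is hard to read and easy to mistake for live code; delete the two lines instead. With that branch gone, --nat-rand-port given without --nat-port now falls through silently to DEFAULT_NAT_PORT, a behaviour change from what 2.0.4 did with the option, so the --nat-rand-port man page entry should say that the random port is the requested (externally opened) port and --nat-port names the service it maps to.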
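To make the semantics discussed above concrete (access message port versus NAT port, REDIRECT for --nat-local versus DNAT for --nat-access, and which filter chain sees the rewritten port), here is a small stand-alone C program added by the editor. It is not code from fwknop or from either poster: the message-type value 5 is the "Message Type: 5" shown in the thread, the values 1 and 2 for the other two types, the chain name FWKNOP_PREROUTING and the comment prefix _exp_ are assumptions for the illustration, and the sample inputs are the FKO field values quoted in the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* SPA message types. 5 is the "Message Type: 5" shown in the thread for
 * --nat-local; the values for the other two are assumed here. */
enum { MSG_ACCESS = 1, MSG_NAT_ACCESS = 2, MSG_LOCAL_NAT_ACCESS = 5 };

/* Protocol numbers as iptables' "-p %i" expects them. */
enum { PROTO_NONE = 0, PROTO_TCP = 6, PROTO_UDP = 17 };

#define RULE_LEN       256
#define COMMENT_PREFIX "_exp_"              /* assumed expiry-comment prefix */
#define NAT_CHAIN      "FWKNOP_PREROUTING"  /* assumed name of the nat-table chain */

typedef struct {
    char src_ip[16];
    int  proto;
    int  port;   /* port named in the access message; 0 when it is "none/0" */
} access_msg_t;

/* Parse an access message such as "1.1.1.1,tcp/37126" or "1.1.1.1,none/0".
 * Returns 0 on success, -1 on malformed input. */
int parse_access_msg(const char *msg, access_msg_t *out)
{
    char proto[8];
    memset(out, 0, sizeof(*out));
    if (sscanf(msg, "%15[0-9.],%7[a-z]/%d", out->src_ip, proto, &out->port) != 3)
        return -1;
    if (strcmp(proto, "tcp") == 0)       out->proto = PROTO_TCP;
    else if (strcmp(proto, "udp") == 0)  out->proto = PROTO_UDP;
    else if (strcmp(proto, "none") == 0) out->proto = PROTO_NONE;
    else return -1;
    if (out->port < 0 || out->port > 65535) return -1;
    return 0;
}

/* Parse the NAT access field "2.2.2.2,22". Returns 0 on success. */
int parse_nat_access(const char *msg, char nat_ip[16], int *nat_port)
{
    if (sscanf(msg, "%15[0-9.],%d", nat_ip, nat_port) != 2) return -1;
    if (*nat_port < 1 || *nat_port > 65535) return -1;
    return 0;
}

/* Build the nat-table rule for this SPA packet: REDIRECT for local NAT
 * (no destination IP needed, which is the point of the patch in the thread),
 * DNAT for NAT to another host. Returns 0 and fills `rule`, or -1 when the
 * message type needs no NAT rule or the buffer is too small. */
int build_nat_rule(int msg_type, const access_msg_t *acc, const char *nat_ip,
                   int nat_port, unsigned exp_ts, char *rule, size_t len)
{
    int n;
    if (msg_type == MSG_LOCAL_NAT_ACCESS)
        n = snprintf(rule, len,
            "iptables -t nat -A %s -p %i -s %s --dport %i -m comment --comment "
            COMMENT_PREFIX "%u -j REDIRECT --to-ports %i",
            NAT_CHAIN, acc->proto, acc->src_ip, acc->port, exp_ts, nat_port);
    else if (msg_type == MSG_NAT_ACCESS)
        n = snprintf(rule, len,
            "iptables -t nat -A %s -p %i -s %s --dport %i -m comment --comment "
            COMMENT_PREFIX "%u -j DNAT --to-destination %s:%i",
            NAT_CHAIN, acc->proto, acc->src_ip, acc->port, exp_ts, nat_ip, nat_port);
    else
        return -1;
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Which filter-table chain sees the packet and with which destination port.
 * nat/PREROUTING runs before the routing decision, so both filter/INPUT
 * (local delivery) and filter/FORWARD (another host) see the rewritten port. */
int filter_rule_port(int msg_type, const access_msg_t *acc, int nat_port,
                     const char **chain)
{
    switch (msg_type) {
    case MSG_ACCESS:           *chain = "INPUT";   return acc->port;
    case MSG_LOCAL_NAT_ACCESS: *chain = "INPUT";   return nat_port;
    case MSG_NAT_ACCESS:       *chain = "FORWARD"; return nat_port;
    default:                   *chain = NULL;      return -1;
    }
}

int main(void)
{
    /* Constructed from the FKO field values quoted in the thread. */
    access_msg_t acc;
    char nat_ip[16], rule[RULE_LEN];
    const char *chain;
    int nat_port;

    if (parse_access_msg("1.1.1.1,tcp/37126", &acc) != 0 ||
        parse_nat_access("2.2.2.2,22", nat_ip, &nat_port) != 0)
        return 1;
    if (build_nat_rule(MSG_LOCAL_NAT_ACCESS, &acc, nat_ip, nat_port,
                       1363500000u, rule, sizeof rule) != 0)
        return 1;
    printf("%s\n", rule);
    printf("filter rule: -A %s --dport %d -j ACCEPT\n", chain = NULL,
           filter_rule_port(MSG_LOCAL_NAT_ACCESS, &acc, nat_port, &chain));
    return 0;
}
```

The two functions worth reading together are build_nat_rule and filter_rule_port: the first shows why the local case needs no nat_ip at all, the second shows why the accompanying ACCEPT rule for --nat-local must match port 22 and not 37126.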
