On Mar 17, 2013, Karthik Ganesan wrote:

> On Sat, 2013-03-16 at 22:20 -0400, Michael Rash wrote:
> > On Mar 16, 2013, Karthik Ganesan wrote:
> > 
> > > Hello Michael,
> > 
> > Hello Karthik,
> > 
> > > Thank you very much for your reply.
> > > 
> > > I have created a patch for --nat-rand-port...
> > > 
> > > The way I read the man page (and how I want to use it) is for fwknop
> > > client to generate a random port number for which it would request
> > > access from the server. The client would use --nat-port to request the
> > > mapping of this random port to a service on the other side of the
> > > firewall.
> > > 
> > > So, for example,
> > > 
> > >   fwknop --nat-local --nat-rand-port --nat-port 22 -a 1.1.1.1 -D 2.2.2.2
> > > 
> > > would generate the following SPA packet:
> > > FKO Field Values:
> > > =================
> > >    .....................
> > >    Message Type: 5
> > >  Message String: 1.1.1.1,tcp/37126
> > >      Nat Access: 2.2.2.2,22
> > >    .....................
> > > 
> > > where the client has generated a random port (37126) and asked for it to
> > > be mapped to port 22 on the server, allowing the following access via
> > > ssh:
> > > 
> > >   ssh -p 37126 2.2.2.2
> > 
> > Thanks for sending over the patch - as it turns out, I spent some time
> > working on this problem earlier today, and I believe I've solved it
> > (along with adding a bunch of new tests to verify this in the test suite).
> > I'm currently merging in another set of patches before I push out the
> > changes to github.
> > 
> 
> Awesome!

The changes to fix --nat-rand-port and --nat-port have been pushed to the
hmac_support branch (where all recent work is going in support of the upcoming
release to add authenticated encryption for SPA communications):

https://github.com/mrash/fwknop/commit/4bdb71315a049e072f95e3426fe9c149ca763586

> > In your command line above, it is supported similarly (in my changes to be
> > pushed) with:
> > 
> > $ fwknop -A tcp/22 --nat-local --nat-rand-port -a 1.1.1.1 -D 2.2.2.2
> > 
> > The convention I was following is that --nat-rand-port and --nat-port
> > are port numbers that are to be translated into other ports that are
> > requested via either '-A' or '-N <IP:port>' criteria (the latter used for
> > accessing systems through the fwknopd system via the FORWARD chain,
> > etc. - i.e. --nat-local is not used in this case).  If this is not
> > intuitive though, then maybe I should also merge your idea of using
> > --nat-rand-port and --nat-port simultaneously.  Once my changes are
> > pushed can you take a look and let me know what you think?
> > 
> 
> I think I get it...
> To confirm, when we are NOT requesting nat redirection (i.e.
> FKO_ACCESS_MSG), the server will interpret the access message field as a
> port that has to be opened (i.e. INPUT rule will be added for connection
> to this port).

Correct.

> When we are requesting nat redirection (either nat-local or nat-access/
> FKO_NAT_ACCESS_MSG or FKO_LOCAL_NAT_ACCESS_MSG), then the access message
> field is actually what the port will be rewritten to in the PREROUTE?

Yes, that's right behind the scenes, but the user just knows that
whatever service is being requested access to via -A is what they will be
able to access.  It just happens that adding NAT criteria allows access
to this service via something else.

Here is an illustration of what fwknopd generates for
--nat-rand-port access to sshd:

FWKNOP_FORWARD chain:
1    ACCEPT     tcp  --  127.0.0.2            192.168.1.2          tcp dpt:22 /* _exp_1363569786 */

FWKNOP_PREROUTING chain:
1    DNAT       tcp  --  127.0.0.2            0.0.0.0/0            tcp dpt:45247 /* _exp_1363569786 */ to:192.168.1.2:22

So the user would be able to access sshd on 192.168.1.2 via port 45247
on whatever IP is running fwknopd.  (These are rules created via the
test suite.)

There is also new output generated by the client to let the user know
what the randomly assigned NAT port is - without this output the user
has no way to know where to make the connection after the SPA packet is
sent.  This is generated regardless of whether --verbose mode is also
used, and here is an example:

$ fwknop -A tcp/22 --nat-local --nat-rand-port -a 1.1.1.1 -D 127.0.0.1
[+] Randomly assigned port '49220' on: '1.1.1.1,tcp/49220' will grant access to: '127.0.0.1,22'
Enter encryption key:

> I would love to help in any way I can. I must admit that I still don't
> have my mind completely wrapped around the path of a packet through
> net-filter! But, I can certainly serve as an extra pair of eyes if that
> is useful.

Additional eyes looking at the code are always great - I would recommend
cloning the fwknop repository if you haven't already done this and
checking out the hmac_support branch.

Current issues are listed here, and more may be added prior to the next
release:

https://github.com/mrash/fwknop/issues?milestone=4&state=open

Thanks,

--Mike
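As an added illustration of the rule construction discussed above (this is not code from the thread or from fwknop itself): the two PREROUTING rule formats quoted from fw_util_iptables.h later in this thread, rendered from the SPA access message and NAT access fields in Karthik's packet dump, with the local-NAT case taking the REDIRECT target his patch proposes. The FKO message-type values, the protocol-number mapping and the bare `iptables` command name are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Rule formats as quoted from fwknop-2.0.4's fw_util_iptables.h in this thread,
 * minus the trailing "2>&1" so the result can be compared as a plain string. */
#define EXPIRE_COMMENT_PREFIX "_exp_"
#define IPT_ADD_DNAT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment " \
    "--comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i"
#define IPT_ADD_REDIRECT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i " \
    "-m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j REDIRECT --to-ports %i"

/* Assumed stand-ins for fwknop's FKO message types (5 = "Message Type: 5" above) */
enum { NAT_ACCESS_MSG = 4, LOCAL_NAT_ACCESS_MSG = 5 };

/* Build the FWKNOP_PREROUTING rule for one SPA packet from its access message
 * "<allow_ip>,<proto>/<port>" (the port the client connects to) and its NAT
 * access field "<nat_ip>,<nat_port>" (the real service). A local NAT request
 * becomes a REDIRECT that never uses nat_ip, so the DMZ/router case works even
 * though the public IP in the packet is not bound on fwknopd's host.
 * Returns 0 on success, -1 on a malformed field or an out-of-range port. */
int build_prerouting_rule(int msg_type, const char *access_msg, const char *nat_access,
                          unsigned int exp_ts, char *out, size_t outlen)
{
    char src_ip[64], proto[8], nat_ip[64];
    int port, nat_port, proto_num;
    if (sscanf(access_msg, "%63[^,],%7[^/]/%d", src_ip, proto, &port) != 3 ||
        sscanf(nat_access, "%63[^,],%d", nat_ip, &nat_port) != 2)
        return -1;
    if (port < 1 || port > 65535 || nat_port < 1 || nat_port > 65535)
        return -1;
    if (strcmp(proto, "tcp") == 0)      proto_num = 6;   /* IPPROTO_TCP */
    else if (strcmp(proto, "udp") == 0) proto_num = 17;  /* IPPROTO_UDP */
    else return -1;
    if (msg_type == LOCAL_NAT_ACCESS_MSG)
        snprintf(out, outlen, "iptables " IPT_ADD_REDIRECT_RULE_ARGS, "nat",
                 "FWKNOP_PREROUTING", proto_num, src_ip, port, exp_ts, nat_port);
    else
        snprintf(out, outlen, "iptables " IPT_ADD_DNAT_RULE_ARGS, "nat",
                 "FWKNOP_PREROUTING", proto_num, src_ip, port, exp_ts, "DNAT",
                 nat_ip, nat_port);
    return 0;
}

/* Convenience check: 1 if the rule builds and equals expected, otherwise 0. */
int rule_matches(int msg_type, const char *access_msg, const char *nat_access,
                 unsigned int exp_ts, const char *expected)
{
    char buf[512];
    if (build_prerouting_rule(msg_type, access_msg, nat_access, exp_ts,
                              buf, sizeof buf) != 0) return 0;
    return strcmp(buf, expected) == 0;
}
```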


> > I should be able to merge in your REDIRECT patch soon.
> > 
> 
> Thanks
> -karthik
> 
> > --Mike
> > 
> > 
> > > 
> > > Thanks,
> > > -karthik
> > > 
> > > 
> > > On Tue, 2013-03-12 at 23:58 -0400, Michael Rash wrote:
> > > > On Mar 12, 2013, Karthik Ganesan wrote:
> > > > 
> > > > > Hi,
> > > > 
> > > > Hello Karthik,
> > > > 
> > > > > I have the following setup:
> > > > > 
> > > > > spa_client [2.2.2.2] ------ Internet ----- [1.1.1.1] Router 
> > > > > (configured with spa_server as DMZ) [192.168.1.1] ------- 
> > > > > [192.168.1.2] spa_server
> > > > > 
> > > > > I wanted to have fwknopd open up a port on the spa_server and 
> > > > > redirect it to the local ssh daemon listening on port 22.
> > > > > 
> > > > > nat-local seemed to be what I wanted:
> > > > > 
> > > > >            fwknop -A tcp/4444 -a 2.2.2.2 --nat-local --nat-port 22 -D 1.1.1.1 -v
> > > > > 
> > > > > should open up port 4444 and forward it to port 22.
> > > > > 
> > > > > But the DNAT rule to rewrite the destination address uses the 
> > > > > server's public IP 1.1.1.1 which is not available on any of the 
> > > > > server's interfaces!
> > > > > I also figured out that I could not use --nat-access as the server 
> > > > > does not set up a rule in the INPUT chain in this case.
> > > > 
> > > > If I understand correctly, I think the SNAT config vars (ENABLE_IPT_SNAT and
> > > > SNAT_TRANSLATE_IP) in the fwknopd.conf file might help with this.  But, this
> > > > functionality is a bit of a kludge, and should really be put into the
> > > > access.conf file.  Your idea of using the REDIRECT target is a good one...
> > > > 
> > > > > I patched the code to use -j REDIRECT instead of -j DNAT when 
> > > > > --nat-local is used.
> > > > > 
> > > > > I have provided the patch against version 2.0.4 below.
> > > > > This works for me...
> > > > 
> > > > Thanks for providing the patch, and I'll look at getting this into
> > > > fwknop-2.5, but it might go into 2.6 (not sure yet).  I've opened issue
> > > > #47 in github to track this with a milestone of fwknop-2.5 for now:
> > > > 
> > > > https://github.com/mrash/fwknop/issues/47
> > > > 
> > > > > But, being a fwknop newbie, I would appreciate it if I could get it 
> > > > > blessed... ;-)!
> > > > > 
> > > > > I also had a couple of questions:
> > > > >   1. How does --nat-rand-port work with --nat-local?
> > > > 
> > > > It looks like I may need to fix this functionality - fwknopd should take
> > > > the randomly assigned port value that is encrypted within the SPA packet
> > > > and NAT incoming connections to this port into the local service.  So,
> > > > if the client sets port "39921" to be locally NAT'd to port 22, then
> > > > fwknopd should build rules accordingly.  The test suite doesn't
> > > > currently test this, and I'll get this fixed.
> > > > 
> > > > >   2. What options should I use to ./configure for the default 
> > > > > access/config file locations?
> > > > 
> > > > For the ./configure args, I usually use:
> > > > 
> > > > $ ./configure --prefix=/usr --sysconfdir=/etc
> > > > 
> > > > Then the access.conf and fwknopd.conf files go in /etc/fwknop/ which is
> > > > probably the best default location.
> > > > 
> > > > --Mike
> > > > 
> > > > 
> > > > > Thanks,
> > > > > -karthik
> > > > > 
> > > > > 
> > > > > --- fwknop-2.0.4/server/fw_util_iptables.c    2012-12-09 
> > > > > 15:55:59.000000000 -0500
> > > > > +++ fwknop-2.0.4-patched/server/fw_util_iptables.c    2013-03-12 
> > > > > 08:14:38.618453300 -0400
> > > > > @@ -882,19 +882,34 @@
> > > > >                 add_jump_rule(opts, IPT_DNAT_ACCESS);
> > > > > 
> > > > >             zero_cmd_buffers();
> > > > > -
> > > > > -            snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " 
> > > > > IPT_ADD_DNAT_RULE_ARGS,
> > > > > -                opts->fw_config->fw_command,
> > > > > -                dnat_chain->table,
> > > > > -                dnat_chain->to_chain,
> > > > > -                fst_proto,
> > > > > -                spadat->use_src_ip,
> > > > > -                fst_port,
> > > > > -                exp_ts,
> > > > > -                dnat_chain->target,
> > > > > -                nat_ip,
> > > > > -                nat_port
> > > > > -            );
> > > > > +            if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG)
> > > > > +            {
> > > > > +                snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " 
> > > > > IPT_ADD_REDIRECT_RULE_ARGS,
> > > > > +                    opts->fw_config->fw_command,
> > > > > +                    dnat_chain->table,
> > > > > +                    dnat_chain->to_chain,
> > > > > +                    fst_proto,
> > > > > +                    spadat->use_src_ip,
> > > > > +                    fst_port,
> > > > > +                    exp_ts,
> > > > > +                    nat_port
> > > > > +                );
> > > > > +             }
> > > > > +            else
> > > > > +            {
> > > > > +                snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " 
> > > > > IPT_ADD_DNAT_RULE_ARGS,
> > > > > +                    opts->fw_config->fw_command,
> > > > > +                    dnat_chain->table,
> > > > > +                    dnat_chain->to_chain,
> > > > > +                    fst_proto,
> > > > > +                    spadat->use_src_ip,
> > > > > +                    fst_port,
> > > > > +                    exp_ts,
> > > > > +                    dnat_chain->target,
> > > > > +                    nat_ip,
> > > > > +                    nat_port
> > > > > +                );
> > > > > +            }
> > > > > 
> > > > >             res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
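Review bot: the `if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG)` branch drops `dnat_chain->target` and `nat_ip` from the argument list, which is the right call for the local case (the public IP carried in the SPA packet may not be bound on the fwknopd host), but a one-line comment above the `if` saying why REDIRECT replaces DNAT here would save the next reader from having to find this thread. Also, the closing brace at `+             }` is indented one space deeper than the `else` it pairs with; the DNAT branch is otherwise a pure re-indent of the removed lines, so nothing else changes for the non-local case.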
> > > > > 
> > > > > 
> > > > > 
> > > > > --- fwknop-2.0.4/server/fw_util_iptables.h    2012-12-09 
> > > > > 15:55:59.000000000 -0500
> > > > > +++ fwknop-2.0.4-patched/server/fw_util_iptables.h    2013-03-12 
> > > > > 08:10:36.242318088 -0400
> > > > > @@ -39,6 +39,7 @@
> > > > > #define IPT_ADD_OUT_RULE_ARGS   "-t %s -A %s -p %i -d %s --sport %i 
> > > > > -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
> > > > > #define IPT_ADD_FWD_RULE_ARGS   "-t %s -A %s -p %i -s %s -d %s 
> > > > > --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 
> > > > > 2>&1"
> > > > > #define IPT_ADD_DNAT_RULE_ARGS  "-t %s -A %s -p %i -s %s --dport %i 
> > > > > -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 
> > > > > --to-destination %s:%i 2>&1"
> > > > > +#define IPT_ADD_REDIRECT_RULE_ARGS  "-t %s -A %s -p %i -s %s --dport 
> > > > > %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j REDIRECT 
> > > > > --to-ports %i 2>&1"
> > > > > #define IPT_ADD_SNAT_RULE_ARGS  "-t %s -A %s -p %i -d %s --dport %i 
> > > > > -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1"
> > > > > #define IPT_TMP_COMMENT_ARGS    "-t %s -I %s %i -s 127.0.0.2 -m 
> > > > > comment --comment " TMP_COMMENT " -j %s 2>&1"
> > > > > #define IPT_DEL_RULE_ARGS       "-t %s -D %s %i 2>&1"
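Review bot: IPT_ADD_REDIRECT_RULE_ARGS hardcodes `-j REDIRECT` in the format string while every other *_RULE_ARGS macro in this file takes the target as `-j %s`; either works, but mixing the two invites a format/argument mismatch from a caller that passes `dnat_chain->target` out of habit, so consider either taking the target as `%s` for consistency or naming the macro so the fixed target is obvious. The seven conversions (`%s %s %i %s %i %u %i`) do line up with the seven values passed after `fw_command` in the fw_util_iptables.c hunk (table, to_chain, fst_proto, use_src_ip, fst_port, exp_ts, nat_port), so the call as submitted is consistent.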
> > > > 
> > > > > _______________________________________________
> > > > > Fwknop-discuss mailing list
> > > > > [email protected]
> > > > > https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
> > > 
> > 
> > > --- fwknop-2.0.4/client/fwknop.c  2012-12-09 15:55:59.000000000 -0500
> > > +++ fwknop-2.0.4-patched/client/fwknop.c  2013-03-15 21:24:44.853864258 
> > > -0400
> > > @@ -172,8 +172,16 @@
> > >          }
> > >          else
> > >          {
> > > -            snprintf(access_buf, MAX_LINE_LEN, "%s%s%s",
> > > -                    options.allow_ip_str, ",", "none/0");
> > > +            if(options.nat_rand_port)
> > > +            {
> > > +                 snprintf(access_buf, MAX_LINE_LEN, "%s%stcp/%d",
> > > +                          options.allow_ip_str, ",", get_rand_port(ctx));
> > > +            }
> > > +            else
> > > +            {
> > > +                snprintf(access_buf, MAX_LINE_LEN, "%s%s%s",
> > > +                         options.allow_ip_str, ",", "none/0");
> > > +            }
> > >          }
> > >      }
> > >      res = fko_set_spa_message(ctx, access_buf);
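Review bot: in the new `if(options.nat_rand_port)` branch the random port goes straight from `get_rand_port(ctx)` into `snprintf` and is never reported to the user, so after the SPA packet is sent nothing tells them which port to connect to; store the value in a variable and print it (the client output shown earlier in this thread does exactly that). Two smaller points: the protocol is fixed as `tcp/%d`, so a UDP service cannot be requested through this path, and the branch lives only in this `else` arm, so `--nat-rand-port` given together with an access string falls through to the old code with no warning.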
> > > @@ -492,9 +500,9 @@
> > >      char nat_access_buf[MAX_LINE_LEN] = "";
> > >      int nat_port = 0;
> > >  
> > > -    if (options->nat_rand_port)
> > > +    /*if (options->nat_rand_port)
> > >          nat_port = get_rand_port(ctx);
> > > -    else if (options->nat_port)
> > > +    else */if (options->nat_port)
> > >          nat_port = options->nat_port;
> > >      else
> > >          nat_port = DEFAULT_NAT_PORT;
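Review bot: rather than fencing the `nat_rand_port` check inside `/* ... */`, delete the two lines outright; the resulting `else */if (options->nat_port)` is hard to read and commented-out code tends to rot in place. The behavioural change also deserves a sentence in the commit message: after this hunk `--nat-rand-port` no longer influences `nat_port` at all (it now comes only from `--nat-port` or `DEFAULT_NAT_PORT`), which is the new convention the patch introduces but is not obvious from the diff alone.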
> > 
> > 