On Mar 22, 2013, Will D. Spann wrote: > I've been trying out the --NAT-local functionality with v2.0.3 (on Linux > Mint) & v2.0.0-rc1 (on OpenWRT), and I've observed that ENABLE_IPT_FORWARDING > must be enabled in fwknopd.conf, otherwise the FWKNOP_PREROUTING chain is not > created in the 'nat' table (under iptables). This seems to effectively > prevent --NAT-local usage from working at all, as the necessary DNAT rule is > not generated. > > From my reading of the fwknopd documentation, it seems that having > ENABLE_IPT_LOCAL_NAT enabled should be sufficient to enable --NAT-local > functionality. (I understand that ENABLE_IPT_FORWARDING is required forĀ > --NAT-access access to machines behind the firewall running fwknopd.) Am I > misunderstanding the meaning of these options, or could this be a bug? I have > not yet tested this in v2.0.4, but I didn't find any mention of this problem > in the changelog.
Indeed the ENABLE_IPT_FORWARDING config is required for all NAT operations, and here is the relevant code: http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=blob;f=server/incoming_spa.c;h=67929c20a36956fc54391ab0d3b15c25f540e2ae;hb=7bd0da29c42768ca5a8f48a8d1813c12dff363d4#l649 The server is written to be restrictive in terms of what clients can request, and in this case even though --NAT-local implies that the local system running fwknopd is being accessed, the NAT table must be interacted with and therefore ENABLE_IPT_FORWARDING must be enabled. It's sort of the general gate to determine whether any NAT capabilities are offered to valid SPA clients. One thing that will be changing in future releases is that more NAT capabilities will be integrated with the access.conf file in order to offer more granular control on a per access stanza basis. Thanks, --Mike > Thanks, > > Will D. Spann > ------------------------------------------------------------------------------ > Everyone hates slow websites. So do we. > Make your web apps faster with AppDynamics > Download AppDynamics Lite for free today: > http://p.sf.net/sfu/appdyn_d2d_mar > _______________________________________________ > Fwknop-discuss mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/fwknop-discuss ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_mar _______________________________________________ Fwknop-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
