Here's the situation: I have two machines, A (firewall, fwknopd) and B
(internal, same network as firewall). I want to ssh into *both* of
them after knocking.
What I've found is that I can get to A when ENABLE_IPT_LOCAL_NAT is Y
and B when it's N. I can't get to both with the same configuration.
I'd like to get to both.
/etc/fwknop/access.conf:
SOURCE: ANY;
OPEN_PORTS: tcp/10001;
KEY: ...;
FW_ACCESS_TIMEOUT: 3600;
SOURCE: ANY;
OPEN_PORTS: tcp/10002;
KEY: ...;
FW_ACCESS_TIMEOUT: 3600;
/etc/fwknop/fwknopd.conf:
PCAP_INTF wan;
ENABLE_IPT_FORWARDING Y;
ENABLE_IPT_LOCAL_NAT Y;
On the client side:
[default]
ALLOW_IP source
[A]
SPA_SERVER A
ACCESS tcp/10001
NAT_ACCESS 192.168.0.1,22
[B]
SPA_SERVER A
ACCESS tcp/10002
NAT_ACCESS 192.168.0.5,22
The sshd instances on A and B listen on port 22.
ENABLE_IPT_LOCAL_NAT=Y
$ fwknop --nat-local -n A
$ ssh -p 10001 A
fwknopd[20631]: (stanza #1) SPA Packet from IP: SOURCE received with access source match
fwknopd[20631]: Added local NAT rule to FWKNOP_INPUT for SOURCE -> 0.0.0.0/0 tcp/10001, expires at 1435782645
fwknopd[20631]: Added DNAT rule to FWKNOP_PREROUTING for SOURCE -> 0.0.0.0/0 tcp/10001, expires at 1435782645
and
Chain FWKNOP_FORWARD (1 references)
pkts bytes target prot opt in out source destination
Chain FWKNOP_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
1 60 DNAT tcp -- * * SOURCE 0.0.0.0/0 tcp dpt:10001 /* _exp_1435782645 */ to:192.168.0.1:22
but this doesn't get through to B's port 22:
$ fwknop -n B
$ ssh -p 10002 A
relay fwknopd[20631]: (stanza #1) SPA Packet from IP: SOURCE received with access source match
relay fwknopd[20631]: [SOURCE] (stanza #1) One or more requested protocol/ports was denied per access.conf.
relay fwknopd[20631]: (stanza #2) SPA Packet from IP: SOURCE received with access source match
relay fwknopd[20631]: Added FORWARD rule to FWKNOP_FORWARD for SOURCE -> 192.168.0.5 tcp/10002, expires at 1435782795
Chain FWKNOP_FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * SOURCE 192.168.0.5 tcp dpt:22 /* _exp_1435782795 */
ENABLE_IPT_LOCAL_NAT=N
$ fwknop -n B
$ ssh -p 10002 A
Jul 1 12:37:49 relay fwknopd[21245]: (stanza #1) SPA Packet from IP: SOURCE received with access source match
Jul 1 12:37:49 relay fwknopd[21245]: [SOURCE] (stanza #1) One or more requested protocol/ports was denied per access.conf.
Jul 1 12:37:49 relay fwknopd[21245]: (stanza #2) SPA Packet from IP: SOURCE received with access source match
Jul 1 12:37:49 relay fwknopd[21245]: Added FORWARD rule to FWKNOP_FORWARD for SOURCE -> 192.168.0.5 tcp/10002, expires at 1435783069
Jul 1 12:37:49 relay fwknopd[21245]: Added DNAT rule to FWKNOP_PREROUTING for SOURCE -> 0.0.0.0/0 tcp/10002, expires at 1435783069
Chain FWKNOP_FORWARD (1 references)
pkts bytes target prot opt in out source destination
24 4525 ACCEPT tcp -- * * SOURCE 192.168.0.5 tcp dpt:22 /* _exp_1435783069 */
Chain FWKNOP_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
1 60 DNAT tcp -- * * SOURCE 0.0.0.0/0 tcp dpt:10002 /* _exp_1435783069 */ to:192.168.0.5:22
but this doesn't work:
$ fwknop -n A
$ ssh -p 10001 A
Jul 1 12:41:50 relay fwknopd[21683]: (stanza #1) SPA Packet from IP: SOURCE received with access source match
$ fwknop --nat-local -n A
$ ssh -p 10001 A
Jul 1 12:42:30 relay fwknopd[21683]: (stanza #1) SPA Packet from IP: SOURCE received with access source match
Jul 1 12:42:30 relay fwknopd[21683]: Added local NAT rule to FWKNOP_INPUT for SOURCE -> 0.0.0.0/0 tcp/10001, expires at 1435783350
but the ssh to 10001 fails.
Ideas?
Thanks.
Kevin
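A small triage script, added here as an example and not part of the thread or the fwknop project, that parses fwknopd "Added ... rule" log lines like the ones above and reports, per SPA port, whether both halves of a NAT_ACCESS rule set were installed. The log text is constructed from the shapes quoted in the post, with SOURCE standing in for the client IP; it reproduces the two failure patterns seen (ENABLE_IPT_LOCAL_NAT=Y leaves tcp/10002 without a DNAT rule, =N leaves tcp/10001 without one).

```python
import re
from collections import defaultdict

# Constructed fwknopd syslog excerpts in the shape quoted in the thread, with
# SOURCE standing in for the knocking client's IP. Only "Added ... rule" lines
# carry state; the match line is kept to show it is ignored by the parser.
LOG_LOCAL_NAT_Y = """\
fwknopd[20631]: (stanza #1) SPA Packet from IP: SOURCE received with access source match
fwknopd[20631]: Added local NAT rule to FWKNOP_INPUT for SOURCE -> 0.0.0.0/0 tcp/10001, expires at 1435782645
fwknopd[20631]: Added DNAT rule to FWKNOP_PREROUTING for SOURCE -> 0.0.0.0/0 tcp/10001, expires at 1435782645
fwknopd[20631]: Added FORWARD rule to FWKNOP_FORWARD for SOURCE -> 192.168.0.5 tcp/10002, expires at 1435782795
"""
LOG_LOCAL_NAT_N = """\
fwknopd[21245]: Added FORWARD rule to FWKNOP_FORWARD for SOURCE -> 192.168.0.5 tcp/10002, expires at 1435783069
fwknopd[21245]: Added DNAT rule to FWKNOP_PREROUTING for SOURCE -> 0.0.0.0/0 tcp/10002, expires at 1435783069
fwknopd[21683]: Added local NAT rule to FWKNOP_INPUT for SOURCE -> 0.0.0.0/0 tcp/10001, expires at 1435783350
"""

RULE_RE = re.compile(
    r"Added (?P<kind>local NAT|DNAT|FORWARD) rule to (?P<chain>FWKNOP_\w+) for "
    r"(?P<src>\S+) -> (?P<dst>\S+) (?P<proto>\w+)/(?P<port>\d+), expires at (?P<exp>\d+)"
)

def parse_rules(log_text):
    """Group every 'Added ... rule' line by the SPA-requested port."""
    rules = defaultdict(list)
    for line in log_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules[int(m.group("port"))].append(m.groupdict())
    return rules

def check_port(rules, port):
    """A NAT_ACCESS request only works when fwknopd installed both a DNAT rule
    (FWKNOP_PREROUTING) and a rule passing the translated packet: 'local NAT'
    in FWKNOP_INPUT for the firewall itself, FORWARD for an internal host."""
    kinds = {r["kind"] for r in rules.get(port, [])}
    has_dnat = "DNAT" in kinds
    has_pass = bool(kinds & {"local NAT", "FORWARD"})
    if has_dnat and has_pass:
        return "complete"
    return "dnat-only" if has_dnat else "no-dnat" if has_pass else "none"

def summarize(log_text):
    # Map each requested port to its rule status for quick triage.
    rules = parse_rules(log_text)
    return {port: check_port(rules, port) for port in sorted(rules)}
```

Feed it the relevant slice of syslog after a knock; a port reported as "no-dnat" is one where the packet to the firewall's SPA port is never redirected, which matches the hangs described above.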
_______________________________________________
Fwknop-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss