On Wed, Jul 1, 2015 at 3:44 PM, Kevin Layer <[email protected]> wrote:

> Here's the situation: I have two machines, A (firewall, fwknopd) and B
> (internal, same network as firewall).   I want to ssh into *both* of
> them after knocking.
>
> What I've found is that I can get to A when ENABLE_IPT_LOCAL_NAT is Y
> and B when it's N.  I can't get to both with the same configuration.
> I'd like to get to both.
>

Hi Kevin,

Understood. The same encryption key is used in both stanzas, and you use
the OPEN_PORTS variable as a way to tell which one the SPA packet applies
to. Try the following: comment out the ENABLE_IPT_LOCAL_NAT variable in
fwknopd.conf (fwknopd has largely switched to using the FORCE_*NAT vars in
access.conf), and then set your access.conf file like this:

SOURCE               ANY
OPEN_PORTS           tcp/10001
KEY                  ...
FORCE_NAT            192.168.0.1 22
FW_ACCESS_TIMEOUT    3600

SOURCE               ANY
OPEN_PORTS           tcp/10002
KEY                  ...
FORCE_NAT            192.168.0.5 22
FW_ACCESS_TIMEOUT    3600

Then, on the client side, you can remove the NAT_ACCESS variables
altogether. You should have access then with:

$ fwknop --nat-local -n A

... and

$ fwknop -n B

Let me know if there are any issues with this.

Thanks,

--Mike



> /etc/fwknop/access.conf:
>
>   SOURCE:               ANY;
>   OPEN_PORTS:           tcp/10001;
>   KEY:                  ...;
>   FW_ACCESS_TIMEOUT:    3600;
>
>   SOURCE:               ANY;
>   OPEN_PORTS:           tcp/10002;
>   KEY:                  ...;
>   FW_ACCESS_TIMEOUT:    3600;
>
> /etc/fwknop/fwknopd.conf:
>
>   PCAP_INTF                   wan;
>   ENABLE_IPT_FORWARDING       Y;
>   ENABLE_IPT_LOCAL_NAT        Y;
>
> On the client side:
>
>   [default]
>   ALLOW_IP            source
>
>   [A]
>   SPA_SERVER          A
>   ACCESS              tcp/10001
>   NAT_ACCESS          192.168.0.1,22
>
>   [B]
>   SPA_SERVER          A
>   ACCESS              tcp/10002
>   NAT_ACCESS          192.168.0.5,22
>
> The sshd's on A and B listen on port 22.
>
> ENABLE_IPT_LOCAL_NAT=Y
>
>   $ fwknop --nat-local -n A
>   $ ssh -p 10001 A
>
> fwknopd[20631]: (stanza #1) SPA Packet from IP: SOURCE received with
> access source match
> fwknopd[20631]: Added local NAT rule to FWKNOP_INPUT for SOURCE ->
> 0.0.0.0/0 tcp/10001, expires at 1435782645
> fwknopd[20631]: Added DNAT rule to FWKNOP_PREROUTING for SOURCE ->
> 0.0.0.0/0 tcp/10001, expires at 1435782645
>
> and
>
> Chain FWKNOP_FORWARD (1 references)
>  pkts bytes target     prot opt in     out     source
>  destination
> Chain FWKNOP_PREROUTING (1 references)
>  pkts bytes target     prot opt in     out     source
>  destination
>     1    60 DNAT       tcp  --  *      *       SOURCE
> 0.0.0.0/0           tcp dpt:10001 /* _exp_1435782645 */ to:192.168.0.1:22
>
> but this doesn't get through to B's port 22:
>
>   $ fwknop -n B
>   $ ssh -p 10002 A
>
> relay fwknopd[20631]: (stanza #1) SPA Packet from IP: SOURCE received with
> access source match
> relay fwknopd[20631]: [SOURCE] (stanza #1) One or more requested
> protocol/ports was denied per access.conf.
> relay fwknopd[20631]: (stanza #2) SPA Packet from IP: SOURCE received with
> access source match
> relay fwknopd[20631]: Added FORWARD rule to FWKNOP_FORWARD for SOURCE ->
> 192.168.0.5 tcp/10002, expires at 1435782795
>
> Chain FWKNOP_FORWARD (1 references)
>  pkts bytes target     prot opt in     out     source
>  destination
>     0     0 ACCEPT     tcp  --  *      *       SOURCE
>  192.168.0.5         tcp dpt:22 /* _exp_1435782795 */
>
>
> ENABLE_IPT_LOCAL_NAT=N
>
>   $ fwknop -n B
>   $ ssh -p 10002 A
>
> Jul  1 12:37:49 relay fwknopd[21245]: (stanza #1) SPA Packet from IP:
> SOURCE received with access source match
> Jul  1 12:37:49 relay fwknopd[21245]: [SOURCE] (stanza #1) One or more
> requested protocol/ports was denied per access.conf.
> Jul  1 12:37:49 relay fwknopd[21245]: (stanza #2) SPA Packet from IP:
> SOURCE received with access source match
> Jul  1 12:37:49 relay fwknopd[21245]: Added FORWARD rule to FWKNOP_FORWARD
> for SOURCE -> 192.168.0.5 tcp/10002, expires at 1435783069
> Jul  1 12:37:49 relay fwknopd[21245]: Added DNAT rule to FWKNOP_PREROUTING
> for SOURCE -> 0.0.0.0/0 tcp/10002, expires at 1435783069
>
> Chain FWKNOP_FORWARD (1 references)
>  pkts bytes target     prot opt in     out     source         destination
>    24  4525 ACCEPT     tcp  --  *      *       SOURCE         192.168.0.5
>        tcp dpt:22 /* _exp_1435783069 */
> Chain FWKNOP_PREROUTING (1 references)
>  pkts bytes target     prot opt in     out     source         destination
>     1    60 DNAT       tcp  --  *      *       SOURCE         0.0.0.0/0
>          tcp dpt:10002 /* _exp_1435783069 */ to:192.168.0.5:22
>
> but this doesn't work:
>
>   $ fwknop -n A
>   $ ssh -p 10001 A
>
> Jul  1 12:41:50 relay fwknopd[21683]: (stanza #1) SPA Packet from IP:
> SOURCE received with access source match
>
>   $ fwknop --nat-local -n A
>   $ ssh -p 10001 A
>
> Jul  1 12:42:30 relay fwknopd[21683]: (stanza #1) SPA Packet from IP:
> SOURCE received with access source match
> Jul  1 12:42:30 relay fwknopd[21683]: Added local NAT rule to FWKNOP_INPUT
> for SOURCE -> 0.0.0.0/0 tcp/10001, expires at 1435783350
>
> but the ssh to 10001 fails.
>
> Ideas?
>
> Thanks.
>
> Kevin
>



-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
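An added example, not code from the thread or from fwknop itself: a small linter for access.conf that checks the two points Mike's suggestion relies on, namely that stanzas sharing one key have disjoint OPEN_PORTS and that FORCE_NAT is written as 'IP PORT'. It assumes a stanza begins at each SOURCE line and that fwknopd tries stanzas in file order (which is what the "stanza #1 ... denied" followed by "stanza #2 ... match" log lines above show); SAMPLE_OK and its key value are constructed.

```python
import re
from collections import defaultdict

# Constructed sample (modelled on the thread): shared key, distinct OPEN_PORTS, own FORCE_NAT each.
SAMPLE_OK = """
SOURCE        ANY
OPEN_PORTS    tcp/10001
KEY           constructed_example_key
FORCE_NAT     192.168.0.1 22
SOURCE        ANY
OPEN_PORTS    tcp/10002
KEY           constructed_example_key
FORCE_NAT     192.168.0.5 22
"""

LINE_RE = re.compile(r"^([A-Z_0-9]+)\s*:?\s*(.*?)\s*;?$")  # 'NAME value' or older 'NAME: value;'
NAT_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3} \d{1,5}")        # FORCE_NAT takes 'IP PORT'

def parse_stanzas(text):
    """Split access.conf text into stanzas; a new stanza starts at each SOURCE line."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and padding
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        name, value = m.groups()
        if name == "SOURCE":
            stanzas.append({})
        elif not stanzas:
            raise ValueError("%s appears before the first SOURCE" % name)
        stanzas[-1][name] = value
    return stanzas

def lint(text):
    findings, by_key = [], defaultdict(list)         # key -> [(stanza no, ports)]
    for i, st in enumerate(parse_stanzas(text), start=1):
        key = st.get("KEY") or st.get("KEY_BASE64")
        ports = {p for p in st.get("OPEN_PORTS", "").split(",") if p}
        nat = st.get("FORCE_NAT")
        if nat and not NAT_RE.fullmatch(nat):
            findings.append(f"stanza #{i}: FORCE_NAT should be 'IP PORT', got {nat!r}")
        # Stanzas are tried in order: with a shared key, the first stanza listing a port wins.
        for j, earlier in by_key[key]:
            clash = sorted(ports & earlier)
            if clash:
                findings.append(f"stanza #{i} is shadowed by stanza #{j} for {','.join(clash)} (same key)")
        by_key[key].append((i, ports))
    return findings
```

Run `lint()` over a real access.conf before reloading fwknopd; an empty list means no overlapping ports among same-key stanzas and well-formed FORCE_NAT values.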
------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
