On Thu, Jul 2, 2015 at 7:58 PM, Kevin Layer <[email protected]> wrote:

>   After the A knock:
>
>   fwknopd[23853]: (stanza #1) SPA Packet from IP: SOURCE received with access source match
>   fwknopd[23853]: Added local NAT rule to FWKNOP_INPUT for SOURCE -> 0.0.0.0/0 tcp/10001, expires at 1435882057
>   fwknopd[23853]: Added DNAT rule to FWKNOP_PREROUTING for SOURCE -> 0.0.0.0/0 tcp/10001, expires at 1435882057
>
>   After the B knock:
>
>   fwknopd[23853]: (stanza #1) SPA Packet from IP: SOURCE received with access source match
>   fwknopd[23853]: [SOURCE] (stanza #1) One or more requested protocol/ports was denied per access.conf.
>   fwknopd[23853]: (stanza #2) SPA Packet from IP: SOURCE received with access source match
>   fwknopd[23853]: Added FORWARD rule to FWKNOP_FORWARD for SOURCE -> 192.168.0.5 tcp/10002, expires at 1435882080
>
> I meant to ask: should there be a DNAT rule after knocking on B?
>

Yes, indeed there should be a DNAT rule in the FWKNOP_PREROUTING chain.


> Btw, I added "Port 10002" to B's sshd_config and it didn't help.
>

This should not be necessary. The 192.168.0.5 system should only see an
incoming connection from port 22, which has been DNAT'd from port 10002 on
the external interface of the firewall. This is made possible with the
power of NAT. I'm assuming that 192.168.0.5 is a separate system behind the
firewall. Also, I'm assuming that the external IP of the firewall (system A
in your example) is on a different network than your 192.168.0.0/24 (or
whatever mask you use). This is an important point. If not, you can still
get things working, but you will also need to add SNAT rules into the mix.

I believe that I have this scenario working with the configs mentioned
below. Note that the 10.211.55.0/24 network is "external" to the
192.168.0.0/24 network in my example. Here is what the fwknopd log messages
look like upon sending an SPA packet with 'fwknop -n B':

# fwknopd -i eth0 -f
(stanza #1) SPA Packet from IP: 10.211.55.2 received with access source match
[10.211.55.2] (stanza #1) Error creating fko context: Decryption failed or decrypted data is invalid
(stanza #2) SPA Packet from IP: 10.211.55.2 received with access source match
Added FORWARD rule to FWKNOP_FORWARD for 10.211.55.2 -> 192.168.0.5 tcp/10002, expires at 1435890757
Added DNAT rule to FWKNOP_PREROUTING for 10.211.55.2 -> 0.0.0.0/0 tcp/10002, expires at 1435890757

... and to see what the rules are themselves:

# fwknopd --fw-list
Listing rules in fwknopd iptables chains...

Chain FWKNOP_INPUT (1 references)
num  target     prot opt source               destination

Chain FWKNOP_FORWARD (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  10.211.55.2          192.168.0.5          tcp dpt:22 /* _exp_1435890757 */

Chain FWKNOP_PREROUTING (1 references)
num  target     prot opt source               destination
1    DNAT       tcp  --  10.211.55.2          0.0.0.0/0            tcp dpt:10002 /* _exp_1435890757 */ to:192.168.0.5:22


Here are the configs that make this work. Note that 10.211.55.3 below is
the IP assigned to the external interface eth0 on the firewall - this makes
the --nat-local request work for the first stanza. In your example, you
would replace each instance of this IP with whatever IP is on the external
interface of your firewall, and this applies to both the client and the
server:

# cat /etc/fwknop/access.conf
SOURCE                      ANY
OPEN_PORTS                  tcp/10001
KEY                         somekey
FW_ACCESS_TIMEOUT           60
FORCE_NAT                   10.211.55.3 22

SOURCE                      ANY
OPEN_PORTS                  tcp/10002
KEY                         fwknoptest
FW_ACCESS_TIMEOUT           60
FORCE_NAT                   192.168.0.5 22

# cat /etc/fwknop/fwknopd.conf
ENABLE_IPT_FORWARDING    Y;

$ cat ~/.fwknoprc
[default]
ALLOW_IP            source

[A]
SPA_SERVER          10.211.55.3
KEY                 somekey
ACCESS              tcp/10001
NAT_ACCESS          192.168.0.1,22

[B]
SPA_SERVER          10.211.55.3
# Must match the KEY of the second access.conf stanza (tcp/10002); with the
# stanza-1 key the server would decrypt under stanza 1 and deny tcp/10002.
KEY                 fwknoptest
ACCESS              tcp/10002

On the client command line, you would use:

$ fwknop --nat-local -n A

... and:

$ fwknop -n B

One minor point about the above as well - the fwknop-2.0.4 client isn't
able to read the KEY variable from the ~/.fwknoprc file, but newer clients
can.

Thanks,

--Mike
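An added example, not part of this thread or of the fwknop project, for the question that started it (a FORWARD rule with no matching DNAT rule): a small Python checker that parses `fwknopd --fw-list` output and pairs FWKNOP_FORWARD and FWKNOP_PREROUTING rules by source address and `_exp_` tag. The listing it runs on is constructed from the output above plus one deliberately orphaned FORWARD rule (10.211.55.9, a made-up address).

```python
import re

# Constructed sample: the `fwknopd --fw-list` output from the message above,
# plus a second FORWARD rule (10.211.55.9, tag _exp_1435890800) that has no
# DNAT counterpart, which is the failure mode asked about in the thread.
SAMPLE_FW_LIST = """\
Listing rules in fwknopd iptables chains...

Chain FWKNOP_INPUT (1 references)
num  target     prot opt source               destination

Chain FWKNOP_FORWARD (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  10.211.55.2          192.168.0.5          tcp dpt:22 /* _exp_1435890757 */
2    ACCEPT     tcp  --  10.211.55.9          192.168.0.7          tcp dpt:22 /* _exp_1435890800 */

Chain FWKNOP_PREROUTING (1 references)
num  target     prot opt source               destination
1    DNAT       tcp  --  10.211.55.2          0.0.0.0/0            tcp dpt:10002 /* _exp_1435890757 */ to:192.168.0.5:22
"""

# One iptables -L -n style rule line: number, target, proto, opt, src, dst, dpt, expiry tag, optional DNAT target.
RULE_RE = re.compile(
    r"^\s*\d+\s+(?P<target>\S+)\s+(?P<proto>\S+)\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r".*?dpt:(?P<dport>\d+).*?/\*\s*_exp_(?P<exp>\d+)\s*\*/(?:.*?to:(?P<nat>\S+))?"
)

def parse_fw_list(text):
    """Return {chain_name: [rule dicts]} from `fwknopd --fw-list` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        r = RULE_RE.match(line)
        if r and current:
            d = r.groupdict()
            d["dport"], d["exp"] = int(d["dport"]), int(d["exp"])
            chains[current].append(d)
    return chains

def unmatched_forward_rules(chains):
    """FORWARD ACCEPT rules with no DNAT rule sharing (source, _exp_ tag) in FWKNOP_PREROUTING.
    fwknopd adds both from one SPA packet, so an orphan means the inbound connection
    is allowed through but never rewritten to the internal host."""
    dnat = {(r["src"], r["exp"]) for r in chains.get("FWKNOP_PREROUTING", []) if r["target"] == "DNAT"}
    return [r for r in chains.get("FWKNOP_FORWARD", []) if (r["src"], r["exp"]) not in dnat]
```

Feed it the real listing with `parse_fw_list(subprocess.check_output(["fwknopd", "--fw-list"], text=True))` and an empty result from `unmatched_forward_rules` confirms every FORWARD rule has its DNAT partner.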
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss