>> I believe that I have this scenario working with the configs >> mentioned below. Note that the 10.211.55.0/24 network is "external" >> to the 192.168.0.0/24 network in my example. Here is what the fwknopd >> log messages look like upon sending an SPA packet with 'fwknop -n B': >> >> # fwknopd -i eth0 -f >> (stanza #1) SPA Packet from IP: 10.211.55.2 received with access >> source match >> [10.211.55.2] (stanza #1) Error creating fko context: Decryption >> failed or decrypted data is invalid >> (stanza #2) SPA Packet from IP: 10.211.55.2 received with access >> source match >> Added FORWARD rule to FWKNOP_FORWARD for 10.211.55.2 -> 192.168.0.5 >> tcp/10002, expires at 1435890757 >> Added DNAT rule to FWKNOP_PREROUTING for 10.211.55.2 -> 0.0.0.0/0 tcp >> /10002, expires at 1435890757 >> >> ... and to see what the rules are themselves: >> >> # fwknopd --fw-list >> Listing rules in fwknopd iptables chains... >> >> Chain FWKNOP_INPUT (1 references) >> num target prot opt source destination >> >> Chain FWKNOP_FORWARD (1 references) >> num target prot opt source destination >> 1 ACCEPT tcp -- 10.211.55.2 192.168.0.5 >> tcp dpt:22 /* _exp_1435890757 */ >> >> Chain FWKNOP_PREROUTING (1 references) >> num target prot opt source destination >> 1 DNAT tcp -- 10.211.55.2 0.0.0.0/0 >> tcp dpt:10002 /* _exp_1435890757 */ to:192.168.0.5:22 >> >> >> Here are the configs that make this work. Note that 10.211.55.3 below >> is the IP assigned to the external interface eth0 on the firewall - >> this makes the --nat-local request work for the first stanza. In your >> example, you would replace each instance of this IP with whatever IP >> is on the external interface of your firewall, and this applies to >> both the client and the server: >> >> # cat /etc/fwknop/access.conf >> SOURCE ANY >> OPEN_PORTS tcp/10001 >> KEY somekey >> FW_ACCESS_TIMEOUT 60 >> FORCE_NAT 10.211.55.3 22 >> >> SOURCE ANY >> OPEN_PORTS tcp/10002 >> KEY fwknoptest >> FW_ACCESS_TIMEOUT 60 >> FORCE_NAT 192.168.0.5 22 >> >> # cat /etc/fwknop/fwknopd.conf >> ENABLE_IPT_FORWARDING Y; >> >> $ cat ~/.fwknoprc >> [default] >> ALLOW_IP source >> >> [A] >> SPA_SERVER 10.211.55.3 >> KEY somekey >> ACCESS tcp/10001 >> NAT_ACCESS 192.168.0.1,22 >> >> [B] >> SPA_SERVER 10.211.55.3 >> KEY somekey >> ACCESS tcp/10002 >> >> On the client command line, you would use: >> >> $ fwknop --nat-local -n A >> >> ... and: >> >> $ fwknop -n B >> >> One minor point about the above as well - the fwknop-2.0.4 client >> isn't able to read the KEY variable from the ~/.fwknoprc file, but >> newer clients can.
Thanks, Mike. My testing shows that I can't access both A and B at the same time. After the rules for one are removed, then I can knock and access the other. Here I knock consecutively: A then B: fwknopd[22388]: (stanza #1) SPA Packet from IP: SOURCE received with access source match fwknopd[22388]: Added local NAT rule to FWKNOP_INPUT for SOURCE -> 0.0.0.0/0 tcp/10001, expires at 1435942311 fwknopd[22388]: Added DNAT rule to FWKNOP_PREROUTING for SOURCE -> 0.0.0.0/0 tcp/10001, expires at 1435942311 fwknopd[22388]: (stanza #1) SPA Packet from IP: SOURCE received with access source match fwknopd[22388]: [SOURCE] (stanza #1) One or more requested protocol/ports was denied per access.conf. fwknopd[22388]: (stanza #2) SPA Packet from IP: SOURCE received with access source match fwknopd[22388]: Added FORWARD rule to FWKNOP_FORWARD for SOURCE -> 192.168.0.5 tcp/10002, expires at 1435942315 B then A: fwknopd[23448]: (stanza #1) SPA Packet from IP: SOURCE received with access source match fwknopd[23448]: [SOURCE] (stanza #1) One or more requested protocol/ports was denied per access.conf. fwknopd[23448]: (stanza #2) SPA Packet from IP: SOURCE received with access source match fwknopd[23448]: Added FORWARD rule to FWKNOP_FORWARD for SOURCE -> 192.168.0.5 tcp/10002, expires at 1435942367 fwknopd[23448]: Added DNAT rule to FWKNOP_PREROUTING for SOURCE -> 0.0.0.0/0 tcp/10002, expires at 1435942367 fwknopd[23448]: (stanza #1) SPA Packet from IP: SOURCE received with access source match fwknopd[23448]: Added local NAT rule to FWKNOP_INPUT for SOURCE -> 0.0.0.0/0 tcp/10001, expires at 1435942369 Whatever one I knock on first, I can ssh into that host. Maybe in your testing, because the timeout is so low (60), the first rule is removed before you test the second host? Btw, my access.conf, fwknopd.conf and .fwknoprc look like yours, with my values substituted. Kevin ------------------------------------------------------------------------------ Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/ _______________________________________________ Fwknop-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
