On Oct 22, 2011, Frank Ness wrote:
>
> Hi Mike,
>
> Thanks man, that information helped me solve the problem. I'll explain what the problem is below for the benefit of others.
>
> I use the recommended build of dd-wrt (14929). That build ships with a pretty ancient version of iptables (1.3.7). If you run
>
> # iptables -I INPUT -p tcp --dport 12345 -m comment --comment "testing" -j ACCEPT
>
> the command finishes without any error messages. The syslog is also clean. However, if you check using iptables -L there is no corresponding rule. BTW the exit code of the command is 0, so I don't think your program is to blame for not detecting the error.
>
> To solve the problem I upgraded using optware to iptables version 1.4.9. At this point it is important to reboot the router. Only after the router comes back up is iptables 1.4.9 running. If you then try to run
>
> # iptables -I INPUT -p tcp --dport 12345 -m comment --comment "testing" -j ACCEPT
>
> the rule is added correctly to iptables.
>
> Now for the weird part. To get fwknop to run you have to change the FIREWALL_EXE line in fwknopd.conf from /usr/sbin/iptables to iptables and NOT to /opt/usr/sbin/iptables (the location for the new iptables program). I figured that out by running:
>
> iptables -V
> result: iptables v1.4.9
> /usr/sbin/iptables -V
> result: iptables v1.3.7
> /opt/usr/sbin/iptables -V
> result: iptables v1.3.7
>
> Also running whereis iptables yields iptables: /usr/sbin/iptables
Glad to hear that upgrading iptables fixed the problem. The comment match is important for fwknop as it is used to track the expiration time for new rules. I may add some additional checking to fwknopd to see whether the comment match seems to be working properly.

> So for some reason the system has a little trouble finding iptables; however, if the FIREWALL_EXE line in fwknopd.conf is set to iptables there are no more problems and I am able to reach sshd from my phone! Running fwknopd --fw-list shows the rules perfectly.
>
> You asked about compiling fwknopd for dd-wrt. It was my first compilation of a program and all in all I'd say that it went pretty smoothly. The process for compiling a package for optware / dd-wrt is documented on http://www.nslu2-linux.org/wiki/Optware/AddAPackageToOptware
>
> It is important to note that you can't compile on a recent version of Ubuntu but that you need 8.04 or some other older version. I solved that by running the whole process in a virtualbox. When you compile the toolchain you have to resort to some tricks to get the right files the beast needs, but that is all solvable. The biggest problem was a lot of malloc and realloc errors during compilation. With some googling I worked out that by putting
>
> export jm_cv_func_working_malloc=yes
> export ac_cv_func_malloc_0_nonnull=yes
> export ac_cv_func_rpl_realloc_0_nonnull=yes
> export ac_cv_func_realloc_0_nonnull=yes
>
> in the make file the problem could be solved. But I think it is an ugly fix and I'm pretty sure some of these lines are redundant or wrong.
>
> The options I used to compile fwknopd are
>
> --build=$(GNU_HOST_NAME) \
> --host=$(GNU_TARGET_NAME) \
> --target=$(GNU_TARGET_NAME) \
>
> For these three the variable is supplied by the dd-wrt/optware part of the make file set. I don't know what it is set to, but since I now have a working version of fwknopd I don't really care. I supplied the following options myself:
>
> --disable-client \
>
> I only wanted to try the server.
> Maybe I'll compile the client too, but for now I don't see the need. (At least not on a router.)
>
> --disable-static \
>
> When I didn't use this option the compilation process finished without errors, but when I checked the ipk file the program complained about something to do with a static library. Don't really know what the problem was. Using this option got rid of it.
>
> --with-iptables=/usr/sbin/iptables \
>
> I'm going to recompile the program and I'll change this option to --with-iptables=iptables; that way fwknop should work more out of the box.
>
> --prefix=/opt \
>
> Optware is installed in /opt.
>
> --program-prefix="" \
>
> If you don't use this option the fwknopd program gets the prefix mipsel-linux. I don't want that.
>
> --disable-pie \
>
> This is the most important option. If you don't use this option the program will compile without errors, but it will seg fault upon running on the router. I found some references on other programs seg faulting on dd-wrt if pie was enabled, so I guess that dd-wrt doesn't support pie.
>
> When I'm done testing I'll see if I can't upload the make file to optware / dd-wrt, unless of course you don't want me to. However, I'm a bit hesitant as this is the first time I compiled a program and I don't want to put a lot of people at risk with a faulty compilation. Also I have to figure out how to upload the make file.
>
> Do send me an e-mail when you have the test suite more up and running. It would be interesting to test it.
>
> Thanks for the help and your nice program,
>
> Frank
>
> > Date: Sat, 22 Oct 2011 13:45:31 -0400

Please go ahead and upload the Makefile to optware / dd-wrt whenever you feel comfortable with it.
You may get some valuable feedback that could be incorporated within the fwknop sources - like we've done for openwrt (thanks to Jonathan Bennett):

http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=blob;f=extras/openwrt/README.openwrt;h=28fd51d5a9f3cb57db6eea3f07233a3aef591c72;hb=refs/heads/fwknop-2.0.0

Thanks,

--Mike

> > From: m...@cipherdyne.org
> > To: fwknop-discuss@lists.sourceforge.net
> > Subject: Re: [Fwknop-discuss] Cannot create iptables rules using fwknop on dd-wrt
> >
> > On Oct 22, 2011, Frank Ness wrote:
> > >
> > > Hi,
> >
> > Hello Frank,
> >
> > > First of all apologies if this is a double post. I seem to have some trouble posting to the list.
> >
> > Not a double post - this one made it through.
> >
> > > The good news is I think I have succeeded in successfully compiling fwknopd for dd-wrt using optware. The program compiled without errors and runs on my router. The bad news is that it doesn't seem to create the iptables rules needed.
> > >
> > > If I start fwknopd and send a SPA packet from my android phone to my router, fwknopd responds with:
> > >
> > > Using Digest Cache: '/var/run/fwknop/digest.cache' (entry count = 0)
> > > Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
> > > PCAP filter is: udp port 62201
> > > Starting fwknopd main event loop.
> > > SPA Packet from IP: <my phone ip> received.
> > > SPA Packet:
> > > '+0e+uMnhekbCqfB1tHSenxfiiCrtkaxSJJzBNA5FfYiX1pmMC1cO5MhxmorkfGS2+z723Jd2Aj/4Y4oPNn1MmXQ9gc8yAziJGe0Rkiqt9GCwmXGzWzDVFiWPXg9zLDA9Az/xW2SIaEGudbGEn3hXqnb1O0HEJy74TlOvgjP8obBNlSMyucX4aw'
> > > Added Rule to FWKNOP_INPUT for <my phone ip>, tcp/8822 expires at 1319299103
> >
> > The above looks normal. However, can you confirm that the iptables 'comment' match is compiled into the dd-wrt kernel? The "Added Rule..." message above should indicate that it's there because fwknopd checks the exit status of the iptables command it uses to add the rule, but I think it would be good to check manually just to be sure. Does this command generate any errors?:
> >
> > # iptables -I INPUT -p tcp --dport 12345 -m comment --comment "testing" -j ACCEPT
> >
> > > However I cannot reach ssh on my router. If I run (from a different ssh session) iptables -L I can see some entries relating to fwknopd. I get
> > >
> > > # iptables -L
> > > Chain INPUT (policy ACCEPT)
> > > target prot opt source destination
> > > FWKNOP_INPUT 0 -- anywhere anywhere
> > >
> > > Immediately after that I get some iptables rules I put in myself. Then after quite a lot more lines I get
> > >
> > > Chain FWKNOP_INPUT (1 references)
> > > target prot opt source destination
> > > Chain advgrp_1 (0 references)
> > >
> > > And the output continues but with no references to either my phone ip address or port 8822.
> >
> > You can list just the fwknopd rules with:
> >
> > # fwknopd --fw-list
> >
> > This may help interpret things if the iptables rule set is really large. If you try generating the SPA packet once again and immediately after can you execute the --fw-list command above? This will help to confirm whether fwknopd is actually able to add any corresponding access rule for the SPA packet. If the rule exists, then we'll need to investigate how fwknopd is adding the jump rule w.r.t. the rest of the policy.
> >
> > > Then after a while fwknop tells me:
> > >
> > > Did not find expire comment in rules list 0.
> >
> > This makes me think that the 'comment' match may not exist..
> >
> > > I'm stuck. As far as I can tell fwknopd runs without errors and can access iptables because I can see entries relating to fwknop in my iptables. These entries disappear (as they should) when I close fwknopd and reappear when I start fwknopd again.
> > > However, no iptables rules are created.
> > >
> > > Does anyone have a suggestion to solve this problem? Am I configuring fwknopd.conf or access.conf wrong? The output of fwknopd -D is attached below.
> >
> > That configuration looks good to me.
> >
> > Btw, I'm currently developing a test suite for fwknop:
> >
> > http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=shortlog;h=refs/heads/test_suite
> >
> > Once this is complete (another week or so) it may be interesting to try it out on your dd-wrt system. I'll send you an email once it is closer to being ready.
> >
> > On dd-wrt did you need to do anything special to get fwknop to compile? It's cool to see that it compiles properly on another platform.
> >
> > Thanks,
> >
> > --Mike
> >
> > > Thanks,
> > >
> > > Frank
> > >
> > > output of fwknopd -D
> > > # fwknopd -D
> > > Current fwknopd config settings:
> > > 0. CONFIG_FILE = '/opt/etc/fwknop/fwknopd.conf'
> > > 1. OVERRIDE_CONFIG = '<not set>'
> > > 2. PCAP_INTF = 'vlan2'
> > > 3. ENABLE_PCAP_PROMISC = 'N'
> > > 4. PCAP_FILTER = 'udp port 62201'
> > > 5. MAX_SNIFF_BYTES = '1500'
> > > 6. ENABLE_SPA_PACKET_AGING = 'Y'
> > > 7. MAX_SPA_PACKET_AGE = '120'
> > > 8. ENABLE_DIGEST_PERSISTENCE = 'Y'
> > > 9. CMD_EXEC_TIMEOUT = '<not set>'
> > > 10. ENABLE_SPA_OVER_HTTP = 'N'
> > > 11. ENABLE_TCP_SERVER = 'N'
> > > 12. TCPSERV_PORT = '62201'
> > > 13. LOCALE = '<not set>'
> > > 14. SYSLOG_IDENTITY = 'fwknopd'
> > > 15. SYSLOG_FACILITY = 'LOG_DAEMON'
> > > 16. ENABLE_IPT_FORWARDING = 'N'
> > > 17. ENABLE_IPT_LOCAL_NAT = 'Y'
> > > 18. ENABLE_IPT_SNAT = 'N'
> > > 19. SNAT_TRANSLATE_IP = '<not set>'
> > > 20. ENABLE_IPT_OUTPUT = 'N'
> > > 21. FLUSH_IPT_AT_INIT = 'Y'
> > > 22. FLUSH_IPT_AT_EXIT = 'Y'
> > > 23. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
> > > 24. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
> > > 25. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
> > > 26. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
> > > 27. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
> > > 28. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
> > > 29. FWKNOP_RUN_DIR = '/var/run/fwknop'
> > > 30. FWKNOP_CONF_DIR = '/opt/etc/fwknop'
> > > 31. ACCESS_FILE = '/opt/etc/fwknop/access.conf'
> > > 32. FWKNOP_PID_FILE = '/var/run/fwknop/fwknopd.pid'
> > > 33. DIGEST_FILE = '/var/run/fwknop/digest.cache'
> > > 34. GPG_HOME_DIR = '/root/.gnupg'
> > > 35. FIREWALL_EXE = '/usr/sbin/iptables'
> > > Current fwknopd access settings:
> > > SOURCE (1): ANY
> > > ==============================================================
> > > OPEN_PORTS: tcp/8822,tcp/22
> > > RESTRICT_PORTS: <not set>
> > > KEY: <see the access.conf file>
> > > FW_ACCESS_TIMEOUT: 30
> > > ENABLE_CMD_EXEC: No
> > > CMD_EXEC_USER: <not set>
> > > REQUIRE_USERNAME: <not set>
> > > REQUIRE_SOURCE_ADDRESS: No
> > > GPG_HOME_DIR: <not set>
> > > GPG_DECRYPT_ID: <not set>
> > > GPG_DECRYPT_PW: <see the access.conf file>
> > > GPG_REQUIRE_SIG: No
> > > GPG_IGNORE_SIG_VERIFY_ERROR: No
> > > GPG_REMOTE_ID: <not set>
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
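Mike mentions adding a check to fwknopd that the comment match is really working. The script below is an added example (not fwknop's own code) of that check done from the outside: it inserts a probe rule with a unique comment, reads the chain listing back and looks for the comment instead of trusting the exit status, which is exactly what iptables 1.3.7 on dd-wrt got wrong in this thread. It assumes root, an `iptables` found via PATH (as the FIREWALL_EXE fix above) and the `/* ... */` rendering of comments in `iptables -L` output; the sample listing is constructed.

```python
# Added example: verify the iptables 'comment' match by reading the rule back,
# because an exit status of 0 alone was shown to be untrustworthy in this thread.
import re
import subprocess
import uuid

IPTABLES = "iptables"  # assumption: resolved via PATH, like FIREWALL_EXE = iptables

# Constructed sample of `iptables -L INPUT -n` output with one commented rule present.
SAMPLE_LISTING = """Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:12345 /* fwknop_comment_test_abcd1234 */
FWKNOP_INPUT  all  --  0.0.0.0/0            0.0.0.0/0
"""


def comment_present(listing: str, marker: str) -> bool:
    """True if a rule carrying `marker` as its comment appears in `iptables -L`
    output, where the comment match is rendered as /* marker */."""
    return re.search(r"/\* %s \*/" % re.escape(marker), listing) is not None


def diagnose(rc: int, visible: bool) -> str:
    """Turn (exit code of the insert, rule visible in the listing) into a verdict."""
    if rc == 0 and visible:
        return "ok: comment match works"
    if rc == 0 and not visible:
        return "broken: iptables returned 0 but the rule was not installed (old iptables?)"
    return "error: iptables exited %d; comment match probably unavailable" % rc


def _run(args):
    proc = subprocess.run([IPTABLES, *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def check_comment_match(chain: str = "INPUT", port: int = 12345) -> str:
    """Insert a probe rule with a unique comment, look for it in the chain
    listing, then remove it. -j RETURN keeps the probe a no-op: it never opens
    the port. Needs root and a real iptables, so the test does not call it."""
    marker = "fwknop_comment_test_%s" % uuid.uuid4().hex[:8]
    rule = ["-p", "tcp", "--dport", str(port), "-m", "comment",
            "--comment", marker, "-j", "RETURN"]
    rc, _ = _run(["-I", chain, *rule])
    _, listing = _run(["-L", chain, "-n"])
    visible = comment_present(listing, marker)
    if visible:
        _run(["-D", chain, *rule])  # clean up only when the rule really exists
    return diagnose(rc, visible)
```

Run `check_comment_match()` as root on the router; "broken" is the 1.3.7 symptom from this thread, "error" is the case where the match (or the xt_comment kernel module) is missing outright.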