On Oct 23, 2011, Frank Ness wrote:

> Just to add a little to my explanation below. I have now discovered that my 
> solution doesn't work if you start fwknopd from an init.d script. I guess it 
> has something to do with the path. Anyway, you can solve it by setting the 
> FIREWALL_EXE line in fwknopd.conf to /opt/sbin/iptables. Turns out that is 
> where the main executable goes. With this setting fwknopd works both when you 
> start it manually and when you start it from an init.d script.

Cool, absolute paths are usually better.  Thanks for the update.

--Mike



> From: frank_n...@live.com
> To: m...@cipherdyne.org; fwknop-discuss@lists.sourceforge.net
> Date: Sat, 22 Oct 2011 23:21:25 +0200
> Subject: Re: [Fwknop-discuss] Cannot create iptables rules using fwknop on 
> dd-wrt
> 
> Hi Mike,
>  
> Thanks man, that information helped me solve the problem. I'll explain what 
> the problem is below for the benefit of others.
>  
> I use the recommended build of dd-wrt (14929). That build ships with a pretty 
> ancient version of iptables (1.3.7). If you run  
>  
> # iptables -I INPUT -p tcp --dport 12345 -m comment --comment "testing" -j 
> ACCEPT
> 
> the command finishes without any error messages. The syslog is also clean. 
> However if you check using iptables -L there is no corresponding rule. BTW 
> the exit code of the command is 0 so I don't think your program is to blame 
> for not detecting the error. 
>  
> To solve the problem I upgraded using optware to iptables version 1.4.9. At 
> this point it is important to reboot the router. Only after the router comes 
> back up iptables 1.4.9 is running. If you try to run 
>  
> # iptables -I INPUT -p tcp --dport 12345 -m comment --comment "testing" -j 
> ACCEPT
>  
> the rule is added correctly to iptables.
>  
> Now for the weird part. To get fwknop to run you have to change the 
> FIREWALL_EXE line in fwknopd.conf from /usr/sbin/iptables to iptables and NOT 
> to /opt/usr/sbin/iptables (the location for the new iptables program). I 
> figured that out by running:
>  
> iptables -V result: iptables v1.4.9
> /usr/sbin/iptables -V result: iptables v1.3.7
> /opt/usr/sbin/iptables -V result: iptables v1.3.7
> also running whereis iptables yields iptables: /usr/sbin/iptables
> 
> So for some reason the system has a little trouble finding iptables, however 
> if the FIREWALL_EXE line in fwknopd.conf is set to iptables there are no more 
> problems and I am able to reach sshd from my phone! Running fwknopd --fw-list 
> shows the rules perfectly. 
>  
>  
> You asked about compiling fwknopd for dd-wrt. It was my first compilation of 
> a program and all in all I say that it went pretty smooth. The process for 
> compiling a package for optware / dd-wrt is documented on 
> http://www.nslu2-linux.org/wiki/Optware/AddAPackageToOptware
> It is important to note that you can't compile on a recent version of Ubuntu 
> but that you need 8.04 or some other older version. I solved that by running 
> the whole process in a virtualbox. When you compile the toolchain you have to 
> resort to some tricks to get the right files the beast needs, but that is all 
> solvable. 
>  
> The biggest problem were a lot of malloc and realloc errors during 
> compilation. With some googling I worked out that by putting 
>  
> export jm_cv_func_working_malloc=yes
> export ac_cv_func_malloc_0_nonnull=yes
> export ac_cv_func_rpl_realloc_0_nonnull=yes
> export ac_cv_func_realloc_0_nonnull=yes
>  
> in the make file the problem could be solved. But I think it is an ugly fix 
> and I'm pretty sure some of these lines are redundant or wrong. 
>  
> The options I used to compile fwknopd are
>  
> --build=$(GNU_HOST_NAME) \
> --host=$(GNU_TARGET_NAME) \
> --target=$(GNU_TARGET_NAME) \
> For these three the variable is supplied by the dd-wrt/optware part of the 
> make file set. I don't know what it is set to, but since I now have a working 
> version of fwknopd I don't really care. 
>  
> I supplied the following options myself
> --disable-client \
> I only wanted to try the server. Maybe I'll compile the client too, but for 
> now I don't see the need. (At least not on a router.)
>  
> --disable-static \
> When I didn't use this option the compilation process finished without errors 
> but when I checked the ipk file the program complained about something to do 
> with a static library. Don't really know what the problem was. Using this 
> option got rid of it.  
>  
> --with-iptables=/usr/sbin/iptables \
> I'm going to recompile the program and I'll change this option to 
> --with-iptables=iptables  that way fwknop should work more out of the box.
>  
> --prefix=/opt \
> Optware is installed in /opt
>  
> --program-prefix="" \
> If you don't use this option the fwknopd program gets the prefix 
> mipsel-linux. I don't want that.
>  
> --disable-pie \
> This is the most important option. If you don't use this option the program 
> will compile without errors, but it will seg fault upon running on the 
> router. I found some references on other programs seg faulting on dd-wrt if 
> pie was enabled, so I guess that dd-wrt doesn't support pie. 
> 
> When I'm done testing I'll see if I can't upload the make file to optware / 
> dd-wrt, unless of course you don't want me to. However I'm a bit hesitant as 
> this is the first time I compiled a program and I don't want to put a lot of 
> people at risk with a faulty compilation. Also I have to figure out how to 
> upload the make file.
>  
> Do send me an e-mail when you have the test suite more up and running. It 
> would be interesting to test it.
>  
> Thanks for the help and your nice program,
>  
> Frank
> 
> > Date: Sat, 22 Oct 2011 13:45:31 -0400
> > From: m...@cipherdyne.org
> > To: fwknop-discuss@lists.sourceforge.net
> > Subject: Re: [Fwknop-discuss] Cannot create iptables rules using fwknop on 
> > dd-wrt
> > 
> > On Oct 22, 2011, Frank Ness wrote:
> > 
> > > 
> > > Hi, 
> > 
> > Hello Frank,
> > 
> > > First of all apologies if this is a double post. I seem to have some 
> > > trouble posting to the list.
> > 
> > Not a double post - this one made it through.
> > 
> > > The good news is I think I have succeeded in successfully compiling fwknopd 
> > > to dd-wrt using optware. The program compiled without errors and runs on 
> > > my router. The bad news is that it doesn't seem to create iptables rules 
> > > needed. 
> > > 
> > > If I start fwknopd and send a SPA packet from my android phone to my 
> > > router fwknopd responds with:
> > > 
> > > Using Digest Cache: '/var/run/fwknop/digest.cache' (entry count = 0)
> > > Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
> > > PCAP filter is: udp port 62201
> > > Starting fwknopd main event loop.
> > > SPA Packet from IP: <my phone ip> received.
> > > SPA Packet: 
> > > '+0e+uMnhekbCqfB1tHSenxfiiCrtkaxSJJzBNA5FfYiX1pmMC1cO5MhxmorkfGS2+z723Jd2Aj/4Y4oPNn1MmXQ9gc8yAziJGe0Rkiqt9GCwmXGzWzDVFiWPXg9zLDA9Az/xW2SIaEGudbGEn3hXqnb1O0HEJy74TlOvgjP8obBNlSMyucX4aw'
> > > Added Rule to FWKNOP_INPUT for <my phone ip>, tcp/8822 expires at 
> > > 1319299103
> > 
> > The above looks normal. However, can you confirm that the iptables 'comment'
> > match is compiled into the dd-wrt kernel? The "Added Rule..." message above
> > should indicate that it's there because fwknopd checks the exit status of
> > the iptables command it uses to add the rule, but I think it would be good
> > to check manually just to be sure. Does this command generate any errors?:
> > 
> > # iptables -I INPUT -p tcp --dport 12345 -m comment --comment "testing" -j 
> > ACCEPT
> > 
> > > However I cannot reach ssh on my router. If I run (from a different ssh 
> > > session) iptables -L I can see some entries relating to fwknopd. I get 
> > > 
> > > # iptables -L
> > > Chain INPUT (policy ACCEPT)
> > > target prot opt source destination
> > > FWKNOP_INPUT 0 -- anywhere anywhere
> > > 
> > > Immediately after that I get some iptables rules I put in myself. Then 
> > > after quite a lot more lines I get 
> > > 
> > > Chain FWKNOP_INPUT (1 references)
> > > target prot opt source destination
> > > Chain advgrp_1 (0 references)
> > > 
> > > And the output continues but with no references to either my phone ip 
> > > address or port 8822.
> > 
> > You can list just the fwknopd rules with:
> > 
> > # fwknopd --fw-list
> > 
> > This may help interpret things if the iptables rule set is really large. If
> > you try generating the SPA packet once again and immediately after can you
> > execute the --fw-list command above? This will help to confirm whether
> > fwknopd is actually able to add any corresponding access rule for the SPA
> > packet. If the rule exists, then we'll need to investigate how fwknopd is
> > adding the jump rule w.r.t. the rest of the policy.
> > 
> > > Then after a while fwknop tells me:
> > > 
> > > Did not find expire comment in rules list 0.
> > 
> > This makes me think that the 'comment' match may not exist..
> > 
> > > I'm stuck. As far as I can tell fwknopd runs without errors and can 
> > > access iptables because I can see entries relating to fwknop in my 
> > > iptables. These entries disappear (as they should) when I close fwknopd 
> > > and reappear when I start fwknopd again. However, no iptables rules are 
> > > created.
> > > 
> > > Does anyone have a suggestion to solve this problem? Am I configuring 
> > > fwknopd.conf or access.conf wrong? The output of fwknopd -D is attached 
> > > below
> > 
> > That configuration looks good to me.
> > 
> > Btw, I'm currently developing a test suite for fwknop:
> > 
> > http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=shortlog;h=refs/heads/test_suite
> > 
> > Once this is complete (another week or so) it may be interesting to try it
> > out on your dd-wrt system. I'll send you an email once it is closer to
> > being ready.
> > 
> > On dd-wrt did you need to do anything special to get fwknop to compile? It's
> > cool to see that it compiles properly on another platform.
> > 
> > Thanks,
> > 
> > --Mike
> > 
> > 
> > > Thanks,
> > > 
> > > Frank
> > > 
> > > output of fwknopd -D 
> > > # fwknopd -D
> > > Current fwknopd config settings:
> > > 0. CONFIG_FILE = '/opt/etc/fwknop/fwknopd.conf'
> > > 1. OVERRIDE_CONFIG = '<not set>'
> > > 2. PCAP_INTF = 'vlan2'
> > > 3. ENABLE_PCAP_PROMISC = 'N'
> > > 4. PCAP_FILTER = 'udp port 62201'
> > > 5. MAX_SNIFF_BYTES = '1500'
> > > 6. ENABLE_SPA_PACKET_AGING = 'Y'
> > > 7. MAX_SPA_PACKET_AGE = '120'
> > > 8. ENABLE_DIGEST_PERSISTENCE = 'Y'
> > > 9. CMD_EXEC_TIMEOUT = '<not set>'
> > > 10. ENABLE_SPA_OVER_HTTP = 'N'
> > > 11. ENABLE_TCP_SERVER = 'N'
> > > 12. TCPSERV_PORT = '62201'
> > > 13. LOCALE = '<not set>'
> > > 14. SYSLOG_IDENTITY = 'fwknopd'
> > > 15. SYSLOG_FACILITY = 'LOG_DAEMON'
> > > 16. ENABLE_IPT_FORWARDING = 'N'
> > > 17. ENABLE_IPT_LOCAL_NAT = 'Y'
> > > 18. ENABLE_IPT_SNAT = 'N'
> > > 19. SNAT_TRANSLATE_IP = '<not set>'
> > > 20. ENABLE_IPT_OUTPUT = 'N'
> > > 21. FLUSH_IPT_AT_INIT = 'Y'
> > > 22. FLUSH_IPT_AT_EXIT = 'Y'
> > > 23. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
> > > 24. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
> > > 25. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
> > > 26. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
> > > 27. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
> > > 28. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, 
> > > FWKNOP_POSTROUTING, 1'
> > > 29. FWKNOP_RUN_DIR = '/var/run/fwknop'
> > > 30. FWKNOP_CONF_DIR = '/opt/etc/fwknop'
> > > 31. ACCESS_FILE = '/opt/etc/fwknop/access.conf'
> > > 32. FWKNOP_PID_FILE = '/var/run/fwknop/fwknopd.pid'
> > > 33. DIGEST_FILE = '/var/run/fwknop/digest.cache'
> > > 34. GPG_HOME_DIR = '/root/.gnupg'
> > > 35. FIREWALL_EXE = '/usr/sbin/iptables'
> > > Current fwknopd access settings:
> > > SOURCE (1): ANY
> > > ==============================================================
> > > OPEN_PORTS: tcp/8822,tcp/22
> > > RESTRICT_PORTS: <not set>
> > > KEY: <see the access.conf file>
> > > FW_ACCESS_TIMEOUT: 30
> > > ENABLE_CMD_EXEC: No
> > > CMD_EXEC_USER: <not set>
> > > REQUIRE_USERNAME: <not set>
> > > REQUIRE_SOURCE_ADDRESS: No
> > > GPG_HOME_DIR: <not set>
> > > GPG_DECRYPT_ID: <not set>
> > > GPG_DECRYPT_PW: <see the access.conf file>
> > > GPG_REQUIRE_SIG: No
> > > GPG_IGNORE_SIG_VERIFY_ERROR: No
> > > GPG_REMOTE_ID: <not set>
> > > 
> > > 
> > 
> > 
> > 
> 



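Frank's finding above (iptables 1.3.7 on dd-wrt returning exit status 0 while silently dropping the rule that used the comment match) means a daemon that trusts the exit code, as fwknopd did, cannot see the failure. The following POSIX sh self-check, added here as an example and not part of the thread or of fwknop, inserts a throwaway comment rule and confirms it is actually present in the listing before trusting the match; the IPTABLES override variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from fwknop. Verifies that the
# iptables 'comment' match really inserts a rule instead of trusting the
# exit code, which the old iptables 1.3.7 on dd-wrt returned as 0 anyway.
# IPTABLES is an assumed override so the check can be pointed at the same
# binary fwknopd.conf's FIREWALL_EXE names (or at a stub for testing).
IPTABLES="${IPTABLES:-iptables}"

# listing_has_comment LISTING COMMENT
# Returns 0 if 'iptables -L' style output contains a rule carrying
# /* COMMENT */, which is how the comment match is rendered, else 1.
listing_has_comment() {
    listing="$1"
    comment="$2"
    if printf '%s\n' "$listing" | grep -F -q -e "/* $comment */"; then
        return 0
    fi
    return 1
}

# comment_match_works [PORT]
# Inserts a throwaway ACCEPT rule on PORT (default 12345, as in the thread)
# tagged with a unique comment, lists INPUT, removes the rule again, and
# reports whether the tagged rule was ever visible.
# Returns 0 when the match works, 1 when the rule silently vanished,
# 2 when the insert command itself reported an error.
comment_match_works() {
    port="${1:-12345}"
    tag="fwknop-selftest-$$"
    "$IPTABLES" -I INPUT -p tcp --dport "$port" \
        -m comment --comment "$tag" -j ACCEPT || return 2
    # -L (not -S) so the check also works on older iptables builds.
    listing="$("$IPTABLES" -L INPUT -n)"
    # Always clean up, whether or not the rule was found.
    "$IPTABLES" -D INPUT -p tcp --dport "$port" \
        -m comment --comment "$tag" -j ACCEPT 2>/dev/null || true
    listing_has_comment "$listing" "$tag"
}
```

Run it as root on the router; set IPTABLES to the path in fwknopd.conf's FIREWALL_EXE so the check exercises the binary fwknopd will actually call.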
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
