I was about to suggest the "comment" feature as the problem.  Michael's 
solution should be the correct one.  I'm curious, though, what firmware distro 
you're using, like OpenWrt/LEDE, Tomato, etc.?

--Jonathan Bennett

On 09/18/2016 08:13 PM, Michael Rash wrote:
> 
> 
> On Sun, Sep 18, 2016 at 8:26 PM, newsboost <newsbo...@gmail.com 
> <mailto:newsbo...@gmail.com>> wrote:
> 
>     Dear all,
> 
>     I'm a fwknop newbie. I've been struggling to get fwknopd to work
>     on my Asus router, as I think it should be pretty secure compared to
>     the alternatives (knockd, or just ssh wide open for everyone to see
>     from the internet or WAN)... I'm not really sure what I'm doing wrong, as I
>     don't understand the error messages or what fwknopd is trying to tell
>     me... Here are the version details:
> 
>     ----------
> 
>     # fwknopd --version
>     fwknopd server 2.6.9, compiled for firewall bin: /opt/sbin/iptables
>     ----------
> 
>     And below are the error messages - the output when I try to run fwknopd
>     on my Asus router:
> 
> 
> 
> From the output below, the reason fwknopd is exiting is because it is looking 
> for the iptables 'comment' match, and it does not appear to be available. 
> This is somewhat common on routers since Linux distributions designed to work 
> there tend to reduce the features they compile in. There is a solution
> though - just run the command open/close cycle feature in fwknop-2.6.9. This 
> way, fwknopd keeps track of the timing for rule expiration itself instead of 
> using the 'comment' match.
> 
> To get this working, change your /etc/fwknop/access.conf file to add the 
> following lines to the stanza that defines your encryption/HMAC keys:
> 
> CMD_CYCLE_OPEN         /opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP --dport $PORT -j ACCEPT
> 
> CMD_CYCLE_CLOSE        /opt/sbin/iptables -D INPUT -p $PROTO -s $IP --dport $PORT -j ACCEPT
> 
> CMD_CYCLE_TIMER        30
> 
> Please let me know if there are any issues.
> 
> Thanks,
> 
> --Mike
> 
>  
> 
> 
>     
> ----------------------------------------------------------------------------------------
> 
>     wrt54g@router:/tmp# fwknopd  -f -v
>     Opened access file: /opt/etc/fwknop/access.conf
>     Initialize access stanzas
>     ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: OPEN_PORTS: tcp/22
>          Var: OPEN_PORTS, Val: 'tcp/22'
>     ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: REQUIRE_SOURCE_ADDRESS: N
>          Var: REQUIRE_SOURCE_ADDRESS, Val: 'N'
>     ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: SOURCE              ANY
>          Var: SOURCE, Val: 'ANY'
>     ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: KEY_BASE64 gi+z3HrMWUKt/pIpsBOS08qYuGyzaAbIjZObv8+MIAc=
>          Var: KEY_BASE64, Val: 'gi+z3HrMWUKt/pIpsBOS08qYuGyzaAbIjZObv8+MIAc='
>     ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: HMAC_KEY_BASE64 JEbuMIaJewr+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pSoElmNSOKM5QBtroDHRqg==
>          Var: HMAC_KEY_BASE64, Val: 'JEbuMIaJewr+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pSoElmNSOKM5QBtroDHRqg=='
>     Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
>     [+] Writing my PID (2466) to the lock file: /opt/var/fwknop/fwknopd.pid
>     Starting fwknopd
>     Current fwknopd config settings:
>        0. CONFIG_FILE                  = '/opt/etc/fwknop/fwknopd.conf'
>        1. OVERRIDE_CONFIG              =  '<not set>'
>        2. PCAP_INTF                    =  'eth0'
>     ........
>     ........
>     ........
>     GPG_IGNORE_SIG_VERIFY_ERROR:  No
>                    GPG_REMOTE_ID:  <not set>
>               GPG_FINGERPRINT_ID:  <not set>
> 
> 
>     Using Digest Cache: '/opt/var/fwknop/digest.cache' (entry count = 0)
>     run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
>     -I INPUT 1 -s 127.0.0.2 -p udp -j ACCEPT
>     run_extcmd(): returning 0, pid_status: 0
>     ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -s
>     127.0.0.2 -p udp -j ACCEPT' (res: 0, err: )
>     run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
>     -C INPUT -s 127.0.0.2 -p udp -j ACCEPT
>     run_extcmd(): returning 0, pid_status: 0
>     ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -C INPUT -s
>     127.0.0.2 -p udp -j ACCEPT' (res: 0, err: )
>     ipt_chk_support() -C supported
>     run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
>     -D INPUT 1
>     run_extcmd(): returning 0, pid_status: 0
>     run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT
>     -t filter -j FWKNOP_INPUT
>     run_extcmd(): returning 0, pid_status: 2
>     rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j
>     FWKNOP_INPUT' (res: 0, err: iptables v1.4.21: Couldn't load target
>     `FWKNOP_INPUT':No such file or directory
> 
>     Try `iptables -h' or 'iptables --help' for more information.)
>     rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT
>     does not exist
>     jump_rule_exists_chk_support() jump rule not found
>     run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
>     -F FWKNOP_INPUT
>     run_extcmd(): returning 0, pid_status: 0
>     delete_all_chains() CMD: '/opt/sbin/iptables -t filter -F FWKNOP_INPUT'
>     (res: 0, err: iptables: No chain/target/match by that name.)
>     run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
>     -X FWKNOP_INPUT
>     run_extcmd(): returning 0, pid_status: 1
>     delete_all_chains() CMD: '/opt/sbin/iptables -t filter -X FWKNOP_INPUT'
>     (res: 0, err: iptables: No chain/target/match by that name.)
>     run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
>     -L FWKNOP_INPUT -n
>     run_extcmd(): returning 0, pid_status: 1
>     chain_exists() CMD: '/opt/sbin/iptables -t filter -L FWKNOP_INPUT -n'
>     (res: 0, err: iptables: No chain/target/match by that name.)
>     'filter' table 'FWKNOP_INPUT' chain exists
>     run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
>     -N FWKNOP_INPUT
>     run_extcmd(): returning 0, pid_status: 0
>     create_chain() CMD: '/opt/sbin/iptables -t filter -N FWKNOP_INPUT' (res:
>     0, err: )
>     run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT
>     -t filter -j FWKNOP_INPUT
>     run_extcmd(): returning 0, pid_status: 1
>     rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j
>     FWKNOP_INPUT' (res: 0, err: iptables: No chain/target/match by that name.)
>     rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT
>     does not exist
>     jump_rule_exists_chk_support() jump rule not found
>     run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
>     -I INPUT 1 -j FWKNOP_INPUT
>     run_extcmd(): returning 0, pid_status: 0
>     add_jump_rule() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -j
>     FWKNOP_INPUT' (res: 0, err: )
>     Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
>     run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
>     -I INPUT 1 -s 127.0.0.2 -m comment --comment __TMPCOMMENT__ -j ACCEPT
>     run_extcmd(): returning 0, pid_status: 0
>     comment_match_exists() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -s
>     127.0.0.2 -m comment --comment __TMPCOMMENT__ -j ACCEPT' (res: 0, err:
>     iptables: No chain/target/match by that name.)
>     run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
>     -L INPUT --line-numbers -n
>     run_extcmd(): returning 0, pid_status: 0
>     Warning: Could not use the 'comment' match
>     run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT
>     -t filter -j FWKNOP_INPUT
>     run_extcmd(): returning 0, pid_status: 0
>     rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j
>     FWKNOP_INPUT' (res: 0, err: )
>     rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT
>     already exists
>     jump_rule_exists_chk_support() jump rule found
>     run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
>     -D INPUT -j FWKNOP_INPUT
>     run_extcmd(): returning 0, pid_status: 0
>     delete_all_chains() CMD: '/opt/sbin/iptables -t filter -D INPUT -j
>     FWKNOP_INPUT' (res: 0, err: )
>     run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT
>     -t filter -j FWKNOP_INPUT
>     run_extcmd(): returning 0, pid_status: 1
>     rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j
>     FWKNOP_INPUT' (res: 0, err: iptables: No chain/target/match by that name.)
>     rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT
>     does not exist
>     jump_rule_exists_chk_support() jump rule not found
>     run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
>     -F FWKNOP_INPUT
>     run_extcmd(): returning 0, pid_status: 0
>     delete_all_chains() CMD: '/opt/sbin/iptables -t filter -F FWKNOP_INPUT'
>     (res: 0, err: )
>     run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter
>     -X FWKNOP_INPUT
>     run_extcmd(): returning 0, pid_status: 0
>     delete_all_chains() CMD: '/opt/sbin/iptables -t filter -X FWKNOP_INPUT'
>     (res: 0, err: )
>     
> ----------------------------------------------------------------------------------------
> 
> 
>     And then it exits... Sorry, I don't know what is the problem. Please
>     help with a few hints/ideas/suggestions and I'll try them out. Thanks!
> 
> 
> 
>     
> ------------------------------------------------------------------------------
>     _______________________________________________
>     Fwknop-discuss mailing list
>     Fwknop-discuss@lists.sourceforge.net 
> <mailto:Fwknop-discuss@lists.sourceforge.net>
>     https://lists.sourceforge.net/lists/listinfo/fwknop-discuss 
> <https://lists.sourceforge.net/lists/listinfo/fwknop-discuss>
> 
> 
> 
> 
> -- 
> Michael Rash | Founder
> http://www.cipherdyne.org/
> Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F


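The diagnosis in this thread rests on reading fwknopd's verbose capability probes correctly: the `-m comment` probe reports `res: 0` yet carries an iptables error, and only the error text (and the later "Could not use the 'comment' match" warning) shows that the match is missing. The script below is an added example for this thread, not fwknop project code. It parses probe records of the shape fwknopd 2.6.9 printed above, summarises which iptables features were detected, and renders the CMD_CYCLE_* stanza lines when the comment match is unusable. It assumes those log line shapes, takes the firewall binary from `fwknopd --version` output, and uses `--dport $PORT` for the port match (the form given in fwknop's access.conf documentation); the sample log and version banner are constructed, condensed from the thread's output.

```python
"""Read the capability probes that `fwknopd -f -v` prints at startup and, when
the iptables 'comment' match is missing, render the CMD_CYCLE_* access.conf
lines that let fwknopd time rule expiration itself.

Added example for this thread; not fwknop project code. Assumptions: the log
line shapes are the ones fwknopd 2.6.9 printed in the thread, and the stanza
uses --dport $PORT (the port-match form from fwknop's access.conf docs).
"""
import re

# Constructed sample input, condensed from the shapes seen in the thread
# (not the poster's exact output): the version banner and four probe records.
SAMPLE_VERSION = "fwknopd server 2.6.9, compiled for firewall bin: /opt/sbin/iptables"
SAMPLE_LOG = """\
ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -s 127.0.0.2 -p udp -j ACCEPT' (res: 0, err: )
ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -C INPUT -s 127.0.0.2 -p udp -j ACCEPT' (res: 0, err: )
ipt_chk_support() -C supported
rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' (res: 0, err: iptables v1.4.21: Couldn't load target `FWKNOP_INPUT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.)
comment_match_exists() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -s 127.0.0.2 -m comment --comment __TMPCOMMENT__ -j ACCEPT' (res: 0, err: iptables: No chain/target/match by that name.)
Warning: Could not use the 'comment' match
"""

# One probe record: "func() CMD: '<cmd>' (res: N, err: <text>)". DOTALL lets a
# multi-line iptables error (as in the FWKNOP_INPUT probe) stay inside <text>.
PROBE_RE = re.compile(
    r"(?P<func>\w+)\(\) CMD: '(?P<cmd>[^']*)' \(res: (?P<res>\d+), err: (?P<err>.*?)\)\n",
    re.DOTALL,
)
VERSION_RE = re.compile(r"compiled for firewall bin: (\S+)")


def firewall_bin(version_output):
    """Path of the iptables binary fwknopd was built for (`fwknopd --version`)."""
    m = VERSION_RE.search(version_output)
    if m is None:
        raise ValueError("version output has no 'compiled for firewall bin:' field")
    return m.group(1)


def parse_probes(log_text):
    """Every probe record in the log; an empty err string means the probe passed."""
    if not log_text.endswith("\n"):
        log_text += "\n"
    return [
        {"func": m["func"], "cmd": m["cmd"], "res": int(m["res"]), "err": m["err"].strip()}
        for m in PROBE_RE.finditer(log_text)
    ]


def probe_results(log_text):
    """Summarise the capability probes. fwknopd prints 'res: 0' whenever it
    could execute the binary at all, so the iptables error text, not res,
    is the reliable failure signal (see the __TMPCOMMENT__ probe above)."""
    results = {"comment_match": None, "check_flag": None}
    for p in parse_probes(log_text):
        passed = p["err"] == ""
        if p["func"] == "comment_match_exists" and " -m comment " in p["cmd"]:
            results["comment_match"] = passed
        elif p["func"] == "ipt_chk_support" and " -C " in p["cmd"]:
            results["check_flag"] = passed
    # fwknopd's own verdict, printed after the probe, takes precedence.
    if "Warning: Could not use the 'comment' match" in log_text:
        results["comment_match"] = False
    return results


def cmd_cycle_stanza(fw_bin, timer=30):
    """The three access.conf lines from Mike's workaround, with --dport for the
    port match; fwknopd expands $PROTO, $IP and $PORT per accepted SPA packet."""
    return [
        f"CMD_CYCLE_OPEN     {fw_bin} -I INPUT 1 -p $PROTO -s $IP --dport $PORT -j ACCEPT",
        f"CMD_CYCLE_CLOSE    {fw_bin} -D INPUT -p $PROTO -s $IP --dport $PORT -j ACCEPT",
        f"CMD_CYCLE_TIMER    {timer}",
    ]


def recommend(version_output, log_text, timer=30):
    """Return the stanza lines only when the log shows the comment match is
    unusable; an empty list means the default comment-based expiry can be kept."""
    if probe_results(log_text)["comment_match"] is False:
        return cmd_cycle_stanza(firewall_bin(version_output), timer)
    return []


if __name__ == "__main__":
    print(probe_results(SAMPLE_LOG))
    print("\n".join(recommend(SAMPLE_VERSION, SAMPLE_LOG)))
```

Run it against a saved `fwknopd -f -v` transcript by passing the file contents to `recommend()`; the CMD_CYCLE_TIMER value is the number of seconds the rule stays open before fwknopd runs the close command, so keep it as short as the client's session setup allows.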