I was about to suggest the "comment" feature as the problem. Michael's solution should be the correct one. I'm curious, though, what firmware distro you're using, like Openwrt/Lede, Tomato, etc?
--Jonathan Bennett

On 09/18/2016 08:13 PM, Michael Rash wrote:
> On Sun, Sep 18, 2016 at 8:26 PM, newsboost <newsbo...@gmail.com> wrote:
>
>> Dear all,
>>
>> I'm a fwknop-newbie. I've been struggling with getting fwknopd to work
>> on my asus router, as I think it should be pretty secure compared to
>> alternatives (knockd or just ssh wide open, for everyone to see this
>> from the internet or WAN)... I'm not really sure what I'm doing wrong,
>> as I don't understand the error messages or what fwknopd is trying to
>> tell me... Here are the version details:
>>
>> ----------
>> # fwknopd --version
>> fwknopd server 2.6.9, compiled for firewall bin: /opt/sbin/iptables
>> ----------
>>
>> And below are the error messages - the output when I try to run fwknopd
>> on my Asus router:
>
> From the output below, the reason fwknopd is exiting is because it is
> looking for the iptables 'comment' match, and it does not appear to be
> available. This is somewhat common on routers since Linux distributions
> designed to work there tend to reduce the features they compile in.
> There is a solution though - just run the command open/close cycle
> feature in fwknop-2.6.9. This way, fwknopd keeps track of the timing for
> rule expiration itself instead of using the 'comment' match.
>
> To get this working, change your /etc/fwknop/access.conf file to add the
> following lines to the stanza that defines your encryption/HMAC keys:
>
> CMD_CYCLE_OPEN /opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP --dport $PORT -j ACCEPT
> CMD_CYCLE_CLOSE /opt/sbin/iptables -D INPUT -p $PROTO -s $IP --dport $PORT -j ACCEPT
> CMD_CYCLE_TIMER 30
>
> Please let me know if there are any issues.
>
> Thanks,
>
> --Mike
>
>> ----------------------------------------------------------------------------------------
>> wrt54g@router:/tmp# fwknopd -f -v
>> Opened access file: /opt/etc/fwknop/access.conf
>> Initialize access stanzas
>> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: OPEN_PORTS: tcp/22
>> Var: OPEN_PORTS, Val: 'tcp/22'
>> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: REQUIRE_SOURCE_ADDRESS: N
>> Var: REQUIRE_SOURCE_ADDRESS, Val: 'N'
>> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: SOURCE ANY
>> Var: SOURCE, Val: 'ANY'
>> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: KEY_BASE64 gi+z3HrMWUKt/pIpsBOS08qYuGyzaAbIjZObv8+MIAc=
>> Var: KEY_BASE64, Val: 'gi+z3HrMWUKt/pIpsBOS08qYuGyzaAbIjZObv8+MIAc='
>> ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: HMAC_KEY_BASE64 JEbuMIaJewr+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pSoElmNSOKM5QBtroDHRqg==
>> Var: HMAC_KEY_BASE64, Val: 'JEbuMIaJewr+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pSoElmNSOKM5QBtroDHRqg=='
>> Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
>> [+] Writing my PID (2466) to the lock file: /opt/var/fwknop/fwknopd.pid
>> Starting fwknopd
>> Current fwknopd config settings:
>> 0. CONFIG_FILE = '/opt/etc/fwknop/fwknopd.conf'
>> 1. OVERRIDE_CONFIG = '<not set>'
>> 2. PCAP_INTF = 'eth0'
>> ........
>> ........
>> ........
>> GPG_IGNORE_SIG_VERIFY_ERROR: No
>> GPG_REMOTE_ID: <not set>
>> GPG_FINGERPRINT_ID: <not set>
>>
>> Using Digest Cache: '/opt/var/fwknop/digest.cache' (entry count = 0)
>> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -I INPUT 1 -s 127.0.0.2 -p udp -j ACCEPT
>> run_extcmd(): returning 0, pid_status: 0
>> ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -s 127.0.0.2 -p udp -j ACCEPT' (res: 0, err: )
>> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -C INPUT -s 127.0.0.2 -p udp -j ACCEPT
>> run_extcmd(): returning 0, pid_status: 0
>> ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -C INPUT -s 127.0.0.2 -p udp -j ACCEPT' (res: 0, err: )
>> ipt_chk_support() -C supported
>> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -D INPUT 1
>> run_extcmd(): returning 0, pid_status: 0
>> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT
>> run_extcmd(): returning 0, pid_status: 2
>> rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' (res: 0, err: iptables v1.4.21: Couldn't load target `FWKNOP_INPUT':No such file or directory
>>
>> Try `iptables -h' or 'iptables --help' for more information.)
>> rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT does not exist
>> jump_rule_exists_chk_support() jump rule not found
>> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -F FWKNOP_INPUT
>> run_extcmd(): returning 0, pid_status: 0
>> delete_all_chains() CMD: '/opt/sbin/iptables -t filter -F FWKNOP_INPUT' (res: 0, err: iptables: No chain/target/match by that name.)
>> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -X FWKNOP_INPUT
>> run_extcmd(): returning 0, pid_status: 1
>> delete_all_chains() CMD: '/opt/sbin/iptables -t filter -X FWKNOP_INPUT' (res: 0, err: iptables: No chain/target/match by that name.)
>> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -L FWKNOP_INPUT -n
>> run_extcmd(): returning 0, pid_status: 1
>> chain_exists() CMD: '/opt/sbin/iptables -t filter -L FWKNOP_INPUT -n' (res: 0, err: iptables: No chain/target/match by that name.)
>> 'filter' table 'FWKNOP_INPUT' chain exists
>> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -N FWKNOP_INPUT
>> run_extcmd(): returning 0, pid_status: 0
>> create_chain() CMD: '/opt/sbin/iptables -t filter -N FWKNOP_INPUT' (res: 0, err: )
>> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT
>> run_extcmd(): returning 0, pid_status: 1
>> rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' (res: 0, err: iptables: No chain/target/match by that name.)
>> rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT does not exist
>> jump_rule_exists_chk_support() jump rule not found
>> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT
>> run_extcmd(): returning 0, pid_status: 0
>> add_jump_rule() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT' (res: 0, err: )
>> Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
>> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -I INPUT 1 -s 127.0.0.2 -m comment --comment __TMPCOMMENT__ -j ACCEPT
>> run_extcmd(): returning 0, pid_status: 0
>> comment_match_exists() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -s 127.0.0.2 -m comment --comment __TMPCOMMENT__ -j ACCEPT' (res: 0, err: iptables: No chain/target/match by that name.)
>> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -L INPUT --line-numbers -n
>> run_extcmd(): returning 0, pid_status: 0
>> Warning: Could not use the 'comment' match
>> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT
>> run_extcmd(): returning 0, pid_status: 0
>> rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' (res: 0, err: )
>> rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT already exists
>> jump_rule_exists_chk_support() jump rule found
>> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -D INPUT -j FWKNOP_INPUT
>> run_extcmd(): returning 0, pid_status: 0
>> delete_all_chains() CMD: '/opt/sbin/iptables -t filter -D INPUT -j FWKNOP_INPUT' (res: 0, err: )
>> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT
>> run_extcmd(): returning 0, pid_status: 1
>> rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' (res: 0, err: iptables: No chain/target/match by that name.)
>> rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT does not exist
>> jump_rule_exists_chk_support() jump rule not found
>> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -F FWKNOP_INPUT
>> run_extcmd(): returning 0, pid_status: 0
>> delete_all_chains() CMD: '/opt/sbin/iptables -t filter -F FWKNOP_INPUT' (res: 0, err: )
>> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -X FWKNOP_INPUT
>> run_extcmd(): returning 0, pid_status: 0
>> delete_all_chains() CMD: '/opt/sbin/iptables -t filter -X FWKNOP_INPUT' (res: 0, err: )
>> ----------------------------------------------------------------------------------------
>>
>> And then it exits... Sorry, I don't know what the problem is. Please
>> help with a few hints/ideas/suggestions and I'll try them out. Thanks!
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Fwknop-discuss mailing list
>> Fwknop-discuss@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>
> --
> Michael Rash | Founder
> http://www.cipherdyne.org/
> Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
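A pre-flight check for the fix Mike describes, as an added example that is not part of the thread or of fwknop itself: it probes for the iptables 'comment' match the same way fwknopd's debug output shows it doing, and prints the CMD_CYCLE_* stanza lines when the match is missing. The /opt/sbin/iptables path and the 30-second timer come from the thread; the script name and its --check flag are assumptions, and the probe needs root on the router.

```shell
#!/bin/sh
# Added example, not from the thread or the fwknop project. Run on the
# router as root before starting fwknopd: probes for the iptables 'comment'
# match and, when it is missing, prints the CMD_CYCLE_* lines to append to
# the access stanza. IPT and TIMER default to the values from the thread.

IPT="${IPT:-/opt/sbin/iptables}"   # what "fwknopd --version" reports as firewall bin
TIMER="${TIMER:-30}"               # seconds an opened port stays accessible

# Insert a throwaway rule that needs -m comment, then delete it again by
# its full spec (not by index, so a rule inserted meanwhile is not hit).
# Returns 0 when the comment match is usable, 1 when it is not.
comment_match_available() {
    spec="-s 127.0.0.2 -m comment --comment __TMPCOMMENT__ -j ACCEPT"
    # word-splitting of $spec into separate arguments is intended
    if "$IPT" -t filter -I INPUT 1 $spec 2>/dev/null; then
        "$IPT" -t filter -D INPUT $spec 2>/dev/null
        return 0
    fi
    return 1
}

# Emit the access.conf lines for the command open/close cycle. fwknopd
# expands $PROTO, $IP and $PORT itself, so they are written literally.
# A destination port is matched with --dport; -d would mean an address.
cmd_cycle_stanza() {
    ipt="$1"
    timer="$2"
    printf '%s\n' \
        "CMD_CYCLE_OPEN  $ipt -I INPUT 1 -p \$PROTO -s \$IP --dport \$PORT -j ACCEPT" \
        "CMD_CYCLE_CLOSE $ipt -D INPUT -p \$PROTO -s \$IP --dport \$PORT -j ACCEPT" \
        "CMD_CYCLE_TIMER $timer"
}

# Usage: sh fwknop-preflight.sh --check   (assumed script name)
if [ "${1:-}" = "--check" ]; then
    if comment_match_available; then
        echo "'comment' match works: fwknopd's default rule handling is fine"
    else
        echo "'comment' match missing: add these lines to the access stanza"
        cmd_cycle_stanza "$IPT" "$TIMER"
    fi
fi
```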