On 09/19/2016 03:13 AM, fwknop-discuss-requ...@lists.sourceforge.net wrote:
Date: Sun, 18 Sep 2016 21:13:46 -0400 From: Michael Rash <michael.r...@gmail.com> Subject: Re: [Fwknop-discuss] noob - cannot figure out errors (e.g. "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v" To: "fwknop-discuss@lists.sourceforge.net" <fwknop-discuss@lists.sourceforge.net> Message-ID: <caa9wn8m+boqhp3fzyx7hyidymq7fy5x9fr_czsm8cbmoexk...@mail.gmail.com> Content-Type: text/plain; charset="utf-8" On Sun, Sep 18, 2016 at 8:26 PM, newsboost <newsbo...@gmail.com> wrote: >
># fwknopd --version
>fwknopd server 2.6.9, compiled for firewall bin: /opt/sbin/iptables
>----------
>
>And below is the error messages - the output, when I try to run fwknopd
>on my Asus router:
>
>From the output below, the reason fwknopd is exiting is because it is
looking for the iptables 'comment' match, and it does not appear to be
available. This is somewhat common on routers since Linux distributions
designed to work there tend to reduce the features they compile in. There
Ok, thanks a lot, Michael! That is a really qualified answer, I had absolutely no idea what was the problem, although I suspected that the router's iptables-version was a "downgraded" version of what I imagine is normally shipped with modern linux-iptables versions...
is a solution though - just run the command open/close cycle feature in
fwknop-2.6.9. This way, fwknopd keeps track of the timing for rule
expiration itself instead of using the 'comment' match.
I don't know (nor understand) anything about this, but I'm very happy you provided the solution:
To get this working, change your /etc/fwknop/access.conf file to add the
following lines to the stanza that defines your encryption/HMAC keys:

CMD_CYCLE_OPEN         /opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP -d
$PORT -j ACCEPT

CMD_CYCLE_CLOSE       /opt/sbin/iptables -D INPUT -p $PROTO -s $IP -d $PORT
-j ACCEPT

CMD_CYCLE_TIMER        30
Please let me know if there are any issues.

Thanks,

--Mike

It's incredibly, I feel I'm almost there (but unfortunately not yet)... Here's what I see or have done or figured out:

I have this file on my client pc (I anonymized some details a bit):


[martin@HPpc ~]$ cat .fwknoprc
[default]

[80.165.213.40]
ACCESS                      tcp/22
SPA_SERVER                  80.165.213.40
KEY_BASE64 gi+z3HrZMUKtpIps/BOS08qYuGyzaAbIjZObv8+MIAc=
HMAC_KEY_BASE64 JEbuMIaJewr5Q+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pElmSoNSOKMBtroDHRqg==
USE_HMAC                    Y
VERBOSE                     Y
RESOLVE_IP_HTTPS            Y


On the router (fwknopd-server), I have this "access.conf" (everything else is out-commented, thanks a lot for the "CMD_CYCLE"-commands, they really help!):

OPEN_PORTS          tcp/22
SOURCE              ANY
KEY_BASE64          gi+z3HrZMUKtpIps/BOS08qYuGyzaAbIjZObv8+MIAc=
HMAC_KEY_BASE64 JEbuMIaJewr5Q+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pElmSoNSOKMBtroDHRqg== CMD_CYCLE_OPEN /opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP -d $PORT -j ACCEPT CMD_CYCLE_CLOSE /opt/sbin/iptables -D INPUT -p $PROTO -s $IP -d $PORT -j ACCEPT
CMD_CYCLE_TIMER     30


And this "fwknopd.conf" (everything else is outcommented):
VERBOSE                3;
PCAP_INTF              eth0;
PCAP_FILTER            udp dst portrange 10000-65535;


I tested by ssh'ing into the router, through the LAN and ran "fwknopd -f -v" on the router through the LAN, so I could see the messages in the front. On my client (same pc) as root in one terminal window, I ran an openvpn-connection to get another external IP address, than the WAN-side of my router. Then I tried nmap using different combinations, but it didn't work out. I ran the fwknop-client like this (so it looked into the details in the ~/.fwknoprc - below I have "80.165.213.40" as my fwknop-server IP-address or WAN-side of my router and my OpenVPN connection gives me the external IP address "178.161.214.215" in extra terminal windows, from which I later try to ssh into the WAN-side of my router, trying to get into the local network, my own LAN, i.e. 192.168.XXX.XXX/24...):

[martin@HPpc ~]$ fwknop -v -R --rc-file .fwknoprc -n 80.165.213.40
[+] Resolved external IP (via '/usr/bin/wget -U Fwknop/2.6.9 --secure-protocol=auto --quiet -O - https://www.cipherdyne.org/cgi-bin/myip') as: 80.165.213.40
SPA Field Values:
=================
   Random Value: 1798384148634396
       Username: martin
      Timestamp: 1474307656
...
 Client Timeout: 0
    Digest Type: 3 (SHA256)
      HMAC Type: 3 (SHA256)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
...
Generating SPA packet:
            protocol: udp
         source port: <OS assigned>
    destination port: 62201
             IP/host: 80.165.213.40
send_spa_packet: bytes sent: 225



On the router (fwknopd-server) this happens (I can see these messages, as I have a terminal window where I'm logged into the router, through the LAN and I'm running fwknopd in the foreground - I can see it accepted the SPA Packet, so far, so good, thanks, Mike!):
[+] candidate SPA packet payload:
....
(stanza #1) SPA Packet from IP: 178.161.214.215 received with access source match SPA Packet: '9WrlBYh6LyJC3XFgs3l+covfyY8Vrg+iBhbJ1m511UHcF12iyaHR79AxyeV02ejvpUP5ZnIlAss1ftKOSslTAVbzEmNSmc10nbieGtOeHOGyax8OB/Et/NUo36gimDcnglgyCCEZhR+H08WA413QJU1ankHaldjVF5u07NPCI4u8ATspMUCExcvQ0NsRLJ9jEqxsjwVKj9AOyx74r2q6fNIxjlGYCu1/w'
[178.161.214.215] (stanza #1) SPA Decode (res=0):
SPA Field Values:
...
   Message Type: 1 (Access msg)
 Message String: 178.161.214.215,tcp/22
     Nat Access: <NULL>
    Server Auth: <NULL>
 Client Timeout: 0
    Digest Type: 3 (SHA256)
      HMAC Type: 3 (SHA256)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
...
[178.161.214.215] (stanza #1) Running CMD_CYCLE_OPEN command: /opt/sbin/iptables -I INPUT 1 -p 6 -s 178.161.214.215 -d 22 -j ACCEPT run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -I INPUT 1 -p 6 -s 178.161.214.215 -d 22 -j ACCEPT
run_extcmd(): returning 0, pid_status: 0
[178.161.214.215] (stanza #1) Running CMD_CYCLE_CLOSE command in 30 seconds: /opt/sbin/iptables -D INPUT -p 6 -s 178.161.214.215 -d 22 -j ACCEPT
pcap_dispatch() processed: 1 packets
...


But.... Then I try ssh wrt54g@80.165.213.40, and nothing happens... I try nmap and it says "filtered":

[martin@HPpc ~]$ nmap -Pn -sV -p 22 80.165.213.40

Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-19 20:12 CEST
Nmap scan report for x1-6-14-dd-a9-cb-40-40.cpe.webspeed.dk (80.165.213.40)
Host is up.
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh


So I'm not completely sure what I need to do more...? Did I make a mistake anywhere? I must have made a mistake... I want to ssh into the router from outside, but maybe I need to ssh into a machine behind the router instead (e.g. 192.168.1.155 or whatever machine I have behind?)???

What's the difference in setup, if I want to ssh into the router compared to if I want to ssh into a machine behind the router, anyway? A noob question, yes, but I think I only need a small push in the right direction, before it works!

Hoping for a little help, to get into the LAN, from the WAN-side of my router... Thanks a lot!



Br,
Martin

------------------------------------------------------------------------------
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss

Reply via email to