On 09/19/2016 03:13 AM, fwknop-discuss-requ...@lists.sourceforge.net wrote:
> Date: Sun, 18 Sep 2016 21:13:46 -0400
> From: Michael Rash <michael.r...@gmail.com>
> Subject: Re: [Fwknop-discuss] noob - cannot figure out errors (e.g. "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v"
> To: "fwknop-discuss@lists.sourceforge.net" <fwknop-discuss@lists.sourceforge.net>
> Message-ID: <caa9wn8m+boqhp3fzyx7hyidymq7fy5x9fr_czsm8cbmoexk...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> On Sun, Sep 18, 2016 at 8:26 PM, newsboost <newsbo...@gmail.com> wrote:
>> # fwknopd --version
>> fwknopd server 2.6.9, compiled for firewall bin: /opt/sbin/iptables
>> ----------
>>
>> And below is the error messages - the output, when I try to run fwknopd
>> on my Asus router:
>
> From the output below, the reason fwknopd is exiting is because it is
> looking for the iptables 'comment' match, and it does not appear to be
> available. This is somewhat common on routers since Linux distributions
> designed to work there tend to reduce the features they compile in. There
> is a solution though - just run the command open/close cycle feature in
> fwknop-2.6.9. This way, fwknopd keeps track of the timing for rule
> expiration itself instead of using the 'comment' match.

Ok, thanks a lot, Michael! That is a really qualified answer, I had
absolutely no idea what the problem was, although I suspected that the
router's iptables version was a "downgraded" version of what I imagine
is normally shipped with modern Linux iptables versions...
I don't know (nor understand) anything about this, but I'm very happy
you provided the solution:

> To get this working, change your /etc/fwknop/access.conf file to add the
> following lines to the stanza that defines your encryption/HMAC keys:
>
> CMD_CYCLE_OPEN /opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP -d $PORT -j ACCEPT
> CMD_CYCLE_CLOSE /opt/sbin/iptables -D INPUT -p $PROTO -s $IP -d $PORT -j ACCEPT
> CMD_CYCLE_TIMER 30
>
> Please let me know if there are any issues.
>
> Thanks,
>
> --Mike
It's incredible, I feel I'm almost there (but unfortunately not yet)...
Here's what I see or have done or figured out:
I have this file on my client pc (I anonymized some details a bit):
[martin@HPpc ~]$ cat .fwknoprc
[default]
[80.165.213.40]
ACCESS tcp/22
SPA_SERVER 80.165.213.40
KEY_BASE64 gi+z3HrZMUKtpIps/BOS08qYuGyzaAbIjZObv8+MIAc=
HMAC_KEY_BASE64 JEbuMIaJewr5Q+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pElmSoNSOKMBtroDHRqg==
USE_HMAC Y
VERBOSE Y
RESOLVE_IP_HTTPS Y
On the router (fwknopd-server), I have this "access.conf" (everything
else is commented out, thanks a lot for the "CMD_CYCLE" commands, they
really help!):
OPEN_PORTS tcp/22
SOURCE ANY
KEY_BASE64 gi+z3HrZMUKtpIps/BOS08qYuGyzaAbIjZObv8+MIAc=
HMAC_KEY_BASE64 JEbuMIaJewr5Q+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pElmSoNSOKMBtroDHRqg==
CMD_CYCLE_OPEN /opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP -d $PORT -j ACCEPT
CMD_CYCLE_CLOSE /opt/sbin/iptables -D INPUT -p $PROTO -s $IP -d $PORT -j ACCEPT
CMD_CYCLE_TIMER 30
And this "fwknopd.conf" (everything else is commented out):
VERBOSE 3;
PCAP_INTF eth0;
PCAP_FILTER udp dst portrange 10000-65535;
I tested by ssh'ing into the router through the LAN and ran "fwknopd
-f -v" on the router, so I could see the messages in the front. On my
client (same pc) as root in one terminal window, I ran an openvpn
connection to get another external IP address than the WAN side of my
router. Then I tried nmap using different combinations, but it didn't
work out. I ran the fwknop-client like this (so it looked into the
details in the ~/.fwknoprc - below I have "80.165.213.40" as my
fwknop-server IP address or WAN side of my router, and my OpenVPN
connection gives me the external IP address "178.161.214.215" in extra
terminal windows, from which I later try to ssh into the WAN side of my
router, trying to get into the local network, my own LAN, i.e.
192.168.XXX.XXX/24...):
[martin@HPpc ~]$ fwknop -v -R --rc-file .fwknoprc -n 80.165.213.40
[+] Resolved external IP (via '/usr/bin/wget -U Fwknop/2.6.9 --secure-protocol=auto --quiet -O - https://www.cipherdyne.org/cgi-bin/myip') as: 80.165.213.40
SPA Field Values:
=================
Random Value: 1798384148634396
Username: martin
Timestamp: 1474307656
...
Client Timeout: 0
Digest Type: 3 (SHA256)
HMAC Type: 3 (SHA256)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
...
Generating SPA packet:
protocol: udp
source port: <OS assigned>
destination port: 62201
IP/host: 80.165.213.40
send_spa_packet: bytes sent: 225
On the router (fwknopd-server) this happens (I can see these messages,
as I have a terminal window where I'm logged into the router, through
the LAN and I'm running fwknopd in the foreground - I can see it
accepted the SPA Packet, so far, so good, thanks, Mike!):
[+] candidate SPA packet payload:
....
(stanza #1) SPA Packet from IP: 178.161.214.215 received with access
source match
SPA Packet:
'9WrlBYh6LyJC3XFgs3l+covfyY8Vrg+iBhbJ1m511UHcF12iyaHR79AxyeV02ejvpUP5ZnIlAss1ftKOSslTAVbzEmNSmc10nbieGtOeHOGyax8OB/Et/NUo36gimDcnglgyCCEZhR+H08WA413QJU1ankHaldjVF5u07NPCI4u8ATspMUCExcvQ0NsRLJ9jEqxsjwVKj9AOyx74r2q6fNIxjlGYCu1/w'
[178.161.214.215] (stanza #1) SPA Decode (res=0):
SPA Field Values:
...
Message Type: 1 (Access msg)
Message String: 178.161.214.215,tcp/22
Nat Access: <NULL>
Server Auth: <NULL>
Client Timeout: 0
Digest Type: 3 (SHA256)
HMAC Type: 3 (SHA256)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
...
[178.161.214.215] (stanza #1) Running CMD_CYCLE_OPEN command: /opt/sbin/iptables -I INPUT 1 -p 6 -s 178.161.214.215 -d 22 -j ACCEPT
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -I INPUT 1 -p 6 -s 178.161.214.215 -d 22 -j ACCEPT
run_extcmd(): returning 0, pid_status: 0
[178.161.214.215] (stanza #1) Running CMD_CYCLE_CLOSE command in 30 seconds: /opt/sbin/iptables -D INPUT -p 6 -s 178.161.214.215 -d 22 -j ACCEPT
pcap_dispatch() processed: 1 packets
...
But.... Then I try ssh wrt54g@80.165.213.40, and nothing happens... I
try nmap and it says "filtered":
[martin@HPpc ~]$ nmap -Pn -sV -p 22 80.165.213.40
Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-19 20:12 CEST
Nmap scan report for x1-6-14-dd-a9-cb-40-40.cpe.webspeed.dk (80.165.213.40)
Host is up.
PORT STATE SERVICE VERSION
22/tcp filtered ssh
So I'm not completely sure what I need to do more...? Did I make a
mistake anywhere? I must have made a mistake... I want to ssh into the
router from outside, but maybe I need to ssh into a machine behind the
router instead (e.g. 192.168.1.155 or whatever machine I have behind?)???
What's the difference in setup, if I want to ssh into the router
compared to if I want to ssh into a machine behind the router, anyway? A
noob question, yes, but I think I only need a small push in the right
direction, before it works!
Hoping for a little help, to get into the LAN, from the WAN-side of my
router... Thanks a lot!
Br,
Martin
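As an added check (not code from this thread or from fwknop itself), the script below expands a CMD_CYCLE template the way the fwknopd log above shows ($PROTO arrives as the protocol number 6, $IP and $PORT as given), then lints the resulting iptables command: `-d` and `-s` are address matches, so `-d 22` does not match port 22; a port match is `--dport` and is only valid together with `-p`. It also confirms that the CLOSE rule carries the same match specification as the OPEN rule, since `iptables -D` only deletes a rule whose spec is identical. The `--dport` templates are my own variants, not from the thread, and `expand_cycle_cmd` is a simplified stand-in for fwknopd's substitution.

```python
import shlex

# Constructed from the thread: the templates suggested there, plus a variant of
# my own that matches the port with --dport instead of passing it to -d.
OPEN_AS_POSTED = "/opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP -d $PORT -j ACCEPT"
OPEN_PORT_MATCH = "/opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP --dport $PORT -j ACCEPT"
CLOSE_PORT_MATCH = "/opt/sbin/iptables -D INPUT -p $PROTO -s $IP --dport $PORT -j ACCEPT"

def expand_cycle_cmd(template, proto, ip, port):
    """Substitute $PROTO/$IP/$PORT; simplified stand-in for fwknopd's own
    expansion (the log shows $PROTO arriving as the protocol number, 6 = tcp)."""
    return (template.replace("$PROTO", str(proto))
                    .replace("$IP", ip)
                    .replace("$PORT", str(port)))

def lint_iptables_cmd(cmd, port):
    """Problems with an expanded rule meant to open one port: -d/-s take
    addresses, so '-d 22' is not port 22; a port match is --dport and needs -p."""
    argv, port, problems = shlex.split(cmd), str(port), []
    for flag, val in zip(argv, argv[1:]):
        if flag in ("-d", "--destination", "-s", "--source") and val == port:
            problems.append(f"'{flag} {val}' is an address match, not a port match")
    if "--dport" not in argv:
        problems.append("no --dport match, so the rule is not port-specific")
    elif "-p" not in argv and "--protocol" not in argv:
        problems.append("--dport requires -p <proto>")
    return problems

def rule_spec(cmd):
    """Drop the -I CHAIN [num] / -A CHAIN / -D CHAIN operation so OPEN and
    CLOSE can be compared: 'iptables -D' only deletes an identical rule spec."""
    argv, spec, i = shlex.split(cmd), [], 0
    while i < len(argv):
        if argv[i] in ("-I", "-A", "-D"):
            i += 2                                  # skip the flag and the chain
            if argv[i - 2] == "-I" and i < len(argv) and argv[i].isdigit():
                i += 1                              # skip the insert position
            continue
        spec.append(argv[i])
        i += 1
    return spec

def close_matches_open(open_tmpl, close_tmpl, proto, ip, port):
    """True when CMD_CYCLE_CLOSE will delete exactly what CMD_CYCLE_OPEN added."""
    return (rule_spec(expand_cycle_cmd(open_tmpl, proto, ip, port))
            == rule_spec(expand_cycle_cmd(close_tmpl, proto, ip, port)))
```

Running `lint_iptables_cmd` over the expanded OPEN_AS_POSTED template reproduces the exact command in the log above and flags `-d 22`, while the `--dport` variant passes clean and its CLOSE rule matches its OPEN rule.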