It may be that the ssh daemon is bound to the internal IP address/device.
This would cause the ssh connections to be rejected even though the
firewall is not blocking them.

On Mon, Sep 19, 2016, 1:26 PM newsboost <newsbo...@gmail.com> wrote:

> On 09/19/2016 03:13 AM, fwknop-discuss-requ...@lists.sourceforge.net wrote:
>
> Date: Sun, 18 Sep 2016 21:13:46 -0400
> From: Michael Rash <michael.r...@gmail.com>
> Subject: Re: [Fwknop-discuss] noob - cannot figure out errors (e.g.
>       "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v"
> To: fwknop-discuss@lists.sourceforge.net
> Message-ID: <caa9wn8m+boqhp3fzyx7hyidymq7fy5x9fr_czsm8cbmoexk...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> On Sun, Sep 18, 2016 at 8:26 PM, newsboost <newsbo...@gmail.com> wrote:
>
> > # fwknopd --version
> > fwknopd server 2.6.9, compiled for firewall bin: /opt/sbin/iptables
> > ----------
> >
> > And below are the error messages - the output, when I try to run fwknopd
> > on my Asus router:
>
> From the output below, the reason fwknopd is exiting is because it is
> looking for the iptables 'comment' match, and it does not appear to be
> available. This is somewhat common on routers since Linux distributions
> designed to work there tend to reduce the features they compile in. There
>
> Ok, thanks a lot, Michael! That is a really qualified answer, I had
> absolutely no idea what was the problem, although I suspected that the
> router's iptables-version was a "downgraded" version of what I imagine is
> normally shipped with modern linux-iptables versions...
>
> is a solution though - just run the command open/close cycle feature in
> fwknop-2.6.9. This way, fwknopd keeps track of the timing for rule
> expiration itself instead of using the 'comment' match.
>
> I don't know (nor understand) anything about this, but I'm very happy you
> provided the solution:
>
> To get this working, change your /etc/fwknop/access.conf file to add the
> following lines to the stanza that defines your encryption/HMAC keys:
>
> CMD_CYCLE_OPEN         /opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP -d $PORT -j ACCEPT
>
> CMD_CYCLE_CLOSE        /opt/sbin/iptables -D INPUT -p $PROTO -s $IP -d $PORT -j ACCEPT
>
> CMD_CYCLE_TIMER        30
>
> Please let me know if there are any issues.
>
> Thanks,
>
> --Mike
>
>
> It's incredible, I feel I'm almost there (but unfortunately not yet)...
> Here's what I see or have done or figured out:
>
> I have this file on my client pc (I anonymized some details a bit):
>
>
> [martin@HPpc ~]$ cat .fwknoprc
> [default]
>
> [80.165.213.40]
> ACCESS                      tcp/22
> SPA_SERVER                  80.165.213.40
> KEY_BASE64                  gi+z3HrZMUKtpIps/BOS08qYuGyzaAbIjZObv8+MIAc=
> HMAC_KEY_BASE64             JEbuMIaJewr5Q+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pElmSoNSOKMBtroDHRqg==
> USE_HMAC                    Y
> VERBOSE                     Y
> RESOLVE_IP_HTTPS            Y
>
>
> On the router (fwknopd-server), I have this "access.conf" (everything else
> is commented out, thanks a lot for the "CMD_CYCLE"-commands, they really
> help!):
>
> OPEN_PORTS          tcp/22
> SOURCE              ANY
> KEY_BASE64          gi+z3HrZMUKtpIps/BOS08qYuGyzaAbIjZObv8+MIAc=
> HMAC_KEY_BASE64     JEbuMIaJewr5Q+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pElmSoNSOKMBtroDHRqg==
> CMD_CYCLE_OPEN      /opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP -d $PORT -j ACCEPT
> CMD_CYCLE_CLOSE     /opt/sbin/iptables -D INPUT -p $PROTO -s $IP -d $PORT -j ACCEPT
> CMD_CYCLE_TIMER     30
>
>
> And this "fwknopd.conf" (everything else is commented out):
> VERBOSE                3;
> PCAP_INTF              eth0;
> PCAP_FILTER            udp dst portrange 10000-65535;
>
>
> I tested by ssh'ing into the router, through the LAN and ran "fwknopd -f
> -v" on the router through the LAN, so I could see the messages in the
> front. On my client (same pc) as root in one terminal window, I ran an
> openvpn-connection to get an external IP address other than the WAN-side of
> my router. Then I tried nmap using different combinations, but it didn't
> work out. I ran the fwknop-client like this (so it looked into the details
> in the ~/.fwknoprc - below I have "80.165.213.40" as my fwknop-server
> IP-address or WAN-side of my router and my OpenVPN connection gives me the
> external IP address "178.161.214.215" in extra terminal windows, from which
> I later try to ssh into the WAN-side of my router, trying to get into the
> local network, my own LAN, i.e. 192.168.XXX.XXX/24...):
>
> [martin@HPpc ~]$ fwknop -v -R --rc-file .fwknoprc -n 80.165.213.40
> [+] Resolved external IP (via '/usr/bin/wget -U Fwknop/2.6.9 --secure-protocol=auto --quiet -O - https://www.cipherdyne.org/cgi-bin/myip') as: 80.165.213.40
> SPA Field Values:
> =================
>    Random Value: 1798384148634396
>        Username: martin
>       Timestamp: 1474307656
> ...
>  Client Timeout: 0
>     Digest Type: 3 (SHA256)
>       HMAC Type: 3 (SHA256)
> Encryption Type: 1 (Rijndael)
> Encryption Mode: 2 (CBC)
> ...
> Generating SPA packet:
>             protocol: udp
>          source port: <OS assigned>
>     destination port: 62201
>              IP/host: 80.165.213.40
> send_spa_packet: bytes sent: 225
>
>
>
> On the router (fwknopd-server) this happens (I can see these messages, as
> I have a terminal window where I'm logged into the router, through the LAN
> and I'm running fwknopd in the foreground - I can see it accepted the SPA
> Packet, so far, so good, thanks, Mike!):
> [+] candidate SPA packet payload:
> ....
> (stanza #1) SPA Packet from IP: 178.161.214.215 received with access
> source match
> SPA Packet:
> '9WrlBYh6LyJC3XFgs3l+covfyY8Vrg+iBhbJ1m511UHcF12iyaHR79AxyeV02ejvpUP5ZnIlAss1ftKOSslTAVbzEmNSmc10nbieGtOeHOGyax8OB/Et/NUo36gimDcnglgyCCEZhR+H08WA413QJU1ankHaldjVF5u07NPCI4u8ATspMUCExcvQ0NsRLJ9jEqxsjwVKj9AOyx74r2q6fNIxjlGYCu1/w'
> [178.161.214.215] (stanza #1) SPA Decode (res=0):
> SPA Field Values:
> ...
>    Message Type: 1 (Access msg)
>  Message String: 178.161.214.215,tcp/22
>      Nat Access: <NULL>
>     Server Auth: <NULL>
>  Client Timeout: 0
>     Digest Type: 3 (SHA256)
>       HMAC Type: 3 (SHA256)
> Encryption Type: 1 (Rijndael)
> Encryption Mode: 2 (CBC)
> ...
> [178.161.214.215] (stanza #1) Running CMD_CYCLE_OPEN command: /opt/sbin/iptables -I INPUT 1 -p 6 -s 178.161.214.215 -d 22 -j ACCEPT
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -I INPUT 1 -p 6 -s 178.161.214.215 -d 22 -j ACCEPT
> run_extcmd(): returning 0, pid_status: 0
> [178.161.214.215] (stanza #1) Running CMD_CYCLE_CLOSE command in 30 seconds: /opt/sbin/iptables -D INPUT -p 6 -s 178.161.214.215 -d 22 -j ACCEPT
> pcap_dispatch() processed: 1 packets
> ...
>
>
> But.... Then I try ssh wrt54g@80.165.213.40, and nothing happens... I try
> nmap and it says "filtered":
>
> [martin@HPpc ~]$ nmap -Pn -sV -p 22 80.165.213.40
>
> Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-19 20:12 CEST
> Nmap scan report for x1-6-14-dd-a9-cb-40-40.cpe.webspeed.dk (80.165.213.40)
> Host is up.
> PORT   STATE    SERVICE VERSION
> 22/tcp filtered ssh
>
>
> So I'm not completely sure what I need to do more...? Did I make a mistake
> anywhere? I must have made a mistake... I want to ssh into the router from
> outside, but maybe I need to ssh into a machine behind the router instead
> (e.g. 192.168.1.155 or whatever machine I have behind?)???
>
> What's the difference in setup, if I want to ssh into the router compared
> to if I want to ssh into a machine behind the router, anyway? A noob
> question, yes, but I think I only need a small push in the right direction,
> before it works!
>
> Hoping for a little help, to get into the LAN, from the WAN-side of my
> router... Thanks a lot!
>
>
>
> Br,
> Martin
>
>
------------------------------------------------------------------------------
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
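An added check, not part of any message in this thread, prompted by the rendered command in the fwknopd log above (`... -p 6 -s 178.161.214.215 -d 22 -j ACCEPT`): in iptables `-d` takes a destination address, while a destination port needs `--dport`, so the rule as rendered does not match tcp/22 at all. The POSIX shell below performs the `$PROTO`/`$IP`/`$PORT` substitution fwknopd applies to a CMD_CYCLE_OPEN template and lints the result; the `--dport` template is my suggested correction, not one from the thread, and nothing here invokes iptables.

```shell
#!/bin/sh
# Added example, not from the fwknop thread: render a fwknopd CMD_CYCLE_*
# template (substituting $PROTO, $IP, $PORT as fwknopd does) and lint the
# result. iptables is never called; only the command string is inspected.

# Template exactly as posted in the thread, and a corrected variant that
# matches a destination PORT (--dport) instead of a destination ADDRESS (-d).
# The corrected template is my suggestion, not the thread's.
OPEN_AS_POSTED='/opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP -d $PORT -j ACCEPT'
OPEN_CORRECTED='/opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP --dport $PORT -j ACCEPT'

# render TEMPLATE PROTO IP PORT: fwknopd passes the protocol as a number
# (6 = tcp), as the log shows. '|' is the sed delimiter so CIDR IPs are safe.
render() {
    printf '%s\n' "$1" | sed -e "s|[\$]PROTO|$2|g" -e "s|[\$]IP|$3|g" -e "s|[\$]PORT|$4|g"
}

# lint_rule RULE: returns 0 when the rule carries a --dport/--sport match and
# no bare number was handed to -s/-d (iptables parses such a value as an
# address, never as a port). Runs in a subshell so set -f stays local.
lint_rule() (
    set -f            # no glob expansion while word-splitting the rule
    set -- $1
    has_port_match=1
    while [ $# -gt 0 ]; do
        case "$1" in
            -s|-d|--source|--destination)
                case "$2" in
                    *[!0-9]*) ;;  # dotted quad, CIDR or hostname: an address, fine
                    *) echo "lint: bare number '$2' given to $1 (address, not port)" >&2
                       return 1 ;;
                esac
                shift 2 ;;
            --dport|--sport) has_port_match=0; shift 2 ;;
            *) shift ;;
        esac
    done
    [ "$has_port_match" -eq 0 ] || echo "lint: no --dport/--sport in rule" >&2
    return "$has_port_match"
)

# Stand-alone run: show both renderings with their verdicts, using the
# values from the thread's log (proto 6, source 178.161.214.215, port 22).
for tpl in "$OPEN_AS_POSTED" "$OPEN_CORRECTED"; do
    rule=$(render "$tpl" 6 178.161.214.215 22)
    if lint_rule "$rule"; then echo "OK   $rule"; else echo "BAD  $rule"; fi
done
```

On the router itself, `iptables -L INPUT -n` during the 30 s CMD_CYCLE_TIMER window shows whether the inserted rule carries a `dpt:22` match or only a destination address.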
