It may be that the ssh daemon is bound to the internal ip address/device. This would cause the ssh connections to be rejected even though the firewall is not blocking them.
On Mon, Sep 19, 2016, 1:26 PM newsboost <newsbo...@gmail.com> wrote:

> On 09/19/2016 03:13 AM, fwknop-discuss-requ...@lists.sourceforge.net wrote:
> > Date: Sun, 18 Sep 2016 21:13:46 -0400
> > From: Michael Rash <michael.r...@gmail.com>
> > Subject: Re: [Fwknop-discuss] noob - cannot figure out errors (e.g.
> > "Couldn't load target `FWKNOP_INPUT'") when running "fwknopd -f -v"
> > To: "fwknop-discuss@lists.sourceforge.net" <fwknop-discuss@lists.sourceforge.net>
> > Message-ID: <caa9wn8m+boqhp3fzyx7hyidymq7fy5x9fr_czsm8cbmoexk...@mail.gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > On Sun, Sep 18, 2016 at 8:26 PM, newsboost <newsbo...@gmail.com> wrote:
> > > # fwknopd --version
> > > fwknopd server 2.6.9, compiled for firewall bin: /opt/sbin/iptables
> > > ----------
> > > And below are the error messages - the output, when I try to run fwknopd
> > > on my Asus router:
> >
> > From the output below, the reason fwknopd is exiting is because it is
> > looking for the iptables 'comment' match, and it does not appear to be
> > available. This is somewhat common on routers since Linux distributions
> > designed to work there tend to reduce the features they compile in. There
>
> Ok, thanks a lot, Michael! That is a really qualified answer, I had
> absolutely no idea what was the problem, although I suspected that the
> router's iptables-version was a "downgraded" version of what I imagine is
> normally shipped with modern linux-iptables versions...
>
> > is a solution though - just run the command open/close cycle feature in
> > fwknop-2.6.9. This way, fwknopd keeps track of the timing for rule
> > expiration itself instead of using the 'comment' match.
>
> I don't know (nor understand) anything about this, but I'm very happy you
> provided the solution:
>
> > To get this working, change your /etc/fwknop/access.conf file to add the
> > following lines to the stanza that defines your encryption/HMAC keys:
> >
> > CMD_CYCLE_OPEN /opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP -d $PORT -j ACCEPT
> > CMD_CYCLE_CLOSE /opt/sbin/iptables -D INPUT -p $PROTO -s $IP -d $PORT -j ACCEPT
> > CMD_CYCLE_TIMER 30
> >
> > Please let me know if there are any issues.
> >
> > Thanks,
> >
> > --Mike
>
> It's incredible, I feel I'm almost there (but unfortunately not yet)...
> Here's what I see or have done or figured out:
>
> I have this file on my client pc (I anonymized some details a bit):
>
> [martin@HPpc ~]$ cat .fwknoprc
> [default]
>
> [80.165.213.40]
> ACCESS tcp/22
> SPA_SERVER 80.165.213.40
> KEY_BASE64 gi+z3HrZMUKtpIps/BOS08qYuGyzaAbIjZObv8+MIAc=
> HMAC_KEY_BASE64 JEbuMIaJewr5Q+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pElmSoNSOKMBtroDHRqg==
> USE_HMAC Y
> VERBOSE Y
> RESOLVE_IP_HTTPS Y
>
> On the router (fwknopd-server), I have this "access.conf" (everything else
> is commented out; thanks a lot for the "CMD_CYCLE" commands, they really
> help!):
>
> OPEN_PORTS tcp/22
> SOURCE ANY
> KEY_BASE64 gi+z3HrZMUKtpIps/BOS08qYuGyzaAbIjZObv8+MIAc=
> HMAC_KEY_BASE64 JEbuMIaJewr5Q+itntH8YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ6pElmSoNSOKMBtroDHRqg==
> CMD_CYCLE_OPEN /opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP -d $PORT -j ACCEPT
> CMD_CYCLE_CLOSE /opt/sbin/iptables -D INPUT -p $PROTO -s $IP -d $PORT -j ACCEPT
> CMD_CYCLE_TIMER 30
>
> And this "fwknopd.conf" (everything else is commented out):
>
> VERBOSE 3;
> PCAP_INTF eth0;
> PCAP_FILTER udp dst portrange 10000-65535;
>
> I tested by ssh'ing into the router through the LAN and ran "fwknopd -f -v"
> on the router through the LAN, so I could see the messages in the front.
>
> On my client (same pc) as root in one terminal window, I ran an
> openvpn-connection to get another external IP address than the WAN-side of
> my router. Then I tried nmap using different combinations, but it didn't
> work out. I ran the fwknop-client like this (so it looked into the details
> in the ~/.fwknoprc - below I have "80.165.213.40" as my fwknop-server
> IP-address or WAN-side of my router and my OpenVPN connection gives me the
> external IP address "178.161.214.215" in extra terminal windows, from which
> I later try to ssh into the WAN-side of my router, trying to get into the
> local network, my own LAN, i.e. 192.168.XXX.XXX/24...):
>
> [martin@HPpc ~]$ fwknop -v -R --rc-file .fwknoprc -n 80.165.213.40
> [+] Resolved external IP (via '/usr/bin/wget -U Fwknop/2.6.9 --secure-protocol=auto --quiet -O - https://www.cipherdyne.org/cgi-bin/myip') as: 80.165.213.40
> SPA Field Values:
> =================
> Random Value: 1798384148634396
> Username: martin
> Timestamp: 1474307656
> ...
> Client Timeout: 0
> Digest Type: 3 (SHA256)
> HMAC Type: 3 (SHA256)
> Encryption Type: 1 (Rijndael)
> Encryption Mode: 2 (CBC)
> ...
> Generating SPA packet:
> protocol: udp
> source port: <OS assigned>
> destination port: 62201
> IP/host: 80.165.213.40
> send_spa_packet: bytes sent: 225
>
> On the router (fwknopd-server) this happens (I can see these messages, as
> I have a terminal window where I'm logged into the router through the LAN
> and I'm running fwknopd in the foreground - I can see it accepted the SPA
> packet, so far, so good, thanks, Mike!):
>
> [+] candidate SPA packet payload:
> ....
> (stanza #1) SPA Packet from IP: 178.161.214.215 received with access source match
> SPA Packet: '9WrlBYh6LyJC3XFgs3l+covfyY8Vrg+iBhbJ1m511UHcF12iyaHR79AxyeV02ejvpUP5ZnIlAss1ftKOSslTAVbzEmNSmc10nbieGtOeHOGyax8OB/Et/NUo36gimDcnglgyCCEZhR+H08WA413QJU1ankHaldjVF5u07NPCI4u8ATspMUCExcvQ0NsRLJ9jEqxsjwVKj9AOyx74r2q6fNIxjlGYCu1/w'
> [178.161.214.215] (stanza #1) SPA Decode (res=0):
> SPA Field Values:
> ...
> Message Type: 1 (Access msg)
> Message String: 178.161.214.215,tcp/22
> Nat Access: <NULL>
> Server Auth: <NULL>
> Client Timeout: 0
> Digest Type: 3 (SHA256)
> HMAC Type: 3 (SHA256)
> Encryption Type: 1 (Rijndael)
> Encryption Mode: 2 (CBC)
> ...
> [178.161.214.215] (stanza #1) Running CMD_CYCLE_OPEN command: /opt/sbin/iptables -I INPUT 1 -p 6 -s 178.161.214.215 -d 22 -j ACCEPT
> run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -I INPUT 1 -p 6 -s 178.161.214.215 -d 22 -j ACCEPT
> run_extcmd(): returning 0, pid_status: 0
> [178.161.214.215] (stanza #1) Running CMD_CYCLE_CLOSE command in 30 seconds: /opt/sbin/iptables -D INPUT -p 6 -s 178.161.214.215 -d 22 -j ACCEPT
> pcap_dispatch() processed: 1 packets
> ...
>
> But.... Then I try ssh wrt54g@80.165.213.40, and nothing happens... I try
> nmap and it says "filtered":
>
> [martin@HPpc ~]$ nmap -Pn -sV -p 22 80.165.213.40
>
> Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-19 20:12 CEST
> Nmap scan report for x1-6-14-dd-a9-cb-40-40.cpe.webspeed.dk (80.165.213.40)
> Host is up.
> PORT   STATE    SERVICE VERSION
> 22/tcp filtered ssh
>
> So I'm not completely sure what I need to do more...? Did I make a mistake
> anywhere? I must have made a mistake... I want to ssh into the router from
> outside, but maybe I need to ssh into a machine behind the router instead
> (e.g. 192.168.1.155 or whatever machine I have behind?)???
>
> What's the difference in setup, if I want to ssh into the router compared
> to if I want to ssh into a machine behind the router, anyway? A noob
> question, yes, but I think I only need a small push in the right direction,
> before it works!
>
> Hoping for a little help, to get into the LAN, from the WAN-side of my
> router... Thanks a lot!
>
> Br,
> Martin
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Fwknop-discuss mailing list
> Fwknop-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
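Added example, not code from the thread or from the fwknop project: a small POSIX sh check that expands a CMD_CYCLE_OPEN template the way the quoted fwknopd log shows it expanded (tcp becomes protocol number 6, $IP the SPA source, $PORT the requested port) and then lints the resulting iptables command. In iptables, `-d` is the destination address match and `--dport` is the destination port match, so a template written as `-d $PORT` inserts a rule that never matches traffic to port 22 even though iptables exits 0; the function names and the tcp/udp number mapping are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the fwknop project): expand an fwknopd
# CMD_CYCLE_OPEN template as the quoted fwknopd log shows it expanded, then
# lint the resulting iptables command before trusting it to open the port.
# Function names and the tcp->6 / udp->17 mapping are assumptions taken from
# the "-p 6" seen in the quoted log, not fwknopd's own code.

# Protocol name from an OPEN_PORTS/ACCESS entry -> number substituted for $PROTO.
proto_num() {
    case "$1" in
        tcp|6)  echo 6 ;;
        udp|17) echo 17 ;;
        *)      echo "unknown protocol: $1" >&2; return 1 ;;
    esac
}

# expand_cycle_cmd TEMPLATE PROTO IP PORT -> the command line fwknopd would run.
expand_cycle_cmd() {
    _proto=$(proto_num "$2") || return 1
    printf '%s\n' "$1" | sed -e 's/\$PROTO/'"$_proto"'/g' \
                             -e 's/\$IP/'"$3"'/g' \
                             -e 's/\$PORT/'"$4"'/g'
}

# lint_cycle_cmd CMD -> 0 if the rule matches on a destination *port* (--dport),
# 1 otherwise. iptables treats the argument of -d/--destination as a host or
# network, never as a port, and it still exits 0 for "-d 22", which is why the
# log's "run_extcmd(): returning 0" alone does not prove the port was opened.
lint_cycle_cmd() {
    case " $1 " in *" --dport "*) return 0 ;; esac
    _dst=$(printf '%s\n' "$1" | sed -n 's/.* -d \([^ ]*\).*/\1/p')
    case "$_dst" in
        ""|*[!0-9]*) echo "WARNING: no --dport match in: $1" >&2 ;;
        *) echo "WARNING: '-d $_dst' is an ADDRESS match, not port $_dst; use --dport $_dst" >&2 ;;
    esac
    return 1
}

# Demo with the template and values from the quoted log (constructed input).
TEMPLATE='/opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP -d $PORT -j ACCEPT'
FIXED='/opt/sbin/iptables -I INPUT 1 -p $PROTO -s $IP --dport $PORT -j ACCEPT'
for t in "$TEMPLATE" "$FIXED"; do
    cmd=$(expand_cycle_cmd "$t" tcp 178.161.214.215 22)
    echo "expanded: $cmd"
    lint_cycle_cmd "$cmd" && echo "ok: rule matches the destination port"
done
```

The same lint applies to the CMD_CYCLE_CLOSE template, since `-D` must name exactly the rule that `-I` inserted.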
------------------------------------------------------------------------------
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss