Linux Firewalls - Michael Rash [148]

drops all packets in the fwknop server's INPUT chain that are destined for TCP port 22. Start by configuring the fwknop.conf file with AUTH_MODE set to PCAP, make sure PCAP_INTF is set to eth0, and set the access.conf file to the following. (Note that there are no GnuPG directives, such as GPG_REMOTE_ID or GPG_DECRYPT_PW, included in this example.)

[root@spaserver ~]# cat /etc/fwknop/access.conf
SOURCE: ANY;
OPEN_PORTS: tcp/22;
REQUIRE_USERNAME: mbr;
KEY: myencryptkey;
FW_ACCESS_TIMEOUT: 30;

Use the commands below to ❶ start the fwknop server and ❷ verify that it is running. The syslog messages show that fwknopd is ready to accept SPA packets for ❸ one SOURCE block (derived from the access.conf file listed above), and that ❹ an existing disk cache of SPA packet MD5 sums has been imported; this cache is what lets fwknopd reject a replayed SPA packet even after a restart. Finally, make sure that ❺ SSHD is running on the local system.

❶ [root@spaserver ~]# /etc/init.d/fwknop start
Starting fwknop ... [ ok ]
❷ [root@spaserver ~]# /etc/init.d/fwknop status
* status: started
[root@spaserver ~]# tail /var/log/messages
Oct 17 23:59:53 spaserver fwknopd: starting fwknopd
Oct 17 23:59:53 spaserver fwknopd: flushing existing Netfilter IPT_AUTO_CHAIN chains
❸ Oct 17 23:59:53 spaserver fwknopd: imported access directives (1 SOURCE definitions)
❹ Oct 17 23:59:53 spaserver fwknopd: imported previous md5 sums from disk cache: /var/log/fwknop/md5sums
❺ [root@spaserver ~]# /etc/init.d/sshd status
* status: started

With the fwknop server up and running, you can first test whether SSHD is reachable from the fwknop client system (the nc attempt below never gets a connection, because the default-drop policy silently discards the SYN packet) and then use fwknop to gain access to it. The -A tcp/22 command-line argument at ❶ tells the fwknop server that the client wishes to access TCP port 22; the -R argument at ❷ instructs the fwknop client to automatically resolve the externally routable address from which the SPA packet will originate (this is accomplished by querying http://www.whatismyip.com, which matters when the client sits behind NAT); and the -k argument at ❸ tells the fwknop client to send the SPA packet to the spaserver host.

[mbr@spaclient ~]$ nc -v spaserver 22
[mbr@spaclient ~]$ fwknop ❶-A tcp/22 ❷-R ❸-k spaserver
[+] Starting fwknop in client mode.
[+] Resolving hostname: spaserver
Resolving external IP via: http://www.whatismyip.com/
Got external address: 204.23.X.X
[+] Enter an encryption key. This key must match a key in the file
/etc/fwknop/access.conf on the remote system.
Encryption Key:
[+] Building encrypted Single Packet Authorization (SPA) message...
[+] Packet fields:
Random data: 2282553423001461
Username: mbr
Timestamp: 1161146338
Version: 1.0
Action: 1 (access mode)
Access: 204.23.X.X,tcp/22
MD5 sum: wvWqr/qKuZdZ+xaqPO1KwA
[+] Sending 150 byte message to 71.157.X.X over udp/62201...
[mbr@spaclient ~]$ ssh spaserver
Password:
[mbr@spaserver ~]$

The last line in the listing above shows that you are now logged into the spaserver host, verifying your access to SSHD. Below, the messages written to syslog on the fwknop server tell you ❶ that fwknopd has received and decrypted the SPA packet sent by the fwknop client and found it valid, and ❷ that an ACCEPT rule has been added to allow TCP port 22 connections from the 204.23.X.X IP address for 30 seconds. At ❸ the knoptm process removes the ACCEPT rule once the timeout has elapsed. Removing the rule only blocks new connections; an SSH session established within the window stays up as long as the policy's connection-tracking rule keeps accepting ESTABLISHED traffic. (Although not displayed here, emails are also sent to the addresses defined by the EMAIL_ADDRESSES variable in fwknop.conf to inform you when fwknop grants and removes access for an SPA client.)

❶ Oct 18 00:38:58 spaserver fwknopd: received valid Rijndael encrypted packet from: 204.23.X.X, remote user: mbr
❷ Oct 18 00:38:58 spaserver fwknopd: adding FWKNOP_INPUT ACCEPT rule for 204.23.X.X -> tcp/22 (30 seconds)
❸ Oct 18 00:39:29 spaserver knoptm: removed iptables FWKNOP_INPUT ACCEPT rule for 204.23.X.X -> tcp/22, 30 second timeout exceeded
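The client-side packet fields and the server-side checks described above, as an added Python example that is not code from the book or from fwknop itself. It parses the single access.conf stanza shown earlier, builds a message carrying the fields the fwknop client prints (random data, username, timestamp, version, action, access) plus a base64-encoded MD5 sum, and has the server verify that digest, reject replays through the same kind of MD5 cache that fwknopd imports from disk at startup, enforce a timestamp window, match REQUIRE_USERNAME and OPEN_PORTS, and produce the FWKNOP_INPUT ACCEPT rule. The colon-joined field layout, the MAX_SKEW value, the 203.0.113.7 test address and the omission of Rijndael encryption are assumptions of this example, not fwknop's actual wire format.

```python
import base64
import hashlib
import ipaddress
import os
import time

# Constructed copy of the one-stanza access.conf from the page.
ACCESS_CONF = """\
SOURCE: ANY;
OPEN_PORTS: tcp/22;
REQUIRE_USERNAME: mbr;
KEY: myencryptkey;
FW_ACCESS_TIMEOUT: 30;
"""

MAX_SKEW = 120  # seconds the packet Timestamp may differ from server time (assumed value)


def parse_access_conf(text):
    """Turn 'DIRECTIVE: value;' lines into a dict for one SOURCE stanza."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip().rstrip(";").strip()
    return conf


def spa_digest(fields):
    """MD5 of the colon-joined fields, base64 without '=' padding, giving a
    22-character string like the 'MD5 sum' line on the page. The join
    format is an assumption for this example, not fwknop's message layout."""
    md5 = hashlib.md5(":".join(fields).encode()).digest()
    return base64.b64encode(md5).decode().rstrip("=")


def build_spa_message(username, access, now=None):
    """Client side: assemble the fields fwknop prints (random data, username,
    timestamp, version, action, access) and append the digest. Rijndael
    encryption with the shared KEY is deliberately left out of this example."""
    random_data = "%016d" % (int.from_bytes(os.urandom(8), "big") % 10**16)
    timestamp = str(int(time.time() if now is None else now))
    fields = [random_data, username, timestamp, "1.0", "1", access]
    return ":".join(fields + [spa_digest(fields)])


def source_permitted(conf, src_ip):
    """SOURCE is ANY or a comma-separated list of addresses/CIDR blocks."""
    if conf.get("SOURCE", "ANY") == "ANY":
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net.strip(), strict=False)
               for net in conf["SOURCE"].split(","))


def validate_spa(message, conf, seen_digests, src_ip, now=None):
    """Server side. Returns (accepted, reason, iptables_rule). On success the
    digest is recorded so the identical packet can never be replayed, which
    is the role of the md5sums disk cache fwknopd imports at startup."""
    parts = message.split(":")
    if len(parts) != 7:
        return False, "malformed message", None
    random_data, user, timestamp, version, action, access, digest = parts
    if spa_digest(parts[:6]) != digest:
        return False, "MD5 sum does not match fields", None
    if digest in seen_digests:
        return False, "replay: MD5 sum already seen", None
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > MAX_SKEW:
        return False, "timestamp outside allowed window", None
    if action != "1":
        return False, "not an access-mode packet", None
    if not source_permitted(conf, src_ip):
        return False, "source address not in SOURCE", None
    want_user = conf.get("REQUIRE_USERNAME")
    if want_user and user != want_user:
        return False, "username %r not permitted" % user, None
    allow_ip, _, proto_port = access.partition(",")
    opened = [p.strip() for p in conf["OPEN_PORTS"].split(",")]
    if proto_port not in opened:
        return False, "%s not in OPEN_PORTS" % proto_port, None
    proto, _, port = proto_port.partition("/")
    seen_digests.add(digest)
    # The ACCEPT rule goes into the dedicated FWKNOP_INPUT chain for the
    # address carried in the Access field (the one -R resolved); a knoptm-style
    # cleanup would delete it again after FW_ACCESS_TIMEOUT seconds.
    rule = "iptables -A FWKNOP_INPUT -s %s -p %s --dport %s -j ACCEPT" % (
        allow_ip, proto, port)
    timeout = int(conf["FW_ACCESS_TIMEOUT"])
    return True, "access granted for %d seconds" % timeout, rule
```

A second delivery of the very same message is refused with a replay reason even though its digest is still correct, a message whose username was altered in transit fails the digest check, and a request for tcp/23 is refused because only tcp/22 appears in OPEN_PORTS; persisting `seen_digests` to a file is what turns this into the cross-restart protection the md5sums cache provides.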

The fwknop server adds and deletes all SPA access rules within the custom chain FWKNOP_INPUT instead of within any of the built-in chains, such as INPUT or FORWARD. This strictly separates rules in an existing iptables policy from the rules it manipulates,
