Hi,

I have the following setup:

spa_client [2.2.2.2] ------ Internet ----- [1.1.1.1] Router (configured with spa_server as DMZ) [192.168.1.1] ------- [192.168.1.2] spa_server

I wanted to have fwknopd open up a port on the spa_server and redirect it to the local ssh daemon listening on port 22.

nat-local seemed to be what I wanted:

           fwknop -A tcp/4444 -a 2.2.2.2 --nat-local --nat-port 22 -D 1.1.1.1 -v

should open up port 4444 and forward it to port 22.

But the DNAT rule that rewrites the destination address uses the server's public IP 1.1.1.1, which is not configured on any of the server's interfaces!
I also figured out that I could not use --nat-access, as the server does not set up a rule in the INPUT chain in this case.

I patched the code to use -j REDIRECT instead of -j DNAT when --nat-local is used.

I have provided the patch against version 2.0.4 below.
This works for me...

But, being a fwknop newbie, I would appreciate it if I could get it blessed... ;-)!

I also had a couple of questions:
  1. How does --nat-rand-port work with --nat-local?
  2. What options should I use to ./configure for the default access/config file locations?

Thanks,
-karthik


--- fwknop-2.0.4/server/fw_util_iptables.c 2012-12-09 15:55:59.000000000 -0500
+++ fwknop-2.0.4-patched/server/fw_util_iptables.c 2013-03-12 08:14:38.618453300 -0400
@@ -882,19 +882,34 @@
                add_jump_rule(opts, IPT_DNAT_ACCESS);

            zero_cmd_buffers();
-
-            snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_DNAT_RULE_ARGS,
-                opts->fw_config->fw_command,
-                dnat_chain->table,
-                dnat_chain->to_chain,
-                fst_proto,
-                spadat->use_src_ip,
-                fst_port,
-                exp_ts,
-                dnat_chain->target,
-                nat_ip,
-                nat_port
-            );
+            if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG)
+            {
+                snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_REDIRECT_RULE_ARGS,
+                    opts->fw_config->fw_command,
+                    dnat_chain->table,
+                    dnat_chain->to_chain,
+                    fst_proto,
+                    spadat->use_src_ip,
+                    fst_port,
+                    exp_ts,
+                    nat_port
+                );
+             }
+            else
+            {
+                snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_DNAT_RULE_ARGS,
+                    opts->fw_config->fw_command,
+                    dnat_chain->table,
+                    dnat_chain->to_chain,
+                    fst_proto,
+                    spadat->use_src_ip,
+                    fst_port,
+                    exp_ts,
+                    dnat_chain->target,
+                    nat_ip,
+                    nat_port
+                );
+            }

            res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
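Review bot: The new branch selects the REDIRECT rule only when `spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG`, so a local-NAT request that also carries a client timeout (libfko's `FKO_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MSG`, if the library version in use defines it) would still take the DNAT path and hit the unreachable-address problem the patch is meant to fix; the condition should cover both, e.g. `if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG || spadat->message_type == FKO_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MSG)`. The closing brace of the REDIRECT branch is indented one column deeper than its `if`, and since the two snprintf calls differ only in the target arguments a short comment above the `if` explaining why the local case uses REDIRECT (the SPA destination address may be a public address that is not present on any local interface, so DNAT to it cannot deliver the packet locally) would help the next reader. Both calls pass `CMD_BUFSIZE-1` and never check snprintf's return value for truncation; that is pre-existing, but the new call inherits it and a truncated iptables command would fail or, worse, install a rule narrower than intended. The enclosing function starts and ends outside the hunk.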



--- fwknop-2.0.4/server/fw_util_iptables.h 2012-12-09 15:55:59.000000000 -0500
+++ fwknop-2.0.4-patched/server/fw_util_iptables.h 2013-03-12 08:10:36.242318088 -0400
@@ -39,6 +39,7 @@
#define IPT_ADD_OUT_RULE_ARGS   "-t %s -A %s -p %i -d %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
#define IPT_ADD_FWD_RULE_ARGS   "-t %s -A %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
#define IPT_ADD_DNAT_RULE_ARGS  "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i 2>&1"
+#define IPT_ADD_REDIRECT_RULE_ARGS  "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j REDIRECT --to-ports %i 2>&1"
#define IPT_ADD_SNAT_RULE_ARGS  "-t %s -A %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1"
#define IPT_TMP_COMMENT_ARGS    "-t %s -I %s %i -s 127.0.0.2 -m comment --comment " TMP_COMMENT " -j %s 2>&1"
#define IPT_DEL_RULE_ARGS       "-t %s -D %s %i 2>&1"
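Review bot: `IPT_ADD_REDIRECT_RULE_ARGS` hard-codes `-j REDIRECT`, whereas every neighbouring rule macro takes the jump target as a `%s` filled from the chain's configured `target`; that is workable, but it means the local-NAT rule ignores the chain configuration the other rules honour, and the difference deserves a comment, e.g. `/* local NAT: jump straight to REDIRECT so the destination is rewritten to the receiving interface's address rather than the SPA packet's -D address */`. REDIRECT is only accepted by iptables in the nat table's PREROUTING and OUTPUT chains (or user chains called from them), so this macro silently depends on `dnat_chain` being attached there; stating that in the same comment would keep a future chain change from breaking the local-NAT path without an obvious error.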