Hello all!

Trying to set up fwknop on an iptables firewall (fc13) with external (eth0) and internal (eth1) interfaces. I did all the gnupg steps that the howto tells you to do (http://www.cipherdyne.org/fwknop/docs/gpghowto.html). No problems with that; both firewall and client now have functional public and private keys.

My test setup is like this:


         client 192.168.171.1
         --------------------
                   |
                   |
      ------------------------------
      fw-public eth0 192.168.171.100
                  
        fw-private eth1 10.11.12.1
      ------------------------------
                   |
                   |
           -----------------
           server 10.11.12.5


My access.conf has the following settings:
<clip>
SOURCE: ANY;
OPEN_PORTS: tcp/22;
GPG_REMOTE_ID: CLIENTID;
GPG_DECRYPT_ID: FIREWALLID;
GPG_DECRYPT_PW: password;
GPG_HOME_DIR: /root/.gnupg;
FW_ACCESS_TIMEOUT: 60;
ENABLE_FORWARD_ACCESS: Y;
<clip>

I also have a line in fwknopd.conf saying:
<clip>
ENABLE_IPT_FORWARDING  Y;
ENABLE_IPT_SNAT  Y;
SNAT_TRANSLATE_IP 10.11.12.1;
<clip>

I am running fwknopd on the firewall with the command:
fwknopd -vvv -f -c /etc/fwknop/fwknopd.conf -a /etc/fwknop/access.conf

...and the client with the command:
fwknop -A tcp/22 --nat-access 10.11.12.5:22 -D 192.168.171.100 -a 192.168.171.1 \
       --gpg-recipient-key FIREWALLID --gpg-signer-key CLIENTID -vvv

...and surprise! I can connect from the client to the firewall using ssh, and the connection is forwarded to the server. So everything is working like all the docs and forum(s) say. BUT my biggest problem is that I do NOT
want to NAT from the firewall to the server; I would like to make a setup where my client authenticates to the firewall and after that fwknopd creates an iptables rule so my client can open an ssh connection to the REAL server 10.11.12.5, not to the firewall itself!

Right now I have to run this ssh command on the client:
ssh user@192.168.171.100

But I would like to make a setup where I can run:
ssh user@10.11.12.5

Routing is not the problem... the problem is that I'm quite a newbie with fwknop and don't have a clue how to make this happen...

The basic idea is that the client never opens an ssh (or whatever) connection to the firewall's public address directly (after SPA), always to the original server OR to another public address which is NATted to the original server by the firewall.

Any help would be appreciated!

Cheers,

Matti
--
palaste-at-gmail-com
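As an added illustration that is not part of Matti's post or of fwknop itself: the two access shapes being discussed differ in where the rules land. The --nat-access setup above works because a DNAT rule in the nat PREROUTING chain rewrites connections aimed at the firewall's public address, with a matching ACCEPT in FORWARD; the routed setup he wants needs only the FORWARD ACCEPT for traffic already addressed to 10.11.12.5. The script below classifies a rule set (constructed iptables-save style lines, using the standard FORWARD and PREROUTING chain names; fwknopd may place its rules in chains of its own that are jumped to from these, which is an assumption to check on a live host) so that the resulting iptables state can be verified instead of guessed at.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies how an iptables rule
# set grants CLIENT access to SERVER:PORT: via DNAT (the --nat-access shape),
# via a plain routed FORWARD ACCEPT, or not at all.

# Constructed sample: DNAT-based grant (connection is aimed at the firewall,
# rewritten to the server, then accepted in FORWARD).
NAT_RULES='-A PREROUTING -s 192.168.171.1/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.11.12.5:22
-A FORWARD -s 192.168.171.1/32 -d 10.11.12.5/32 -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed sample: routed grant only, no address translation; the client
# connects to the real server address and the firewall just forwards it.
FWD_RULES='-A FORWARD -s 192.168.171.1/32 -d 10.11.12.5/32 -p tcp -m tcp --dport 22 -j ACCEPT'

# classify_access RULES CLIENT SERVER PORT -> prints "nat", "forward" or "none"
# On a live host, feed it the output of: iptables-save (assumed chain names).
classify_access() {
  rules=$1; client=$2; server=$3; port=$4
  # grep -c prints 0 and exits 1 on no match; "|| true" keeps set -e quiet.
  has_dnat=$(printf '%s\n' "$rules" \
    | grep -c -- "-A PREROUTING -s $client/32 .*--dport $port -j DNAT --to-destination $server:$port" || true)
  has_fwd=$(printf '%s\n' "$rules" \
    | grep -c -- "-A FORWARD -s $client/32 -d $server/32 .*--dport $port -j ACCEPT" || true)
  if [ "$has_dnat" -gt 0 ]; then
    echo nat
  elif [ "$has_fwd" -gt 0 ]; then
    echo forward
  else
    echo none
  fi
}

# Stand-alone run: show the classification of both constructed rule sets.
echo "NAT_RULES: $(classify_access "$NAT_RULES" 192.168.171.1 10.11.12.5 22)"
echo "FWD_RULES: $(classify_access "$FWD_RULES" 192.168.171.1 10.11.12.5 22)"
```

A result of "nat" means the client must still ssh to the firewall's public address; "forward" is the shape where `ssh user@10.11.12.5` works directly, provided routing on both sides already sends that traffic through the firewall.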