Thread: [Fwknop-discuss] --nat-local : use -j REDIRECT instead of -j DNAT ?
From: Karthik G. <ka...@ka...> - 2013-03-12 14:46:36
Hi,

I have the following setup:

spa_client [2.2.2.2] ------ Internet ----- [1.1.1.1] Router (configured with spa_server as DMZ) [192.168.1.1] ------- [192.168.1.2] spa_server

I wanted to have fwknopd open up a port on the spa_server and redirect it to the local ssh daemon listening on port 22.

nat-local seemed to be what I wanted:

fwknop -A tcp/4444 -a 2.2.2.2 --nat-local --nat-port 22 -D 1.1.1.1 -v

should open up port 4444 and forward it to port 22.

But the DNAT rule to rewrite the destination address uses the server's public IP 1.1.1.1 which is not available on any of the server's interfaces!
I also figured out that I could not use --nat-access as the server does not set up a rule in the INPUT chain in this case.

I patched the code to use -j REDIRECT instead of -j DNAT when --nat-local is used.

I have provided the patch against version 2.0.4 below.
This works for me... But, being a fwknop newbie, I would appreciate it if I could get it blessed... ;-)!

I also had a couple of questions:
1. How does --nat-rand-port work with --nat-local?
2. What options should I use to ./configure for the default access/config file locations?

Thanks,
-karthik

--- fwknop-2.0.4/server/fw_util_iptables.c 2012-12-09 15:55:59.000000000 -0500
+++ fwknop-2.0.4-patched/server/fw_util_iptables.c 2013-03-12 08:14:38.618453300 -0400
@@ -882,19 +882,34 @@ add_jump_rule(opts, IPT_DNAT_ACCESS); zero_cmd_buffers(); - - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_DNAT_RULE_ARGS, - opts->fw_config->fw_command, - dnat_chain->table, - dnat_chain->to_chain, - fst_proto, - spadat->use_src_ip, - fst_port, - exp_ts, - dnat_chain->target, - nat_ip, - nat_port - ); + if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG) + { + snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_REDIRECT_RULE_ARGS, + opts->fw_config->fw_command, + dnat_chain->table, + dnat_chain->to_chain, + fst_proto, + spadat->use_src_ip, + fst_port, + exp_ts, + nat_port + ); + } + else + { + snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_DNAT_RULE_ARGS, + opts->fw_config->fw_command, + dnat_chain->table, + dnat_chain->to_chain, + fst_proto, + spadat->use_src_ip, + fst_port, + exp_ts, + dnat_chain->target, + nat_ip, + nat_port + ); + } res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
--- fwknop-2.0.4/server/fw_util_iptables.h 2012-12-09 15:55:59.000000000 -0500
+++ fwknop-2.0.4-patched/server/fw_util_iptables.h 2013-03-12 08:10:36.242318088 -0400
@@ -39,6 +39,7 @@ #define IPT_ADD_OUT_RULE_ARGS "-t %s -A %s -p %i -d %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1" #define IPT_ADD_FWD_RULE_ARGS "-t %s -A %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1" #define IPT_ADD_DNAT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i 2>&1" +#define IPT_ADD_REDIRECT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j REDIRECT --to-ports %i 2>&1" #define IPT_ADD_SNAT_RULE_ARGS "-t %s -A %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1" #define IPT_TMP_COMMENT_ARGS "-t %s -I %s %i -s 127.0.0.2 -m comment --comment " TMP_COMMENT " -j %s 2>&1" #define IPT_DEL_RULE_ARGS "-t %s -D %s %i 2>&1"
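Review bot: in the fw_util_iptables.c hunk, the new FKO_LOCAL_NAT_ACCESS_MSG branch drops nat_ip entirely and nothing in the hunk checks what the client put in the nat access field for a local-NAT request; if fwknopd is only ever meant to redirect to itself here, that field should at least be logged or validated against the server's own addresses, so that a local-NAT request naming some other host is not silently turned into a redirect to the local port. Separately, the two snprintf calls differ only in the format macro and the `dnat_chain->target, nat_ip` arguments; picking the format string and target inside the `if` and keeping a single snprintf would keep one code path feeding `res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);`.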
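Review bot: in the fw_util_iptables.h hunk, IPT_ADD_REDIRECT_RULE_ARGS hard-codes `-j REDIRECT` while every neighbouring macro takes the target as `%s` (filled from `dnat_chain->target` in the .c file); keeping the `%s` and passing "REDIRECT" from the caller would leave the macros uniform and the two argument lists in the .c hunk parallel. Also worth a comment on the macro: unlike DNAT, the REDIRECT target is only valid in the nat table's PREROUTING and OUTPUT chains (and user chains called from them), so the `-t %s -A %s` parameters must still resolve to that table and chain or rule insertion fails at run time.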
From: Michael R. <mb...@ci...> - 2013-03-13 03:59:25
On Mar 12, 2013, Karthik Ganesan wrote:

> Hi,

Hello Karthik,

> I have the following setup:
>
> spa_client [2.2.2.2] ------ Internet ----- [1.1.1.1] Router (configured with spa_server as DMZ) [192.168.1.1] ------- [192.168.1.2] spa_server
>
> I wanted to have fwknopd open up a port on the spa_server and redirect it to the local ssh daemon listening on port 22.
>
> nat-local seemed to be what I wanted:
>
> fwknop -A tcp/4444 -a 2.2.2.2 --nat-local --nat-port 22 -D 1.1.1.1 -v
>
> should open up port 4444 and forward it to port 22.
>
> But the DNAT rule to rewrite the destination address uses the server's public IP 1.1.1.1 which is not available on any of the server's interfaces!
> I also figured out that I could not use --nat-access as the server does not set up a rule in the INPUT chain in this case.

If I understand correctly, I think the SNAT config vars (ENABLE_IPT_SNAT and SNAT_TRANSLATE_IP) in the fwknopd.conf file might help with this. But, this functionality is a bit of a kludge, and should really be put into the access.conf file. Your idea of using the REDIRECT target is a good one...

> I patched the code to use -j REDIRECT instead of -j DNAT when --nat-local is used.
>
> I have provided the patch against version 2.0.4 below.
> This works for me...

Thanks for providing the patch, and I'll look at getting this into fwknop-2.5, but it might go into 2.6 (not sure yet). I've opened issue #47 in github to track this with a milestone of fwknop-2.5 for now:

https://github.com/mrash/fwknop/issues/47

> But, being a fwknop newbie, I would appreciate it if I could get it blessed... ;-)!
>
> I also had a couple of questions:
> 1. How does --nat-rand-port work with --nat-local?

It looks like I may need to fix this functionality - fwknopd should take the randomly assigned port value that is encrypted within the SPA packet and NAT incoming connections to this port into the local service. So, if the client sets port "39921" to be locally NAT'd to port 22, then fwknopd should build rules accordingly. The test suite doesn't currently test this, and I'll get this fixed.

> 2. What options should I use to ./configure for the default access/config file locations?

For the ./configure args, I usually use:

$ ./configure --prefix=/usr --sysconfdir=/etc

Then the access.conf and fwknopd.conf files go in /etc/fwknop/ which is probably the best default location.

--Mike

> _______________________________________________
> Fwknop-discuss mailing list
> Fwk...@li...
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
From: Karthik G. <ka...@ka...> - 2013-03-17 01:37:31
Attachments:
fwknop-2.0.4-client-nat-rand-port.patch
Hello Michael,

Thank you very much for your reply.

I have created a patch for --nat-rand-port...

The way I read the man page (and how I want to use it) is for fwknop client to generate a random port number for which it would request access from the server. The client would use --nat-port to request the mapping of this random port to a service on the other side of the firewall.

So, for example,

fwknop --nat-local --nat-rand-port --nat-port 22 -a 1.1.1.1 -D 2.2.2.2

would generate the following SPA packet:

FKO Field Values:
=================
.....................
Message Type: 5
Message String: 1.1.1.1,tcp/37126
Nat Access: 2.2.2.2,22
.....................

where the client has generated a random port (37126) and asked for it to be mapped to port 22 on the server, allowing the following access via ssh:

ssh -p 37126 2.2.2.2

Thanks,
-karthik
From: Michael R. <mb...@ci...> - 2013-03-17 02:21:08
On Mar 16, 2013, Karthik Ganesan wrote:

> Hello Michael,

Hello Karthik,

> Thank you very much for your reply.
>
> I have created a patch for --nat-rand-port...
>
> The way I read the man page (and how I want to use it) is for fwknop
> client to generate a random port number for which it would request
> access from the server. The client would use --nat-port to request the
> mapping of this random port to a service on the other side of the
> firewall.
>
> So, for example,
>
> fwknop --nat-local --nat-rand-port --nat-port 22 -a 1.1.1.1 -D 2.2.2.2
>
> would generate the following SPA packet:
> FKO Field Values:
> =================
> .....................
> Message Type: 5
> Message String: 1.1.1.1,tcp/37126
> Nat Access: 2.2.2.2,22
> .....................
>
> where the client has generated a random port (37126) and asked for it to
> be mapped to port 22 on the server, allowing the following access via
> ssh:
>
> ssh -p 37126 2.2.2.2

Thanks for sending over the patch - as it turns out, I spent some time working on this problem earlier today, and I believe I've solved it (along with adding a bunch of new tests to verify this in the test suite). I'm currently merging in another set of patches before I push out the changes to github.

In your command line above, it is supported similarly (in my changes to be pushed) with:

$ fwknop -A tcp/22 --nat-local --nat-rand-port -a 1.1.1.1 -D 2.2.2.2

The convention I was following is that --nat-rand-port and --nat-port are port numbers that are to be translated into other ports that are requested via either '-A' or '-N <IP:port>' criteria (the latter used for accessing systems through the fwknopd system via the FORWARD chain, etc. - i.e. --nat-local is not used in this case). If this is not intuitive though, then maybe I should also merge your idea of using --nat-rand-port and --nat-port simultaneously. Once my changes are pushed can you take a look and let me know what you think?

I should be able to merge in your REDIRECT patch soon.

--Mike

> --- fwknop-2.0.4/client/fwknop.c 2012-12-09 15:55:59.000000000 -0500
> +++ fwknop-2.0.4-patched/client/fwknop.c 2013-03-15 21:24:44.853864258 -0400
> @@ -172,8 +172,16 @@ > } > else > { > - snprintf(access_buf, MAX_LINE_LEN, "%s%s%s", > - options.allow_ip_str, ",", "none/0"); > + if(options.nat_rand_port) > + { > + snprintf(access_buf, MAX_LINE_LEN, "%s%stcp/%d", > + options.allow_ip_str, ",", get_rand_port(ctx)); > + } > + else > + { > + snprintf(access_buf, MAX_LINE_LEN, "%s%s%s", > + options.allow_ip_str, ",", "none/0"); > + } > } > } > res = fko_set_spa_message(ctx, access_buf); > @@ -492,9 +500,9 @@ > char nat_access_buf[MAX_LINE_LEN] = ""; > int nat_port = 0; > > - if (options->nat_rand_port) > + /*if (options->nat_rand_port) > nat_port = get_rand_port(ctx); > - else if (options->nat_port) > + else */if (options->nat_port) > nat_port = options->nat_port; > else > nat_port = DEFAULT_NAT_PORT;
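Review bot: in the first client/fwknop.c hunk (@@ -172,8 +172,16 @@), `get_rand_port(ctx)` is called inline inside the snprintf and its result is never stored in `options`, so the chosen port exists only inside `access_buf`; since the user has to connect to that port afterwards (the `ssh -p 37126` step above), keep it in the options struct and print it rather than relying on the verbose field dump. The branch also hard-codes `tcp/` into the access message, so `--nat-rand-port` on this path can never request a UDP service; either derive the protocol from the requested access or document the TCP-only behaviour.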
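Review bot: in the second client/fwknop.c hunk (@@ -492,9 +500,9 @@), the old `nat_rand_port` handling is disabled by wrapping it in a block comment that closes mid-line (`+ else */if (options->nat_port)`), which is hard to read and easy to break on the next edit; delete the two lines instead of commenting them out. Because `--nat-rand-port` no longer influences `nat_port` here, the option's description in the man page and `--help` output should be updated to say that the random port now goes into the access message and `--nat-port` names the service behind it.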
From: Karthik G. <ka...@ka...> - 2013-03-17 05:36:38
On Sat, 2013-03-16 at 22:20 -0400, Michael Rash wrote: > On Mar 16, 2013, Karthik Ganesan wrote: > > > Hello Michael, > > Hello Karthik, > > > Thank you very much for your reply. > > > > I have created a patch for --nat-rand-port... > > > > The way I read the man page (and how I want to use it) is for fwknop > > client to generate a random port number for which it would request > > access from the server. The client would use --nat-port to request the > > mapping of this random port to a service on the other side of the > > firewall. > > > > So, for example, > > > > fwknop --nat-local --nat-rand-port --nat-port 22 -a 1.1.1.1 -D 2.2.2.2 > > > > would generate the following SPA packet: > > FKO Field Values: > > ================= > > ..................... > > Message Type: 5 > > Message String: 1.1.1.1,tcp/37126 > > Nat Access: 2.2.2.2,22 > > ..................... > > > > where the client has generated a random port (37126) and asked for it to > > be mapped to port 22 on the server, allowing the following access via > > ssh: > > > > ssh -p 37126 2.2.2.2 > > Thanks for sending over the patch - as it turns out, I spent some time > working on this problem earlier today, and I believe I've solved it > (along with adding a bunch of new tests to verify this in the test suite). > I'm currently merging in another set of patches before I push out the > changes to github. > Awesome! > In your command line above, it is supported similarly (in my changes to be > pushed) with: > > $ fwknop -A tcp/22 --nat-local --nat-rand-port -a 1.1.1.1 -D 2.2.2.2 > > The convention I was following is that --nat-rand-port and --nat-port > are port numbers that are to be translated into other ports that are > requested via either '-A' or '-N <IP:port>' criteria (the later used for > accessing systems through the fwknopd system via the FORWARD chain, > etc. - i.e. --nat-local is not used in this case). 
If this is not > intuitive though, then maybe I should also merge your idea of using > --nat-rand-port and --nat-port simultaneously. Once my changes are > pushed can you take a look and let me know what you think? > I think I get it... To confirm, when we are NOT requesting nat redirection (i.e. FKO_ACCESS_MSG), the server will interpret the access message field as a port that has to be opened (i.e. INPUT rule will be added for connection to this port) When, we are requesting nat redirection (either nat-local or nat-access/ FKO_NAT_ACCESS_MSG or FKO_LOCAL_NAT_ACCESS_MSG), then the access message field is actually what the port will be rewritten to in the PREROUTE? I would love to help in any way I can. I must admit that I still don't have my mind completely wrapped around the path of a packet through net-filter! But, I can certainly serve as an extra pair of eyes if that is useful. > I should be able to merge in your REDIRECT patch soon. > Thanks -karthik > --Mike > > > > > > Thanks, > > -karthik > > > > > > On Tue, 2013-03-12 at 23:58 -0400, Michael Rash wrote: > > > On Mar 12, 2013, Karthik Ganesan wrote: > > > > > > > Hi, > > > > > > Hello Karthik, > > > > > > > I have the following setup: > > > > > > > > spa_client [2.2.2.2] ------ Internet ----- [1.1.1.1] Router (configured with spa_server as DMZ) [192.168.1.1] ------- [192.168.1.2] spa_server > > > > > > > > I wanted to have fwknopd open up a port on the spa_server and redirect it to the local ssh daemon listening on port 22. > > > > > > > > nat-local seemed to be what I wanted: > > > > > > > > fwknop -A tcp/4444 -a 2.2.2.2 --nat-local --nat-port 22 -D 1.1.1.1 -v > > > > > > > > should open up port 4444 and forward it to port 22. > > > > > > > > But the DNAT rule to rewrite the destination address uses the server's public IP 1.1.1.1 which is not available on any of the server's interfaces! 
> > > > I also figured out that I could not use --nat-access as the server does not setup a rule in the INPUT chain in this case. > > > > > > If I understand correctly, I think the SNAT config vars (ENABLE_IPT_SNAT and > > > SNAT_TRANSLATE_IP) in the fwknopd.conf file might help with this. But, this > > > functionality is a bit of a kludge, and should really be put into the > > > access.conf file. Your idea of using the REDIRECT target is a good one... > > > > > > > I patched the code to use -j REDIRECT instead of -j DNAT when --nat-local is used. > > > > > > > > I have provided the patch against version 2.0.4 below. > > > > This works for me... > > > > > > Thanks for providing the patch, and I'll look at getting this into > > > fwknop-2.5, but it might go into 2.6 (not sure yet). I've opened issue > > > #47 in github to track this with a milestone of fwknop-2.5 for now: > > > > > > https://github.com/mrash/fwknop/issues/47 > > > > > > > But, being a fwknop newbie, I would appreciate it if I could get it blessed... ;-)! > > > > > > > > I also had a couple of questions: > > > > 1. How does --nat-rand-port work with --nat-local? > > > > > > It looks like I may need to fix this functionality - fwknopd should take > > > the randomly assigned port value that is encrypted within the SPA packet > > > and NAT incoming connections to this port into the local service. So, > > > if the client sets port "39921" to be locally NAT'd to port 22, then > > > fwknopd should build rules accordingly. The test suite doesn't > > > currently test this, and I'll get this fixed. > > > > > > > 2. What options should I use to ./configure for the default access/config file locations? > > > > > > For the ./configure args, I usually use: > > > > > > $ ./configure --prefix=/usr --sysconfdir=/etc > > > > > > Then the access.conf and fwknopd.conf files go in /etc/fwknop/ which is > > > probably the best default location. 
> > > > > > --Mike > > > > > > > > > > Thanks, > > > > -karthik > > > > > > > > > > > > --- fwknop-2.0.4/server/fw_util_iptables.c 2012-12-09 15:55:59.000000000 -0500 > > > > +++ fwknop-2.0.4-patched/server/fw_util_iptables.c 2013-03-12 08:14:38.618453300 -0400 > > > > @@ -882,19 +882,34 @@ > > > > add_jump_rule(opts, IPT_DNAT_ACCESS); > > > > > > > > zero_cmd_buffers(); > > > > - > > > > - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_DNAT_RULE_ARGS, > > > > - opts->fw_config->fw_command, > > > > - dnat_chain->table, > > > > - dnat_chain->to_chain, > > > > - fst_proto, > > > > - spadat->use_src_ip, > > > > - fst_port, > > > > - exp_ts, > > > > - dnat_chain->target, > > > > - nat_ip, > > > > - nat_port > > > > - ); > > > > + if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG) > > > > + { > > > > + snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_REDIRECT_RULE_ARGS, > > > > + opts->fw_config->fw_command, > > > > + dnat_chain->table, > > > > + dnat_chain->to_chain, > > > > + fst_proto, > > > > + spadat->use_src_ip, > > > > + fst_port, > > > > + exp_ts, > > > > + nat_port > > > > + ); > > > > + } > > > > + else > > > > + { > > > > + snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_DNAT_RULE_ARGS, > > > > + opts->fw_config->fw_command, > > > > + dnat_chain->table, > > > > + dnat_chain->to_chain, > > > > + fst_proto, > > > > + spadat->use_src_ip, > > > > + fst_port, > > > > + exp_ts, > > > > + dnat_chain->target, > > > > + nat_ip, > > > > + nat_port > > > > + ); > > > > + } > > > > > > > > res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0); > > > > > > > > > > > > > > > > --- fwknop-2.0.4/server/fw_util_iptables.h 2012-12-09 15:55:59.000000000 -0500 > > > > +++ fwknop-2.0.4-patched/server/fw_util_iptables.h 2013-03-12 08:10:36.242318088 -0400 
> > > > @@ -39,6 +39,7 @@ > > > > #define IPT_ADD_OUT_RULE_ARGS "-t %s -A %s -p %i -d %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1" > > > > #define IPT_ADD_FWD_RULE_ARGS "-t %s -A %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1" > > > > #define IPT_ADD_DNAT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i 2>&1" > > > > +#define IPT_ADD_REDIRECT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j REDIRECT --to-ports %i 2>&1" > > > > #define IPT_ADD_SNAT_RULE_ARGS "-t %s -A %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1" > > > > #define IPT_TMP_COMMENT_ARGS "-t %s -I %s %i -s 127.0.0.2 -m comment --comment " TMP_COMMENT " -j %s 2>&1" > > > > #define IPT_DEL_RULE_ARGS "-t %s -D %s %i 2>&1"
> > > >
> > > > _______________________________________________
> > > > Fwknop-discuss mailing list
> > > > Fwk...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
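Review bot: In the new FKO_LOCAL_NAT_ACCESS_MSG branch of the fw_util_iptables.c hunk, `dnat_chain->target` and `nat_ip` are no longer passed, so whatever jump target is configured for the DNAT chain is silently replaced by the literal REDIRECT baked into IPT_ADD_REDIRECT_RULE_ARGS; either pass `dnat_chain->target` through a `%s` like the other rule macros do, or put a comment at the branch stating that local NAT deliberately ignores the configured target and the NAT IP. The else branch is a verbatim copy of the removed snprintf, so a one-line comment explaining why local NAT needs REDIRECT (the server's public address is not bound on any local interface, per the report above) would save the next reader a diff. What the branch keeps is right: the `-s` match on spadat->use_src_ip and the EXPIRE_COMMENT_PREFIX comment are unchanged, so the rule stays scoped to the SPA source and is still found by the expiry cleanup.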
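Review bot: IPT_ADD_REDIRECT_RULE_ARGS takes one argument fewer than IPT_ADD_DNAT_RULE_ARGS (no `%s` target and no `%s` destination IP) while the two macros are selected at runtime by message type, so an argument-count slip at the .c call site would only surface as a malformed iptables command; a comment next to the define listing the expected arguments in order (table, chain, proto, src, dport, expire ts, to-port) would make the pairing with the call site explicit. Also worth stating near the define: REDIRECT rewrites the destination to the primary address of the interface the packet arrived on, so whatever INPUT accept rule fwknopd adds for this request has to match the translated port (22 in the thread's example), not the original --dport.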
> >
> > --- fwknop-2.0.4/client/fwknop.c 2012-12-09 15:55:59.000000000 -0500 > > +++ fwknop-2.0.4-patched/client/fwknop.c 2013-03-15 21:24:44.853864258 -0400 > > @@ -172,8 +172,16 @@ > > } > > else > > { > > - snprintf(access_buf, MAX_LINE_LEN, "%s%s%s", > > - options.allow_ip_str, ",", "none/0"); > > + if(options.nat_rand_port) > > + { > > + snprintf(access_buf, MAX_LINE_LEN, "%s%stcp/%d", > > + options.allow_ip_str, ",", get_rand_port(ctx)); > > + } > > + else > > + { > > + snprintf(access_buf, MAX_LINE_LEN, "%s%s%s", > > + options.allow_ip_str, ",", "none/0"); > > + } > > } > > } > > res = fko_set_spa_message(ctx, access_buf); > > @@ -492,9 +500,9 @@ > > char nat_access_buf[MAX_LINE_LEN] = ""; > > int nat_port = 0; > > > > - if (options->nat_rand_port) > > + /*if (options->nat_rand_port) > > nat_port = get_rand_port(ctx); > > - else if (options->nat_port) > > + else */if (options->nat_port) > > nat_port = options->nat_port; > > else > > nat_port = DEFAULT_NAT_PORT;
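Review bot: The access string built in the @@ -172 hunk hard-codes the protocol as `tcp/` in `"%s%stcp/%d"`, so --nat-rand-port always requests a TCP rule even if the service being exposed is UDP; derive the protocol from what the user asked for rather than a literal, or reject non-TCP use of --nat-rand-port with an error. The hunk also consumes get_rand_port(ctx) straight into access_buf without ever reporting the value, so once the packet is sent the user has no way to know which port to connect to; print it (Mike's reply later in the thread shows a `[+] Randomly assigned port` line added for exactly this reason).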
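Review bot: In the @@ -492 hunk the nat_rand_port branch is disabled by wrapping it in `/* ... */`, which leaves dead code and produces the hard-to-read `else */if (options->nat_port)`; delete the two lines outright and add a one-line comment saying that the random port now lives in the access message while nat_port is the fixed service port. Functionally the move is consistent with the first hunk: get_rand_port() is now called exactly once, so the access field and the NAT field cannot disagree if the function returns a fresh value on each call.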
From: Michael R. <mb...@ci...> - 2013-03-18 02:21:54
On Mar 17, 2013, Karthik Ganesan wrote:
> On Sat, 2013-03-16 at 22:20 -0400, Michael Rash wrote:
> > On Mar 16, 2013, Karthik Ganesan wrote:
> >
> > > Hello Michael,
> >
> > Hello Karthik,
> >
> > > Thank you very much for your reply.
> > >
> > > I have created a patch for --nat-rand-port...
> > >
> > > The way I read the man page (and how I want to use it) is for fwknop client to generate a random port number for which it would request access from the server. The client would use --nat-port to request the mapping of this random port to a service on the other side of the firewall.
> > >
> > > So, for example,
> > >
> > > fwknop --nat-local --nat-rand-port --nat-port 22 -a 1.1.1.1 -D 2.2.2.2
> > >
> > > would generate the following SPA packet:
> > > FKO Field Values:
> > > =================
> > > .....................
> > > Message Type: 5
> > > Message String: 1.1.1.1,tcp/37126
> > > Nat Access: 2.2.2.2,22
> > > .....................
> > >
> > > where the client has generated a random port (37126) and asked for it to be mapped to port 22 on the server, allowing the following access via ssh:
> > >
> > > ssh -p 37126 2.2.2.2
> >
> > Thanks for sending over the patch - as it turns out, I spent some time working on this problem earlier today, and I believe I've solved it (along with adding a bunch of new tests to verify this in the test suite). I'm currently merging in another set of patches before I push out the changes to github.
> >
>
> Awesome!
The changes to fix --nat-rand-port and --nat-port have been pushed to the hmac_support branch (where all recent work is going in support of the upcoming release to add authenticated encryption for SPA communications):

https://github.com/mrash/fwknop/commit/4bdb71315a049e072f95e3426fe9c149ca763586

> > In your command line above, it is supported similarly (in my changes to be pushed) with:
> >
> > $ fwknop -A tcp/22 --nat-local --nat-rand-port -a 1.1.1.1 -D 2.2.2.2
> >
> > The convention I was following is that --nat-rand-port and --nat-port are port numbers that are to be translated into other ports that are requested via either '-A' or '-N <IP:port>' criteria (the latter used for accessing systems through the fwknopd system via the FORWARD chain, etc. - i.e. --nat-local is not used in this case). If this is not intuitive though, then maybe I should also merge your idea of using --nat-rand-port and --nat-port simultaneously. Once my changes are pushed can you take a look and let me know what you think?
> >
>
> I think I get it...
> To confirm, when we are NOT requesting nat redirection (i.e. FKO_ACCESS_MSG), the server will interpret the access message field as a port that has to be opened (i.e. INPUT rule will be added for connection to this port)

Correct.

> When we are requesting nat redirection (either nat-local or nat-access/ FKO_NAT_ACCESS_MSG or FKO_LOCAL_NAT_ACCESS_MSG), then the access message field is actually what the port will be rewritten to in the PREROUTE?

Yes, that's right behind the scenes, but the user just knows that whatever service is being requested access to via -A is what they will be able to access. It just happens that adding NAT criteria allows access to this service via something else.
Here is an illustration of what fwknopd generates for --nat-rand-port access to sshd:

FWKNOP_FORWARD chain:
1 ACCEPT tcp -- 127.0.0.2 192.168.1.2 tcp dpt:22 /* _exp_1363569786 */

FWKNOP_PREROUTING chain:
1 DNAT tcp -- 127.0.0.2 0.0.0.0/0 tcp dpt:45247 /* _exp_1363569786 */ to:192.168.1.2:22

So the user would be able to access sshd on 192.168.1.2 via port 45247 on whatever IP is running fwknopd. (These are rules created via the test suite.)

There is also new output generated by the client to let the user know what the randomly assigned NAT port is - without this output the user has no way to know where to make the connection after the SPA packet is sent. This is generated regardless of whether --verbose mode is also used, and here is an example:

$ fwknop -A tcp/22 --nat-local --nat-rand-port -a 1.1.1.1 -D 127.0.0.1
[+] Randomly assigned port '49220' on: '1.1.1.1,tcp/49220' will grant access to: '127.0.0.1,22'
Enter encryption key:

> I would love to help in any way I can. I must admit that I still don't have my mind completely wrapped around the path of a packet through net-filter! But, I can certainly serve as an extra pair of eyes if that is useful.

Additional eyes looking at the code are always great - I would recommend cloning the fwknop repository if you haven't already done this and checking out the hmac_support branch. Current issues are listed here, and more may be added prior to the next release:

https://github.com/mrash/fwknop/issues?milestone=4&state=open

Thanks,

--Mike

> > I should be able to merge in your REDIRECT patch soon.
> >
>
> Thanks
> -karthik
>
> > --Mike
> >
> > > Thanks,
> > > -karthik
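Mike's mapping of the access field (source and port to match) and the NAT field (host and service port to translate to) onto a PREROUTING rule, together with the REDIRECT-versus-DNAT choice from Karthik's patch, worked through as an added example in C; this is not fwknop's own code. It assumes a fixed FWKNOP_PREROUTING chain name, its own struct and function names, and libfko's numeric value 2 for FKO_NAT_ACCESS_MSG (only 5, the local variant, is shown on this page).

```c
/* Added example, not fwknop code: turns the two SPA fields quoted in this thread
 * into the nat-table rule fwknopd would add, using REDIRECT for local NAT (as in
 * Karthik's patch) and DNAT --to-destination otherwise, plus the _exp_ check. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* 5 is the "Message Type" in the SPA dump above; 2 is libfko's value (assumed). */
enum { FKO_NAT_ACCESS_MSG = 2, FKO_LOCAL_NAT_ACCESS_MSG = 5 };

struct spa_request {
    int  msg_type;
    char src_ip[16], proto[4];  /* access field: allowed source and protocol */
    int  port;                  /* access field: port the client will connect to */
    char nat_ip[16];            /* NAT field: host the traffic is translated to */
    int  nat_port;              /* NAT field: service port on that host */
};

/* Parse "1.1.1.1,tcp/37126" and "2.2.2.2,22"; -1 on malformed input or bad port. */
int parse_spa_fields(const char *access, const char *nat, int msg_type,
                     struct spa_request *r)
{
    memset(r, 0, sizeof *r);
    r->msg_type = msg_type;
    if (sscanf(access, "%15[0-9.],%3[a-z]/%d", r->src_ip, r->proto, &r->port) != 3 ||
        sscanf(nat, "%15[0-9.],%d", r->nat_ip, &r->nat_port) != 2)
        return -1;
    return (r->port < 1 || r->port > 65535 || r->nat_port < 1 || r->nat_port > 65535) ? -1 : 0;
}

/* Render the PREROUTING rule after IPT_ADD_DNAT_RULE_ARGS and the patch's
 * IPT_ADD_REDIRECT_RULE_ARGS: the -s match on the SPA source and the expiry
 * comment are the same in both; only the jump target differs. NULL on error. */
const char *spa_to_rule(int msg_type, const char *access, const char *nat,
                        unsigned exp_ts)
{
    static char buf[256];
    struct spa_request r;
    int n;
    if (parse_spa_fields(access, nat, msg_type, &r) != 0) return NULL;
    if (r.msg_type == FKO_LOCAL_NAT_ACCESS_MSG)   /* local service: no IP needed */
        n = snprintf(buf, sizeof buf,
            "-t nat -A FWKNOP_PREROUTING -p %s -s %s --dport %d "
            "-m comment --comment _exp_%u -j REDIRECT --to-ports %d",
            r.proto, r.src_ip, r.port, exp_ts, r.nat_port);
    else                                          /* host behind the firewall */
        n = snprintf(buf, sizeof buf,
            "-t nat -A FWKNOP_PREROUTING -p %s -s %s --dport %d "
            "-m comment --comment _exp_%u -j DNAT --to-destination %s:%d",
            r.proto, r.src_ip, r.port, exp_ts, r.nat_ip, r.nat_port);
    return (n < 0 || (size_t)n >= sizeof buf) ? NULL : buf;
}

/* 1 once now has reached the _exp_ timestamp, 0 while valid, -1 if no comment. */
int rule_expired(const char *rule, unsigned now)
{
    const char *p = strstr(rule, "_exp_");
    return p ? (strtoul(p + 5, NULL, 10) <= now) : -1;
}

int main(void)
{   /* constructed inputs: the SPA dump and the rule listing quoted above */
    puts(spa_to_rule(FKO_LOCAL_NAT_ACCESS_MSG, "1.1.1.1,tcp/37126", "2.2.2.2,22", 1363569786u));
    puts(spa_to_rule(FKO_NAT_ACCESS_MSG, "2.2.2.2,tcp/45247", "192.168.1.2,22", 1363569786u));
    return 0;
}
```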