Re: [Fwknop-discuss] Newbie problem with fwknopd & NAT
From: Michael R. <mb...@ci...> - 2010-08-05 04:17:05
On Aug 03, 2010, hutmat wrote:
> Hello all!

Hello,

> Trying to setup fwknop into an iptables firewall (fc13) with external (eth0)
> and internal (eth1) interfaces. I did all the gnupg steps the howto tells me to do
> (http://www.cipherdyne.org/fwknop/docs/gpghowto.html). No problems with
> that, both firewall and client now have functional public and private keys.
>
> My test setup is like this:
>
>
> client 192.168.171.1
> --------------------
>    |
>    |
> ------------------------------
> fw-public eth0 192.168.171.100
>
> fw-private eth1 10.11.12.1
> ------------------------------
>    |
>    |
> -----------------
> server 10.11.12.5
>
>
> My access.conf has the following settings:
> <clip>
> SOURCE: ANY;
> OPEN_PORTS: tcp/22;
> GPG_REMOTE_ID: CLIENTID;
> GPG_DECRYPT_ID: FIREWALLID;
> GPG_DECRYPT_PW: password;
> GPG_HOME_DIR: /root/.gnupg;
> FW_ACCESS_TIMEOUT: 60;
> ENABLE_FORWARD_ACCESS: Y;
> <clip>
>
> I also have in fwknopd.conf lines saying:
> <clip>
> ENABLE_IPT_FORWARDING Y;
> ENABLE_IPT_SNAT Y;
> SNAT_TRANSLATE_IP 10.11.12.1;
> <clip>
>
> I am running fwknopd on the firewall with the command:
> fwknopd -vvv -f -c /etc/fwknop/fwknopd.conf -a /etc/fwknop/access.conf
>
> ...and the client with the command:
> fwknop -A tcp/22 --nat-access 10.11.12.5:22 -D 192.168.171.100 -a 192.168.171.1 \
>   --gpg-recipient-key FIREWALLID --gpg-signer-key CLIENTID -vvv
>
> ...and surprise! I can connect from client to firewall using ssh, and the
> connection is forwarded to the server. So everything is working like all docs
> and forum(s) are saying. BUT my biggest problem is that I do NOT
> want to make NAT from firewall to server, I would like to make a setup where
> my client authenticates to the firewall and after that fwknopd creates an iptables
> rule so my client can open an ssh connection to the REAL server 10.11.12.5, not
> to the firewall itself!

I'm not quite sure I understand the above. It sounds like you want to first
ssh directly to the firewall, and then you want to ssh again to an internal
server. Is that right?
> Like now I have to run the ssh command on the client as:
> ssh user@192.168.171.100
>
> But I would like to make a setup where I can run:
> ssh user@10.11.12.5
>
> Routing is not the problem... the problem is that I'm quite a newbie with fwknop
> and don't have a clue how to make this happen...
>
> The basic idea is that the client never opens an ssh (or whatever) connection to the
> firewall's public address directly (after SPA), always to the original server OR
> another public address which is NATted to the original server by the firewall.

But if you ssh to the firewall IP after fwknopd has built the NAT rules, your
connection is sent right on through to the internal system without the user
ever knowing it. That is, the user will never talk directly to the sshd
instance on the firewall itself because the NAT rule sends the connection to
the internal system. Either way, the IP packets coming from the user on the
external side are going to hit the external interface of the firewall.

In your scenario above, it looks as though the user would put the destination
IP of the internal system on the ssh command line, and if this worked anyone on
the external network would be able to see the addressing information of your
internal network. Because any system that communicates out through the firewall
(assuming a non-bridging firewall) is going to see the external IP of the
firewall anyway, there is no added harm in making it look like an external
client is connecting to the firewall via ssh. Behind the scenes the connection
is sent on through to the requested internal system, but anyone on the outside
cannot see this.

Not sure if this helped.

--Mike

> Any help would be appreciated!
>
> Cheers,
>
> Matti
> --
> palaste-at-gmail-com
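As an added illustration (written for this thread, not fwknopd's own rule set and not from either poster), here are the iptables rules that implement the DNAT/SNAT path Mike describes for Matti's exact addresses, printed rather than executed so they can be reviewed before use. Using the standard PREROUTING/FORWARD/POSTROUTING chains, the eth0/eth1 interface names from the diagram, an existing ESTABLISHED,RELATED rule in FORWARD and the `-m conntrack` match are assumptions.

```shell
#!/bin/sh
# Added illustration, not fwknopd's own rules: the external client
# (192.168.171.1) connects to the firewall's public IP (192.168.171.100:22),
# the connection is DNATed to the internal server 10.11.12.5:22 and SNATed
# to SNAT_TRANSLATE_IP (10.11.12.1). Rules are echoed, not executed.
# Standard chains are used here; fwknopd manages its own chains (assumed).

CLIENT=192.168.171.1      # -a on the fwknop command line
FW_PUBLIC=192.168.171.100 # -D on the fwknop command line (eth0)
SERVER=10.11.12.5         # --nat-access host
PORT=22                   # --nat-access port / OPEN_PORTS tcp/22
SNAT_IP=10.11.12.1        # SNAT_TRANSLATE_IP (eth1 address)
TIMEOUT=60                # FW_ACCESS_TIMEOUT from access.conf

# Emit the three rules for one authorised client.
# $1 is the iptables action: -A to add, -D to delete.
nat_rules() {
    act="$1"
    # Rewrite the destination: traffic for the firewall's public address is
    # delivered to the internal server, so the client never needs to know
    # the 10.11.12.0/24 addressing.
    echo "iptables -t nat $act PREROUTING -i eth0 -s $CLIENT -d $FW_PUBLIC -p tcp --dport $PORT -j DNAT --to-destination $SERVER:$PORT"
    # Permit the rewritten connection to be forwarded eth0 -> eth1.
    # Return traffic is assumed to be covered by an existing
    # ESTABLISHED,RELATED rule in FORWARD.
    echo "iptables $act FORWARD -i eth0 -o eth1 -s $CLIENT -d $SERVER -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT"
    # ENABLE_IPT_SNAT: the server sees the firewall's internal address as
    # the source, so its replies are routed back through the firewall.
    echo "iptables -t nat $act POSTROUTING -o eth1 -s $CLIENT -d $SERVER -p tcp --dport $PORT -j SNAT --to-source $SNAT_IP"
}

# Seconds the rules stay in place before they are removed again.
access_window() { echo "$TIMEOUT"; }

# Lifecycle of one SPA grant: add, wait FW_ACCESS_TIMEOUT, delete.
# A connection opened inside the window keeps its NAT binding in conntrack
# after the rules are gone, so only new connections are cut off.
grant_access() {
    nat_rules -A
    echo "sleep $(access_window)"
    nat_rules -D
}

grant_access
```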