Re: [Fwknop-discuss] Cannot create iptables rules using fwknop on dd-wrt
From: Frank N. <fra...@li...> - 2011-10-22 21:21:33
Hi Mike,

Thanks man, that information helped me solve the problem. I'll explain what the problem is below for the benefit of others.

I use the recommended build of dd-wrt (14929). That build ships with a pretty ancient version of iptables (1.3.7). If you run

    # iptables -I INPUT -p tcp --dport 12345 -m comment --comment "testing" -j ACCEPT

the command finishes without any error messages. The syslog is also clean. However, if you check using iptables -L there is no corresponding rule. BTW the exit code of the command is 0, so I don't think your program is to blame for not detecting the error.

To solve the problem I upgraded using optware to iptables version 1.4.9. At this point it is important to reboot the router. Only after the router comes back up is iptables 1.4.9 running. If you try to run

    # iptables -I INPUT -p tcp --dport 12345 -m comment --comment "testing" -j ACCEPT

the rule is added correctly to iptables.

Now for the weird part. To get fwknop to run you have to change the FIREWALL_EXE line in fwknopd.conf from /usr/sbin/iptables to iptables and NOT to /opt/usr/sbin/iptables (the location for the new iptables program). I figured that out by running:

    iptables -V
    result: iptables v1.4.9
    /usr/sbin/iptables -V
    result: iptables v1.3.7
    /opt/usr/sbin/iptables -V
    result: iptables v1.3.7

Also running whereis iptables yields

    iptables: /usr/sbin/iptables

So for some reason the system has a little trouble finding iptables; however, if the FIREWALL_EXE line in fwknopd.conf is set to iptables there are no more problems and I am able to reach sshd from my phone! Running fwknopd --fw-list shows the rules perfectly.

You asked about compiling fwknopd for dd-wrt. It was my first compilation of a program and all in all I'd say that it went pretty smoothly.
The process for compiling a package for optware / dd-wrt is documented on http://www.nslu2-linux.org/wiki/Optware/AddAPackageToOptware

It is important to note that you can't compile on a recent version of Ubuntu but that you need 8.04 or some other older version. I solved that by running the whole process in a virtualbox. When you compile the toolchain you have to resort to some tricks to get the right files the beast needs, but that is all solvable.

The biggest problem was a lot of malloc and realloc errors during compilation. With some googling I worked out that by putting

    export jm_cv_func_working_malloc=yes
    export ac_cv_func_malloc_0_nonnull=yes
    export ac_cv_func_rpl_realloc_0_nonnull=yes
    export ac_cv_func_realloc_0_nonnull=yes

in the make file the problem could be solved. But I think it is an ugly fix and I'm pretty sure some of these lines are redundant or wrong.

The options I used to compile fwknopd are

    --build=$(GNU_HOST_NAME) \
    --host=$(GNU_TARGET_NAME) \
    --target=$(GNU_TARGET_NAME) \

For these three the variable is supplied by the dd-wrt/optware part of the make file set. I don't know what it is set to, but since I now have a working version of fwknopd I don't really care. I supplied the following options myself:

    --disable-client \

I only wanted to try the server. Maybe I'll compile the client too, but for now I don't see the need. (At least not on a router.)

    --disable-static \

When I didn't use this option the compilation process finished without errors, but when I checked the ipk file the program complained about something to do with a static library. Don't really know what the problem was. Using this option got rid of it.

    --with-iptables=/usr/sbin/iptables \

I'm going to recompile the program and I'll change this option to --with-iptables=iptables; that way fwknop should work more out of the box.

    --prefix=/opt \

Optware is installed in /opt.

    --program-prefix="" \

If you don't use this option the fwknopd program gets the prefix mipsel-linux. I don't want that.
    --disable-pie \

This is the most important option. If you don't use this option the program will compile without errors, but it will seg fault upon running on the router. I found some references on other programs seg faulting on dd-wrt if pie was enabled, so I guess that dd-wrt doesn't support pie.

When I'm done testing I'll see if I can't upload the make file to optware / dd-wrt, unless of course you don't want me to. However, I'm a bit hesitant as this is the first time I compiled a program and I don't want to put a lot of people at risk with a faulty compilation. Also I have to figure out how to upload the make file.

Do send me an e-mail when you have the test suite more up and running. It would be interesting to test it.

Thanks for the help and your nice program,

Frank

> Date: Sat, 22 Oct 2011 13:45:31 -0400
> From: mb...@ci...
> To: fwk...@li...
> Subject: Re: [Fwknop-discuss] Cannot create iptables rules using fwknop on dd-wrt
>
> On Oct 22, 2011, Frank Ness wrote:
>
> > Hi,
>
> Hello Frank,
>
> > First of all apologies if this is a double post. I seem to have some trouble posting to the list.
>
> Not a double post - this one made it through.
>
> > The good news is I think I have succeeded in successfully compiling fwknopd to dd-wrt using optware. The program compiled without errors and runs on my router. The bad news is that it doesn't seem to create the iptables rules needed.
> >
> > If I start fwknopd and send a SPA packet from my android phone to my router fwknopd responds with:
> >
> > Using Digest Cache: '/var/run/fwknop/digest.cache' (entry count = 0)
> > Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
> > PCAP filter is: udp port 62201
> > Starting fwknopd main event loop.
> > SPA Packet from IP: <my phone ip> received.
> > SPA Packet: '+0e+uMnhekbCqfB1tHSenxfiiCrtkaxSJJzBNA5FfYiX1pmMC1cO5MhxmorkfGS2+z723Jd2Aj/4Y4oPNn1MmXQ9gc8yAziJGe0Rkiqt9GCwmXGzWzDVFiWPXg9zLDA9Az/xW2SIaEGudbGEn3hXqnb1O0HEJy74TlOvgjP8obBNlSMyucX4aw'
> > Added Rule to FWKNOP_INPUT for <my phone ip>, tcp/8822 expires at 1319299103
>
> The above looks normal. However, can you confirm that the iptables 'comment'
> match is compiled into the dd-wrt kernel? The "Added Rule..." message above
> should indicate that it's there because fwknopd checks the exit status of
> the iptables command it uses to add the rule, but I think it would be good
> to check manually just to be sure. Does this command generate any errors?:
>
> # iptables -I INPUT -p tcp --dport 12345 -m comment --comment "testing" -j ACCEPT
>
> > However I cannot reach ssh on my router. If I run (from a different ssh session) iptables -L I can see some entries relating to fwknopd. I get
> >
> > # iptables -L
> > Chain INPUT (policy ACCEPT)
> > target        prot opt source      destination
> > FWKNOP_INPUT  0    --  anywhere    anywhere
> >
> > Immediately after that I get some iptables rules I put in myself. Then after quite a lot more lines I get
> >
> > Chain FWKNOP_INPUT (1 references)
> > target        prot opt source      destination
> > Chain advgrp_1 (0 references)
> >
> > And the output continues but with no references to either my phone ip address or port 8822.
>
> You can list just the fwknopd rules with:
>
> # fwknopd --fw-list
>
> This may help interpret things if the iptables rule set is really large. If
> you try generating the SPA packet once again and immediately after can you
> execute the --fw-list command above? This will help to confirm whether
> fwknopd is actually able to add any corresponding access rule for the SPA
> packet. If the rule exists, then we'll need to investigate how fwknopd is
> adding the jump rule w.r.t. the rest of the policy.
>
> > Then after a while fwknop tells me:
> >
> > Did not find expire comment in rules list 0.
>
> This makes me think that the 'comment' match may not exist..
>
> > I'm stuck. As far as I can tell fwknopd runs without errors and can access iptables because I can see entries relating to fwknop in my iptables. These entries disappear (as they should) when I close fwknopd and reappear when I start fwknopd again. However, no iptables rules are created.
> >
> > Does anyone have a suggestion to solve this problem? Am I configuring fwknopd.conf or access.conf wrong? The output of fwknopd -D is attached below.
>
> That configuration looks good to me.
>
> Btw, I'm currently developing a test suite for fwknop:
>
> http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=shortlog;h=refs/heads/test_suite
>
> Once this is complete (another week or so) it may be interesting to try it
> out on your dd-wrt system. I'll send you an email once it is closer to
> being ready.
>
> On dd-wrt did you need to do anything special to get fwknop to compile? It's
> cool to see that it compiles properly on another platform.
>
> Thanks,
>
> --Mike
>
> > Thanks,
> >
> > Frank
> >
> > output of fwknopd -D
> > # fwknopd -D
> > Current fwknopd config settings:
> > 0. CONFIG_FILE = '/opt/etc/fwknop/fwknopd.conf'
> > 1. OVERRIDE_CONFIG = '<not set>'
> > 2. PCAP_INTF = 'vlan2'
> > 3. ENABLE_PCAP_PROMISC = 'N'
> > 4. PCAP_FILTER = 'udp port 62201'
> > 5. MAX_SNIFF_BYTES = '1500'
> > 6. ENABLE_SPA_PACKET_AGING = 'Y'
> > 7. MAX_SPA_PACKET_AGE = '120'
> > 8. ENABLE_DIGEST_PERSISTENCE = 'Y'
> > 9. CMD_EXEC_TIMEOUT = '<not set>'
> > 10. ENABLE_SPA_OVER_HTTP = 'N'
> > 11. ENABLE_TCP_SERVER = 'N'
> > 12. TCPSERV_PORT = '62201'
> > 13. LOCALE = '<not set>'
> > 14. SYSLOG_IDENTITY = 'fwknopd'
> > 15. SYSLOG_FACILITY = 'LOG_DAEMON'
> > 16. ENABLE_IPT_FORWARDING = 'N'
> > 17. ENABLE_IPT_LOCAL_NAT = 'Y'
> > 18. ENABLE_IPT_SNAT = 'N'
> > 19. SNAT_TRANSLATE_IP = '<not set>'
> > 20. ENABLE_IPT_OUTPUT = 'N'
> > 21. FLUSH_IPT_AT_INIT = 'Y'
> > 22. FLUSH_IPT_AT_EXIT = 'Y'
> > 23. IPT_INPUT_ACCESS = 'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
> > 24. IPT_OUTPUT_ACCESS = 'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
> > 25. IPT_FORWARD_ACCESS = 'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
> > 26. IPT_DNAT_ACCESS = 'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
> > 27. IPT_SNAT_ACCESS = 'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
> > 28. IPT_MASQUERADE_ACCESS = 'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
> > 29. FWKNOP_RUN_DIR = '/var/run/fwknop'
> > 30. FWKNOP_CONF_DIR = '/opt/etc/fwknop'
> > 31. ACCESS_FILE = '/opt/etc/fwknop/access.conf'
> > 32. FWKNOP_PID_FILE = '/var/run/fwknop/fwknopd.pid'
> > 33. DIGEST_FILE = '/var/run/fwknop/digest.cache'
> > 34. GPG_HOME_DIR = '/root/.gnupg'
> > 35. FIREWALL_EXE = '/usr/sbin/iptables'
> >
> > Current fwknopd access settings:
> > SOURCE (1): ANY
> > ==============================================================
> > OPEN_PORTS: tcp/8822,tcp/22
> > RESTRICT_PORTS: <not set>
> > KEY: <see the access.conf file>
> > FW_ACCESS_TIMEOUT: 30
> > ENABLE_CMD_EXEC: No
> > CMD_EXEC_USER: <not set>
> > REQUIRE_USERNAME: <not set>
> > REQUIRE_SOURCE_ADDRESS: No
> > GPG_HOME_DIR: <not set>
> > GPG_DECRYPT_ID: <not set>
> > GPG_DECRYPT_PW: <see the access.conf file>
> > GPG_REQUIRE_SIG: No
> > GPG_IGNORE_SIG_VERIFY_ERROR: No
> > GPG_REMOTE_ID: <not set>
> >
> > _______________________________________________
> > Fwknop-discuss mailing list
> > Fwk...@li...
> > https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
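An added check script, not from this thread or from the fwknop project, that turns the lesson of the exchange above into a repeatable test: it inserts a '-m comment' probe rule and confirms the rule is actually present in the listing instead of trusting the exit status (which was 0 on the dd-wrt iptables 1.3.7 build even though nothing was added), and it reports which binary a FIREWALL_EXE value resolves to. The chain (INPUT), probe port (12345) and comment text are my own choices; the round-trip probe needs root on the router, the listing helper does not.

```shell
#!/bin/sh
# Added example (not from the thread or from fwknop): verify that an iptables
# binary really honours '-m comment' by checking the listing after an insert,
# and show what a FIREWALL_EXE value resolves to. Assumed choices: chain INPUT,
# probe port 12345, the comment text below.

PROBE_PORT=${PROBE_PORT:-12345}
PROBE_COMMENT="fwknop-comment-probe"

# Pure helper, no root needed: does the text of 'iptables -L INPUT -n'
# contain a rule carrying the given comment? -L renders comments as '/* text */'.
listing_has_comment() {
    printf '%s\n' "$1" | grep -F -q -- "/* $2 */"
}

# Show what a FIREWALL_EXE value (bare name or absolute path) resolves to and
# which version answers there, mirroring the 'iptables -V' checks in the mail.
resolve_firewall_exe() {
    fw_path=$(command -v "$1" 2>/dev/null) || { echo "$1: not found"; return 1; }
    echo "$1 -> $fw_path: $("$fw_path" -V 2>&1)"
}

# Round trip: insert the probe rule, list the chain, delete the rule again.
# Returns 0 only if the rule was visible after insertion, 2 if iptables itself
# reported an error, 1 if it reported success but the rule is missing.
probe_comment_match() {
    ipt=$1
    "$ipt" -I INPUT -p tcp --dport "$PROBE_PORT" \
        -m comment --comment "$PROBE_COMMENT" -j ACCEPT || return 2
    rc=1
    if listing_has_comment "$("$ipt" -L INPUT -n 2>/dev/null)" "$PROBE_COMMENT"; then
        rc=0
    fi
    "$ipt" -D INPUT -p tcp --dport "$PROBE_PORT" \
        -m comment --comment "$PROBE_COMMENT" -j ACCEPT 2>/dev/null
    return $rc
}

# Usage: sh check_iptables_comment.sh iptables   (or an absolute path)
if [ -n "$1" ]; then
    resolve_firewall_exe "$1"
    if probe_comment_match "$1"; then
        echo "comment match works: rule was visible after insert"
    else
        echo "rule NOT visible after insert (the exit code alone would not show this)"
    fi
fi
```

Run it once per candidate path (iptables, /usr/sbin/iptables, /opt/usr/sbin/iptables) before pointing FIREWALL_EXE at one of them.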