step-by-step setup of fwknopd - need help (also with iptables)

[Martin - SNBuser]

Hi all,

I would like to please ask for a little help with iptables, to setup fwknopd on my Asus-(Merlin rom) RT-AC87U with entware. My situation is that I can ssh into the router from the internal network. If I do a port scan from outside, everything is "stealth" - fine so far, so good...

Now, I would like to change this - to be able to ssh into my router, from outside. I believe I can use guides such as http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#quick-start but I have some questions and my most severe problem is that I don't understand why my iptables rules look like they do:

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp !type 8
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate DNAT
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FUPNP (0 references)
target     prot opt source               destination         

Chain PControls (0 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain SECURITY (0 references)
target     prot opt source               destination         
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x02 limit: avg 1/sec burst 5
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x02
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x04 limit: avg 1/sec burst 5
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x04
RETURN     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain logaccept (0 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "ACCEPT "
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain logdrop (0 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "DROP "
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Why are the all these rules above? Why is it necessary with all these lines? I don't understand all these rules - somebody, please help if you know why or what all these rules do. I believe these are setup by Asus/Merlin, maybe based on my selections there, so I'm a little afraid of changing them (in any case, I would like to understand, thanks)...

I assume I should not enable ssh from the Asus-Merlin webgui, but let the fwknop-daemon temporarily handle the modification to iptables, for port 22, is that correct?

Next, I tried to to follow this guide https://help.ubuntu.com/community/SinglePacketAuthorization and it was easy to generate a key on my local pc using the command "gpg --gen-key". But then I had to do
"Generate Server-side GnuPG key pairs" and I discovered gpg is not available in my router, not even with entware which otherwise have so many packages, that this surprised me a little? It means, I cannot use GPG-keys, I think (if you know a way, please let me know). Instead of the GPG-method, I decided to use this method https://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html and on the client pc I wrote (yes, I wanted/would like to expose the SSH-server to port 443 instead of port 22, because port 443 is also used by HTTPS so I'm sure it'll work many places where there could be restrictions to port 22, the normal ssh port):

fwknop -A tcp/443 -D (my-external-IP: X.X.X.X) --key-gen --use-hmac --save-rc-stanza

I'm not sure what the "save-rc-stanza" does (tried to read about it, didn't understand it), but now I have KEY_BASE64 and HMAC_KEY_BASE64, which I inserted (using copy/paste) in the bottom of the /opt/etc/fwknop/access.conf file on the Asus RT-AC87U-router. According to this the instructions here https://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html I should now be able to start the fwknop-daemon. I did it like this (please watch the output errors, this is beginning to exceed my skills, I would really appreciate a little help/comments here, notice after a short while I begin to press CTRL+C --> ^C^C^C^C^C ):

@router:/tmp/mnt/sda/entware/etc/fwknop# fwknopd -fv
Opened access file: /opt/etc/fwknop/access.conf
Initialize access stanzas
Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
[+] Writing my PID (2653) to the lock file: /opt/var/fwknop/fwknopd.pid
Starting fwknopd
Using Digest Cache: '/opt/var/fwknop/digest.cache' (entry count = 0)
ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -s 127.0.0.2 -p udp -j ACCEPT' (res: 16, err: run_extcmd(): could not fdopen() pipe output file descriptor.
ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -s 127.0.0.2 -p udp -j ACCEPT' (res: -7, err: ))
ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -C INPUT -s 127.0.0.2 -p udp -j ACCEPT' (res: 16, err: run_extcmd(): could not fdopen() pipe output file descriptor.
ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -C INPUT -s 127.0.0.2 -p udp -j ACCEPT' (res: -7, err: )
ipt_chk_support() -C supported)
ipt_chk_support() -C supported
rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' (res: 16, err: run_extcmd(): could not fdopen() pipe output file descriptor.
rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' (res: -7, err: )
rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT already exists)
rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT already exists
jump_rule_exists_chk_support() jump rule found
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -D INPUT -j FWKNOP_INPUT' (res: 16, err: run_extcmd(): could not fdopen() pipe output file descriptor.
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -D INPUT -j FWKNOP_INPUT' (res: -7, err: ))
delete_all_chains() Error 16 from cmd:'/opt/sbin/iptables -t filter -D INPUT -j FWKNOP_INPUT': run_extcmd(): could not fdopen() pipe output file descriptor.
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -D INPUT -j FWKNOP_INPUT' (res: -7, err: )
rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' (res: 16, err: run_extcmd(): could not fdopen() pipe output file descriptor.
rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' (res: -7, err: )
rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT already exists)
rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT already exists
jump_rule_exists_chk_support() jump rule found
^C^C^C^C^Cdelete_all_chains() CMD: '/opt/sbin/iptables -t filter -D INPUT -j FWKNOP_INPUT' (res: 16, err: run_extcmd(): could not fdopen() pipe output file descriptor.
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -D INPUT -j FWKNOP_INPUT' (res: -7, err: ))
delete_all_chains() Error 16 from cmd:'/opt/sbin/iptables -t filter -D INPUT -j FWKNOP_INPUT': run_extcmd(): could not fdopen() pipe output file descriptor.
.... etc etc...
.... etc etc...
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -F FWKNOP_INPUT' (res: -7, err: )
delete_all_chains() Error -7 from cmd:'/opt/sbin/iptables -t filter -F FWKNOP_INPUT': )
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -X FWKNOP_INPUT' (res: 0, err: run_extcmd(): could not fdopen() pipe output file descriptor.
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -X FWKNOP_INPUT' (res: -7, err: )
delete_all_chains() Error -7 from cmd:'/opt/sbin/iptables -t filter -X FWKNOP_INPUT': )

Please help - what is the problem here? How to continue from here? How to eliminate these errors and problems, so I can continue to the next step (must open port 443 + I must send an SPA packet from outside and test)...

I really appreciate any help/advice/ideas, thanks!

 

[Martin - SNBuser]

Hi,

I think I'm close to a solution now. I think my usb-drive gets too hot and doesn't work good on the rt-87u router. I inserted a new usb-stick, reinstalled entware and a few packages including fwknop(d). This is what I got now:

# fwknopd  -f -v
Opened access file: /opt/etc/fwknop/access.conf
Initialize access stanzas
ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: SOURCE              ANY
    Var: SOURCE, Val: 'ANY'
ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: KEY_BASE64          gi+z3HrMWUKt/pIpsBOS01qYuGyzaAbIjZObv8+MIAc=
    Var: KEY_BASE64, Val: 'gi+z5HrMWUKt/pIpsBOS08qYuGyzaAbIjZObv8+MIAc='
ACCESS FILE: /opt/etc/fwknop/access.conf, LINE: HMAC_KEY_BASE64     JEbuMIaJewr+itntH8YHa+YuFvFjG0s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ1pSoElmNSOKM5QBtroDHRqg==
    Var: HMAC_KEY_BASE64, Val: 'JEbuMIaJewr+itntH1YHa+YuFvFjG8s7WbkaNslwcNxEgS2IexcSxg2avEug1GZ2pSoElmNSOKM5QBtroDHRqg=='
Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
[+] Writing my PID (6541) to the lock file: /opt/var/fwknop/fwknopd.pid
Starting fwknopd
Current fwknopd config settings:
  0. CONFIG_FILE                  =  '/opt/etc/fwknop/fwknopd.conf'
  1. OVERRIDE_CONFIG              =  '<not set>'
  2. PCAP_INTF                    =  'eth0'
  3. PCAP_FILE                    =  '<not set>'
...
...
...
...

36. IPT_INPUT_ACCESS             =  'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
37. IPT_OUTPUT_ACCESS            =  'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
38. IPT_FORWARD_ACCESS           =  'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
39. IPT_DNAT_ACCESS              =  'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
40. IPT_SNAT_ACCESS              =  'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
41. IPT_MASQUERADE_ACCESS        =  'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_MASQUERADE, 1'
42. ENABLE_IPT_COMMENT_CHECK     =  'Y'
43. FWKNOP_RUN_DIR               =  '/opt/var/fwknop'
44. FWKNOP_CONF_DIR              =  '/opt/etc/fwknop'
45. ACCESS_FILE                  =  '/opt/etc/fwknop/access.conf'
46. ACCESS_FOLDER                =  '<not set>'
47. FWKNOP_PID_FILE              =  '/opt/var/fwknop/fwknopd.pid'
48. DIGEST_FILE                  =  '/opt/var/fwknop/digest.cache'
49. GPG_HOME_DIR                 =  '/root/.gnupg'
50. GPG_EXE                      =  '/usr/bin/gpg'
51. SUDO_EXE                     =  '/usr/bin/sudo'
52. FIREWALL_EXE                 =  '/opt/sbin/iptables'
53. VERBOSE                      =  '3'
54. FAULT_INJECTION_TAG          =  '<not set>'

Current fwknopd access settings:
SOURCE (1):  ANY
==============================================================
...
...
...


Using Digest Cache: '/opt/var/fwknop/digest.cache' (entry count = 0)
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -I INPUT 1 -s 127.0.0.2 -p udp -j ACCEPT
run_extcmd(): returning 0, pid_status: 0
ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -s 127.0.0.2 -p udp -j ACCEPT' (res: 0, err: )
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -C INPUT -s 127.0.0.2 -p udp -j ACCEPT
run_extcmd(): returning 0, pid_status: 0
ipt_chk_support() CMD: '/opt/sbin/iptables -t filter -C INPUT -s 127.0.0.2 -p udp -j ACCEPT' (res: 0, err: )
ipt_chk_support() -C supported
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -D INPUT 1
run_extcmd(): returning 0, pid_status: 0
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 2
rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' (res: 0, err: iptables v1.4.21: Couldn't load target `FWKNOP_INPUT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.)
rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT does not exist
jump_rule_exists_chk_support() jump rule not found
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -F FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 1
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -F FWKNOP_INPUT' (res: 0, err: iptables: No chain/target/match by that name.)
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -X FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 1
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -X FWKNOP_INPUT' (res: 0, err: iptables: No chain/target/match by that name.)
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -L FWKNOP_INPUT -n
run_extcmd(): returning 0, pid_status: 1
chain_exists() CMD: '/opt/sbin/iptables -t filter -L FWKNOP_INPUT -n' (res: 0, err: iptables: No chain/target/match by that name.)
'filter' table 'FWKNOP_INPUT' chain exists
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -N FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 0
create_chain() CMD: '/opt/sbin/iptables -t filter -N FWKNOP_INPUT' (res: 0, err: )
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 1
rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' (res: 0, err: iptables: No chain/target/match by that name.)
rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT does not exist
jump_rule_exists_chk_support() jump rule not found
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 0
add_jump_rule() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT' (res: 0, err: )
Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -I INPUT 1 -s 127.0.0.2 -m comment --comment __TMPCOMMENT__ -j ACCEPT
run_extcmd(): returning 0, pid_status: 0
comment_match_exists() CMD: '/opt/sbin/iptables -t filter -I INPUT 1 -s 127.0.0.2 -m comment --comment __TMPCOMMENT__ -j ACCEPT' (res: 0, err: iptables: No chain/target/match by that name.)
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -L INPUT --line-numbers -n
run_extcmd(): returning 0, pid_status: 0
Warning: Could not use the 'comment' match
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 0
rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' (res: 0, err: )
rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT already exists
jump_rule_exists_chk_support() jump rule found
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -D INPUT -j FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 0
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -D INPUT -j FWKNOP_INPUT' (res: 0, err: )
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 1
rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' (res: 0, err: iptables: No chain/target/match by that name.)
rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT does not exist
jump_rule_exists_chk_support() jump rule not found
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -F FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 0
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -F FWKNOP_INPUT' (res: 0, err: )
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -X FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 0
delete_all_chains() CMD: '/opt/sbin/iptables -t filter -X FWKNOP_INPUT' (res: 0, err: )

My understanding is, it is running some initial tests. And it fails here:

run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 2
rule_exists_chk_support() CMD: '/opt/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' (res: 0, err: iptables v1.4.21: Couldn't load target `FWKNOP_INPUT':No such file or directory

I'm definately an iptables-noob, but as I understand it, "-j FWKNOP_INPUT" means something with target "FWKNOP_INPUT". Does this has something to do with option -N, --new-chain ?

A little later it says:

rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in INPUT does not exist
jump_rule_exists_chk_support() jump rule not found
run_extcmd() (with execvpe()): running CMD: /opt/sbin/iptables -t filter -F FWKNOP_INPUT
run_extcmd(): returning 0, pid_status: 1

There are several problems but I think the problem is now down to fixing or knowing what to do about these "FWKNOP_INPUT"-errors ?

I appreciate any guidance/help/suggestions (and as iptable noob, I think there are good chances many people can help and understand this/these error messages), thanks!


UPDATE: I received help on the fwknopd-mailing list: https://sourceforge.net/p/fwknop/mailman/message/35383517/ - it all works, I think!