fwknop questions

[alexandro]

Trying to play with the fwknop Entware NG package (port knocking single packet authorization- see demo ) and have some questions:

1. After Quick Start (generate keys, fill .conf file) service started ok, but syslog show errors

Feb 22 07:32:33 fwknopd[2758]: delete_all_chains() Error -7 from cmd:'/opt/sbin/iptables -t filter -F FWKNOP_INPUT':
Feb 22 07:32:33 fwknopd[2759]: run_extcmd(): could not fdopen() pipe output file descriptor.
Feb 22 07:32:33 fwknopd[2759]: delete_all_chains() Error -7 from cmd:'/opt/sbin/iptables -t filter -X FWKNOP_INPUT':
Feb 22 07:32:33 fwknopd[2760]: run_extcmd(): could not fdopen() pipe output file descriptor.
Feb 22 07:32:33 fwknopd[2760]: delete_all_chains() Error -7 from cmd:'/opt/sbin/iptables -t filter -X FWKNOP_INPUT':
Feb 22 07:32:33 fwknopd[2761]: run_extcmd(): could not fdopen() pipe output file descriptor.
Feb 22 07:32:33 fwknopd[2762]: run_extcmd(): could not fdopen() pipe output file descriptor.
Feb 22 07:32:33 fwknopd[2762]: delete_all_chains() Error -7 from cmd:'/opt/sbin/iptables -t filter -D INPUT -j FWKNOP_INPUT':
Feb 22 07:32:33 fwknopd[2763]: run_extcmd(): could not fdopen() pipe output file descriptor.
Feb 22 07:32:33 fwknopd[2764]: run_extcmd(): could not fdopen() pipe output file descriptor.

What's wrong with iptables or fwknop?

2. I see OpenWRT has Interface for fwknop from demo above. Is it possible to port this interface into Merlin firmware?

 

[Martin - SNBuser]

Hi, I think I remember this occured to me too. In case you're subscribed to new posts, and to help others:

As I remember it, you need to use the entware IPTABLES-binary as I assume you also installed fwknopd through entware. So "opkg install iptables". Then I don't remember if this is default or if you have to modify your path in a startup-file. From my shell, I get this:

echo $PATH
/opt/bin:/opt/sbin:/bin:/usr/bin:/sbin:/usr/sbin:/home/wrt54g:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin:/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/bin

It's obvious you need to have /opt/sbin/iptables in the beginning ("which iptables" to ensure you're running the correct iptables-binary).

I came to this point, with fwknopd http://www.snbforums.com/threads/step-by-step-setup-of-fwknopd-need-help-also-with-iptables.33792/
If I succeed with setting up fwknopd on my Asus router, I'll post what I did.

 

[harningt]

Any status update on this? Right now I have fwknop on my linux server box, but that's suboptimal, particularly due to docker making a mess of rules.