Knock server / CentOS 7 / iptables
Hi Everyone,
My knock server isn't working on CentOS 7 when I use it in combination with iptables. I disabled the default firewall in CentOS 7 and installed iptables (not using iptables is not an option). The syntax of the knockd configuration file is pretty simple, which makes debugging easy.
Code:
[options]

The knock log file does not show any activity. I had this before and it took hours to find out that I had to make some changes in some configuration file (systemd service file, security setting, etc.); unfortunately I don't remember which. My knocks do arrive at the server. This is from the logging of iptables traffic.
Code:
Oct 4 18:19:45 localhost kernel: IN=eno1 OUT= MAC=[thats me] SRC=[thats me as well] DST=[thats the server] LEN=28 TOS=0x08 PREC=0x40 TTL=117 ID=25835 PROTO=UDP SPT=54917 DPT=4444 LEN=8

Code:
[2019-10-04 17:57] starting up, listening on eno1

Best wishes,
Abstract
What are your existing firewall rules?
iptables rules
Hi Michael,
These are pretty simple, as it's a backup server:
Code:
#!/bin/bash
I tried your configuration on a Debian box and could not find anything obviously wrong, except that you configure the interface in knockd.conf, and from what I can find on the internet it is done via /etc/sysconfig/knockd. Debian uses /etc/default/knockd, which is basically the same thing.
Thank you for testing my configuration. My default file (/etc/default/knockd) looks like
Code:
START_KNOCKD=1

It's somewhere obvious, as the last time, when I found the problem, I was surprised how simple the solution was. SELinux is also not in the way; that has been disabled.
Maybe starting knockd with the -v option at the command line might provide additional information.
We are getting somewhere. With the -v option the log file did register more. It even did run the iptables command.
Code:
[2019-10-04 17:57] starting up, listening on eno1

As it was not added to the iptables rules at all.
abstract is the section from your knockd.conf, i.e. [abstract].
It looks like it was working, but you might want to add the debug option -D to see additional messages. Once you knock you have 10 seconds to log in to the server before the stop_command removes the iptables rule. Try:
Code:
knock server_name 4444 && ssh username@server_name
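As an added example that is not part of this thread or of the knockd project, the script below shows a knockd.conf of the shape being debugged above and two small shell helpers: one that reads a directive from a section and expands the %IP% placeholder the way knockd does for its command and stop_command, and one that pulls the sources of knocks on the knock port out of iptables LOG lines like the one posted earlier. The section name [abstract], the interface eno1, the UDP knock port 4444 and the 10-second cmd_timeout come from the thread; the log file path, the ssh port opened by the command, and the sample log lines and addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed knockd.conf: [abstract], eno1,
# 4444/udp and the 10-second window are from the thread; everything else is illustrative.
KNOCKD_CONF='[options]
        UseSyslog = no
        logfile   = /var/log/knockd.log
        interface = eno1

[abstract]
        sequence     = 4444:udp
        seq_timeout  = 5
        command      = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout  = 10
        stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT'

# Constructed iptables LOG lines (RFC 5737 addresses): two UDP knocks on 4444 from one
# host and an unrelated TCP packet to port 22 that must not be counted as a knock.
IPTABLES_LOG='Oct  4 18:19:45 localhost kernel: IN=eno1 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=28 TOS=0x08 PREC=0x40 TTL=117 ID=25835 PROTO=UDP SPT=54917 DPT=4444 LEN=8
Oct  4 18:19:46 localhost kernel: IN=eno1 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=22
Oct  4 18:19:47 localhost kernel: IN=eno1 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=28 PROTO=UDP SPT=54918 DPT=4444 LEN=8'

# conf_value SECTION KEY: print the value of KEY inside [SECTION] (exact key match,
# so "command" does not match "stop_command").
conf_value() {
    printf '%s\n' "$KNOCKD_CONF" | awk -v sec="[$1]" -v key="$2" '
        /^\[/ { insec = ($0 == sec); next }
        insec && $1 == key { sub(/^[^=]*=[ \t]*/, ""); print; exit }'
}

# render_command SECTION KEY IP: expand %IP% as knockd does before running the command.
render_command() {
    conf_value "$1" "$2" | sed "s/%IP%/$3/g"
}

# knock_sources PORT: unique SRC addresses of UDP datagrams logged with DPT=PORT.
knock_sources() {
    printf '%s\n' "$IPTABLES_LOG" | awk -v port="$1" '
        {
            src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (proto == "UDP" && dpt == port) print src
        }' | sort -u
}

# Demo: which hosts knocked, and what knockd would run for the first of them.
KNOCK_PORT=$(conf_value abstract sequence | sed 's/:.*//')
SRC_IP=$(knock_sources "$KNOCK_PORT" | head -n 1)
echo "knocks on ${KNOCK_PORT}/udp seen from: $(knock_sources "$KNOCK_PORT")"
echo "start:  $(render_command abstract command "$SRC_IP")"
echo "stop after $(conf_value abstract cmd_timeout)s: $(render_command abstract stop_command "$SRC_IP")"
```

On a live box the same check is: confirm the knock shows up in the iptables LOG output for the UDP port, confirm the knockd log records the opened sequence and the command it ran, and list the INPUT chain with `iptables -S INPUT` inside the cmd_timeout window to see the rule that stop_command will remove.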