LinuxQuestions.org > Linux - Networking > Knock server / Centos 7 / Iptables
https://www.linuxquestions.org/questions/linux-networking-3/knock-server-centos-7-iptables-4175662008/

Abstractt 10-04-2019 11:29 AM

Knock server / Centos 7 / Iptables
 
Hi Everyone,

My knock server isn't working on CentOS 7 when I use it in combination with iptables.
I disabled the default firewall in CentOS 7 and installed iptables (not using iptables is not an option).
The syntax of the knockd configuration file is pretty simple, to make debugging easy.

Code:

[options]
        UseSyslog
        Interface = eno1
        LogFile = /var/log/knockd.log

[abstract]
        # a single UDP knock on port 4444; tcpflags is only applied to TCP
        # knocks, so it has no effect on this UDP-only sequence
        sequence      = 4444:udp
        seq_timeout   = 15
        tcpflags      = syn,ack
        # %IP% is replaced with the address of the knocking client
        start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
        # seconds after start_command until stop_command removes the rule again
        cmd_timeout   = 10
        stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport ssh -j ACCEPT


The knock log file does not show any activity. I had this before, and it took hours to find out that I had to make some changes in some configuration file (systemd service file, security setting, etc.). Unfortunately I didn't remember which.

My knocks do arrive at the server. This is from the iptables traffic logging.

Code:

Oct  4 18:19:45 localhost kernel: IN=eno1 OUT= MAC=[that's me] SRC=[that's me as well] DST=[that's the server] LEN=28 TOS=0x08 PREC=0x40 TTL=117 ID=25835 PROTO=UDP SPT=54917 DPT=4444 LEN=8
This is all the knock log file shows, after the knock above:

Code:

[2019-10-04 17:57] starting up, listening on eno1
[2019-10-04 17:59] waiting for child processes...
[2019-10-04 17:59] shutting down
[2019-10-04 17:59] starting up, listening on eno1
[2019-10-04 18:18] waiting for child processes...
[2019-10-04 18:18] shutting down
[2019-10-04 18:19] starting up, listening on eno1

I know the solution is very simple. Unfortunately I've been running in circles now for hours.

Best Wishes,
Abstract

michaelk 10-04-2019 12:55 PM

What are your existing firewall rules?

Abstractt 10-04-2019 01:14 PM

iptables rules
 
Hi Michael,

These are pretty simple, as it's a backup server:

Code:

#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
iptables -F
#
# All the ports and states which should be allowed
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Localhost
iptables -A INPUT -i lo -j ACCEPT

# IPs which should always have access
iptables -A INPUT -s [ip address] -j ACCEPT
iptables -A INPUT -s [ip address] -j ACCEPT

# No explicit DROP rule here on purpose: knockd appends its per-client SSH
# ACCEPT with -A, so it must not land behind a terminating rule. The DROP
# policy below is only applied after every rule in the chain has been checked.

# Set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Save settings
#/sbin/service iptables save

# List rules
iptables -L -v
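
Added example, not code from the thread: the start_command in the knockd.conf above appends its ACCEPT with -A, so it only works if nothing earlier in INPUT already terminates evaluation for new SSH packets. The ruleset posted above relies on the chain policy for the drop, which is fine; a script that instead ends with an explicit "iptables -A INPUT -j DROP" would silently shadow every rule knockd appends. The check below reads "iptables -S INPUT" output and flags that. The three rulesets are constructed for the example, with RFC 5737 documentation addresses standing in for the redacted trusted IPs.

```shell
#!/bin/sh
# Added example: decide whether a rule knockd appends to INPUT with "-A"
# would ever be evaluated, or whether an earlier terminating rule hides it.
# Input is "iptables -S INPUT" output, one rule per line.

# Constructed: the rules the script in this thread creates, as iptables -S
# prints them (192.0.2.x stands in for the redacted trusted addresses).
RULESET_THREAD='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -j ACCEPT
-A INPUT -s 192.0.2.11/32 -j ACCEPT'

# Constructed: the same idea with an explicit catch-all DROP at the end of
# the chain; anything appended later lands behind it and is never reached.
RULESET_SHADOWED='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP'

# Constructed: a port-specific reject, which shadows exactly the SSH rule
# knockd would add.
RULESET_PORT_DROP='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable'

# knock_append_reachable RULESET
# Prints "reachable" if a rule appended to INPUT for new SSH traffic would be
# evaluated, otherwise "shadowed by: <rule>" naming the first DROP/REJECT
# rule that stops evaluation first: either an unconditional one, or one that
# matches TCP port 22 (reported conservatively even when it also carries a
# source restriction, since that still deserves a look).
knock_append_reachable() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && / -j (DROP|REJECT)( |$)/ {
            cond = $0
            sub(/^-A INPUT /, "", cond)            # drop the chain name
            sub(/-j (DROP|REJECT).*$/, "", cond)   # drop target and its options
            sub(/ +$/, "", cond)
            if (cond == "" || cond ~ /--dport (22|ssh)( |$)/) {
                print "shadowed by: " $0
                found = 1
                exit
            }
        }
        END { if (!found) print "reachable" }'
}

# A chain policy is not a rule: a DROP policy still lets every appended rule
# run first, which is why the ruleset from the thread passes.
knock_append_reachable "$RULESET_THREAD"
knock_append_reachable "$RULESET_SHADOWED"
knock_append_reachable "$RULESET_PORT_DROP"
```

On a live box feed it the real chain: knock_append_reachable "$(iptables -S INPUT)". If it reports a shadowing rule, either drop the explicit catch-all in favour of the chain policy, as the script above does, or change start_command to insert with "-I INPUT" instead of appending.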


michaelk 10-04-2019 02:55 PM

I tried your configuration on a Debian box and could not find anything obviously wrong, except that you configure the interface in knockd.conf and from what I can find on the internet it is via /etc/sysconfig/knockd. Debian uses /etc/default/knockd, which is basically the same thing.

Abstractt 10-04-2019 03:32 PM

Thank you for testing my configuration. My default file (/etc/default/knockd) looks like:

Code:

START_KNOCKD=1

# command line options
KNOCKD_OPTS="-i eno1"

Indeed, the name of the interface is eno1. I'm 100% sure my knock configuration (/etc/knockd.conf, /etc/default/knockd) does not contain any critical faults that would stop it from functioning. There is a configuration file somewhere in CentOS 7 where I either need to set the knock configuration to iptables or to the IPv4 protocol.

It's somewhere obvious, as the last time I found the problem I was surprised how simple the solution was.
SELinux is also not in the way. That has been disabled.

michaelk 10-04-2019 03:45 PM

Maybe starting knockd with the -v option at the command line might provide additional information.

Abstractt 10-04-2019 04:09 PM

We are getting somewhere. With the -v option the log file did register more. It even ran the iptables command:

Code:

[2019-10-04 17:57] starting up, listening on eno1
[2019-10-04 17:59] waiting for child processes...
[2019-10-04 17:59] shutting down
[2019-10-04 17:59] starting up, listening on eno1
[2019-10-04 18:18] waiting for child processes...
[2019-10-04 18:18] shutting down
[2019-10-04 18:19] starting up, listening on eno1
[2019-10-04 22:25] waiting for child processes...
[2019-10-04 22:25] shutting down
[2019-10-04 22:25] starting up, listening on eno1
[2019-10-04 23:01] waiting for child processes...
[2019-10-04 23:01] shutting down
[2019-10-04 23:01] starting up, listening on eno1
[2019-10-04 23:01] waiting for child processes...
[2019-10-04 23:01] shutting down
[2019-10-04 23:01] starting up, listening on eno1
[2019-10-04 23:01] [my ip]: abstract: Stage 1
[2019-10-04 23:01] [my ip]: abstract: OPEN SESAME
[2019-10-04 23:01] abstract: running command: /sbin/iptables -A INPUT -s [my ip] -p tcp --dport ssh -j ACCEPT

[2019-10-04 23:01] [my ip]: abstract: Stage 1
[2019-10-04 23:01] [my ip]: abstract: OPEN SESAME
[2019-10-04 23:01] abstract: running command: /sbin/iptables -A INPUT -s [my ip] -p tcp --dport ssh -j ACCEPT

[2019-10-04 23:01] [my ip]: abstract: command timeout
[2019-10-04 23:01] abstract: running command: /sbin/iptables -D INPUT -s [my ip] -p tcp --dport ssh -j ACCEPT

[2019-10-04 23:01] [my ip]: abstract: command timeout
[2019-10-04 23:01] abstract: running command: /sbin/iptables -D INPUT -s [my ip] -p tcp --dport ssh -j ACCEPT

[2019-10-04 23:02] [my ip]: abstract: Stage 1
[2019-10-04 23:02] [my ip]: abstract: OPEN SESAME
[2019-10-04 23:02] abstract: running command: /sbin/iptables -A INPUT -s [my ip] -p tcp --dport ssh -j ACCEPT

[2019-10-04 23:02] [my ip]: abstract: command timeout
[2019-10-04 23:02] abstract: running command: /sbin/iptables -D INPUT -s [my ip] -p tcp --dport ssh -j ACCEPT

[2019-10-04 23:03] [my ip]: abstract: Stage 1
[2019-10-04 23:03] [my ip]: abstract: OPEN SESAME
[2019-10-04 23:03] abstract: running command: /sbin/iptables -A INPUT -s [my ip] -p tcp --dport ssh -j ACCEPT

[2019-10-04 23:03] [my ip]: abstract: command timeout
[2019-10-04 23:03] abstract: running command: /sbin/iptables -D INPUT -s [my ip] -p tcp --dport ssh -j ACCEPT

Now "abstract" is a username. Does this knockd log say the iptables command ran under abstract? That would explain why it was not added to the iptables rules, as it was not added to them at all.
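
Added example, not part of the thread: once knockd logs "running command" lines like the ones above, the thing worth watching is that every -A is followed by its -D. A stop_command that never runs (knockd restarted inside the cmd_timeout window, or the iptables -D failing) leaves that client's SSH ACCEPT in the INPUT chain until someone deletes it. The audit below pairs the two per source address over constructed log lines in the same format; 203.0.113.5 and 198.51.100.7 are documentation addresses standing in for the redacted [my ip].

```shell
#!/bin/sh
# Added example: audit knockd -v log lines for ACCEPT rules that were added
# (start_command, iptables -A) without a matching removal (stop_command,
# iptables -D).  Such a rule stays in INPUT until someone deletes it.

# Constructed log excerpt in the format knockd -v writes (see the thread);
# 198.51.100.7 knocks and knockd is restarted before its -D is logged.
KNOCKD_LOG='[2019-10-04 23:01] starting up, listening on eno1
[2019-10-04 23:01] 203.0.113.5: abstract: Stage 1
[2019-10-04 23:01] 203.0.113.5: abstract: OPEN SESAME
[2019-10-04 23:01] abstract: running command: /sbin/iptables -A INPUT -s 203.0.113.5 -p tcp --dport ssh -j ACCEPT
[2019-10-04 23:01] 203.0.113.5: abstract: command timeout
[2019-10-04 23:01] abstract: running command: /sbin/iptables -D INPUT -s 203.0.113.5 -p tcp --dport ssh -j ACCEPT
[2019-10-04 23:02] 198.51.100.7: abstract: Stage 1
[2019-10-04 23:02] 198.51.100.7: abstract: OPEN SESAME
[2019-10-04 23:02] abstract: running command: /sbin/iptables -A INPUT -s 198.51.100.7 -p tcp --dport ssh -j ACCEPT
[2019-10-04 23:02] waiting for child processes...
[2019-10-04 23:02] shutting down
[2019-10-04 23:03] starting up, listening on eno1
[2019-10-04 23:03] 203.0.113.5: abstract: Stage 1
[2019-10-04 23:03] 203.0.113.5: abstract: OPEN SESAME
[2019-10-04 23:03] abstract: running command: /sbin/iptables -A INPUT -s 203.0.113.5 -p tcp --dport ssh -j ACCEPT
[2019-10-04 23:03] 203.0.113.5: abstract: command timeout
[2019-10-04 23:03] abstract: running command: /sbin/iptables -D INPUT -s 203.0.113.5 -p tcp --dport ssh -j ACCEPT'

# knockd_unclosed LOG
# One "<ip> <adds> <removes>" line per source address whose -A ran more
# often than its -D.  Empty output means every opened rule was closed again.
knockd_unclosed() {
    printf '%s\n' "$1" | awk '
        # the address is the argument after -s in the logged iptables command
        function src(line,   n, f, i) {
            n = split(line, f, " ")
            for (i = 1; i < n; i++) if (f[i] == "-s") return f[i + 1]
            return "?"
        }
        /running command: .* -A INPUT -s / { opened[src($0)]++ }
        /running command: .* -D INPUT -s / { closed[src($0)]++ }
        END {
            for (ip in opened)
                if (opened[ip] > closed[ip] + 0)
                    print ip, opened[ip], closed[ip] + 0
        }' | sort
}

# knockd_unclosed_count LOG: number of addresses reported, for alerting.
knockd_unclosed_count() {
    knockd_unclosed "$1" | wc -l | tr -d ' '
}

knockd_unclosed "$KNOCKD_LOG"
```

Run it as knockd_unclosed "$(cat /var/log/knockd.log)" and reconcile any address it prints against "iptables -S INPUT". The reason this matters: a single UDP datagram to a fixed port is visible to anyone on the path and can be replayed, so the knock gates exposure of the SSH port rather than authenticating the client; the 10-second window is the whole protection, and a rule that outlives it is an open port.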

michaelk 10-04-2019 06:15 PM

abstract is the section from your knockd.conf, i.e. [abstract].

It looks like it was working, but you might want to add the debug option -D to see additional messages. Once you knock you have 10 seconds to log in to the server before the stop_command removes the iptables rule.

Try:

Code:

# the [abstract] door expects 4444:udp; knock sends TCP unless told otherwise
knock server_name 4444:udp && ssh username@server_name
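
Added example, not from the thread: the knock client has to send the same protocol the door expects. The sequence in the posted knockd.conf is 4444:udp, and knock(1) takes the same port[:proto] syntax, so the least error-prone way to build the client command is from the server's knockd.conf rather than by hand. The script below does that, and also lints the door for the tcpflags line, which knockd applies to TCP knocks only and which therefore does nothing for a UDP-only sequence. The config is a constructed copy of the one posted above; backup.example.org is a placeholder host.

```shell
#!/bin/sh
# Added example: derive the knock(1) command line for a door from knockd.conf
# and lint the door for settings that silently do nothing.  Both read the
# config text only, so they run without knockd installed.

# Constructed copy of the knockd.conf posted in this thread.
KNOCKD_CONF='[options]
        UseSyslog
        Interface = eno1
        LogFile = /var/log/knockd.log

[abstract]
        sequence      = 4444:udp
        seq_timeout   = 15
        tcpflags      = syn,ack
        start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
        cmd_timeout   = 10
        stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport ssh -j ACCEPT'

# door_settings CONF DOOR: "key=value" lines of one [DOOR] section.
door_settings() {
    printf '%s\n' "$1" | awk -v door="$2" '
        /^\[/ { insec = ($0 == "[" door "]"); next }
        insec && /=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)   # text after "="
            print $1 "=" val
        }'
}

# knock_cmd CONF DOOR HOST: the client command matching the door.
# knockd writes a sequence as "port" (TCP) or "port:udp", comma separated;
# knock(1) accepts the same port[:proto] tokens, so they pass straight through.
knock_cmd() {
    ports=$(door_settings "$1" "$2" | sed -n 's/^sequence=//p' | tr ',' ' ')
    printf 'knock %s %s\n' "$3" "$ports"
}

# knockd_lint CONF DOOR: one warning per line, nothing if all is well.
knockd_lint() {
    door_settings "$1" "$2" | awk -F= '
        { cfg[$1] = substr($0, length($1) + 2) }
        END {
            seq = cfg["sequence"]; gsub(/,/, " ", seq)
            n = split(seq, p, " ")
            for (i = 1; i <= n; i++) if (p[i] !~ /:udp$/) tcp = 1
            if (("tcpflags" in cfg) && !tcp)
                print "tcpflags is set but the sequence has no TCP port; knockd checks flags only on TCP knocks"
            if (("tcpflags" in cfg) && tcp && cfg["tcpflags"] ~ /(^|,)ack(,|$)/)
                print "tcpflags requires ack: the initial SYN of a client knock has no ACK set and will not match"
            if (("start_command" in cfg) && !("stop_command" in cfg))
                print "start_command without stop_command: the rule is never removed"
        }'
}

knock_cmd "$KNOCKD_CONF" abstract backup.example.org
knockd_lint "$KNOCKD_CONF" abstract
```

Against the real file: cmd=$(knock_cmd "$(cat /etc/knockd.conf)" abstract backup.example.org) and then $cmd && ssh username@backup.example.org, which keeps the login inside the cmd_timeout window the same way the one-liner above does.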

