Old 10-04-2019, 11:29 AM   #1
Abstractt
LQ Newbie
 
Registered: Nov 2007
Posts: 11

Rep: Reputation: 0
Knock server / Centos 7 / Iptables


Hi Everyone,

My knock server isn't working on CentOS 7 when I use it in combination with iptables.
I disabled the default firewall in CentOS 7 and installed iptables (not using iptables is not an option).
The syntax of the knockd configuration file is pretty simple, to make debugging easy.

Code:
[options]
        UseSyslog
        Interface = eno1
        LogFile = /var/log/knockd.log

[abstract]
        sequence      = 4444:udp
        seq_timeout   = 15
        tcpflags      = syn,ack
        start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
        cmd_timeout   = 10
        stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport ssh -j ACCEPT

The knock log file does not show any activity. I had this before and it took hours to find out that in some configuration file (systemd service file, security setting, etc.) I had to make some changes. (Unfortunately I didn't remember which.)

My knocks do arrive at the server. This is from the logging of iptables traffic.

Code:
Oct  4 18:19:45 localhost kernel: IN=eno1 OUT= MAC=[thats me] SRC=[thats me as well] DST=[thats the server] LEN=28 TOS=0x08 PREC=0x40 TTL=117 ID=25835 PROTO=UDP SPT=54917 DPT=4444 LEN=8
This is all the knock log file shows, after the knock above:

Code:
[2019-10-04 17:57] starting up, listening on eno1
[2019-10-04 17:59] waiting for child processes...
[2019-10-04 17:59] shutting down
[2019-10-04 17:59] starting up, listening on eno1
[2019-10-04 18:18] waiting for child processes...
[2019-10-04 18:18] shutting down
[2019-10-04 18:19] starting up, listening on eno1
I know the solution is very simple. Unfortunately I've been running in circles now for hours.

Best Wishes,
Abstract
 
Old 10-04-2019, 12:55 PM   #2
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,747

Rep: Reputation: 5925
What are your existing firewall rules?
 
Old 10-04-2019, 01:14 PM   #3
Abstractt
LQ Newbie
 
Registered: Nov 2007
Posts: 11

Original Poster
Rep: Reputation: 0
iptables rules

Hi Michael,

These are pretty simple as it's a backup server:

Code:
#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
iptables -F
#
# All the ports and states which should be allowed
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Localhost
iptables -A INPUT -i lo -j ACCEPT

# IPs which should always have access
iptables -A INPUT -s [ip address] -j ACCEPT
iptables -A INPUT -s [ip address] -j ACCEPT


# Set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Save settings
#/sbin/service iptables save

# List rules
iptables -L -v
 
Old 10-04-2019, 02:55 PM   #4
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,747

Rep: Reputation: 5925
I tried your configuration on a Debian box and could not find anything obviously wrong, except that you configure the interface in knockd.conf and from what I can find on the internet it is via /etc/sysconfig/knockd. Debian uses /etc/default/knockd, which is basically the same thing.
 
Old 10-04-2019, 03:32 PM   #5
Abstractt
LQ Newbie
 
Registered: Nov 2007
Posts: 11

Original Poster
Rep: Reputation: 0
Thank you for testing my configuration. My default file (/etc/default/knockd) looks like:

Code:
START_KNOCKD=1

# command line options
KNOCKD_OPTS="-i eno1"
Indeed the name of the interface is eno1. I'm 100% sure my knock configuration (/etc/knockd.conf, /etc/default/knockd) does not contain any critical faults that would stop it from functioning. There is somewhere a configuration file of CentOS 7 where I either need to set the knock configuration to iptables or to the IPv4 protocol.

It's somewhere obvious as the last time when I found the problem, I was surprised how simple the solution was.
SELinux is also not in the way. That has been disabled.
 
Old 10-04-2019, 03:45 PM   #6
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,747

Rep: Reputation: 5925
Maybe starting knockd with the -v option at the command line might provide additional information.
 
Old 10-04-2019, 04:09 PM   #7
Abstractt
LQ Newbie
 
Registered: Nov 2007
Posts: 11

Original Poster
Rep: Reputation: 0
We are getting somewhere. With the -v option the log file did register more. It even did run the iptables command:

Code:
[2019-10-04 17:57] starting up, listening on eno1
[2019-10-04 17:59] waiting for child processes...
[2019-10-04 17:59] shutting down
[2019-10-04 17:59] starting up, listening on eno1
[2019-10-04 18:18] waiting for child processes...
[2019-10-04 18:18] shutting down
[2019-10-04 18:19] starting up, listening on eno1
[2019-10-04 22:25] waiting for child processes...
[2019-10-04 22:25] shutting down
[2019-10-04 22:25] starting up, listening on eno1
[2019-10-04 23:01] waiting for child processes...
[2019-10-04 23:01] shutting down
[2019-10-04 23:01] starting up, listening on eno1
[2019-10-04 23:01] waiting for child processes...
[2019-10-04 23:01] shutting down
[2019-10-04 23:01] starting up, listening on eno1
[2019-10-04 23:01] [my ip]: abstract: Stage 1
[2019-10-04 23:01] [my ip]: abstract: OPEN SESAME
[2019-10-04 23:01] abstract: running command: /sbin/iptables -A INPUT -s [my ip] -p tcp --dport ssh -j ACCEPT

[2019-10-04 23:01] [my ip]: abstract: Stage 1
[2019-10-04 23:01] [my ip]: abstract: OPEN SESAME
[2019-10-04 23:01] abstract: running command: /sbin/iptables -A INPUT -s [my ip] -p tcp --dport ssh -j ACCEPT

[2019-10-04 23:01] [my ip]: abstract: command timeout
[2019-10-04 23:01] abstract: running command: /sbin/iptables -D INPUT -s [my ip] -p tcp --dport ssh -j ACCEPT

[2019-10-04 23:01] [my ip]: abstract: command timeout
[2019-10-04 23:01] abstract: running command: /sbin/iptables -D INPUT -s [my ip] -p tcp --dport ssh -j ACCEPT

[2019-10-04 23:02] [my ip]: abstract: Stage 1
[2019-10-04 23:02] [my ip]: abstract: OPEN SESAME
[2019-10-04 23:02] abstract: running command: /sbin/iptables -A INPUT -s [my ip] -p tcp --dport ssh -j ACCEPT

[2019-10-04 23:02] [my ip]: abstract: command timeout
[2019-10-04 23:02] abstract: running command: /sbin/iptables -D INPUT -s [my ip] -p tcp --dport ssh -j ACCEPT

[2019-10-04 23:03] [my ip]: abstract: Stage 1
[2019-10-04 23:03] [my ip]: abstract: OPEN SESAME
[2019-10-04 23:03] abstract: running command: /sbin/iptables -A INPUT -s [my ip] -p tcp --dport ssh -j ACCEPT

[2019-10-04 23:03] [my ip]: abstract: command timeout
[2019-10-04 23:03] abstract: running command: /sbin/iptables -D INPUT -s [my ip] -p tcp --dport ssh -j ACCEPT
Now "abstract" is a username. Does this knockd log say the iptables command ran under abstract? That would explain why it was not added to iptables,
as it was not added to the iptables rules at all.
 
Old 10-04-2019, 06:15 PM   #8
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,747

Rep: Reputation: 5925
abstract is the section from your knockd.conf, i.e. [abstract].

It looks like it was working but you might want to add the debug option -D to see additional messages. Once you knock you have 10 seconds to login to the server before the stop_command removes the iptables rule.

Try:
knock server_name 4444 && ssh username@server_name
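A small audit of the knockd -v log discussed above, as an added example that is not part of this thread: it pairs each "running command: ... -A INPUT" line with the later "-D INPUT" that cmd_timeout triggers, so you can see when a repeated knock has left two identical ACCEPT rules and, more importantly, when a rule was opened but never removed. The log excerpt is constructed in the format knockd writes (addresses from documentation ranges), and the function names are mine.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format knockd -v writes; not a real capture.
KNOCKD_LOG = """\
[2019-10-04 23:01] 198.51.100.7: abstract: Stage 1
[2019-10-04 23:01] 198.51.100.7: abstract: OPEN SESAME
[2019-10-04 23:01] abstract: running command: /sbin/iptables -A INPUT -s 198.51.100.7 -p tcp --dport ssh -j ACCEPT
[2019-10-04 23:01] 198.51.100.7: abstract: Stage 1
[2019-10-04 23:01] 198.51.100.7: abstract: OPEN SESAME
[2019-10-04 23:01] abstract: running command: /sbin/iptables -A INPUT -s 198.51.100.7 -p tcp --dport ssh -j ACCEPT
[2019-10-04 23:01] 198.51.100.7: abstract: command timeout
[2019-10-04 23:01] abstract: running command: /sbin/iptables -D INPUT -s 198.51.100.7 -p tcp --dport ssh -j ACCEPT
[2019-10-04 23:01] 198.51.100.7: abstract: command timeout
[2019-10-04 23:01] abstract: running command: /sbin/iptables -D INPUT -s 198.51.100.7 -p tcp --dport ssh -j ACCEPT
[2019-10-04 23:03] 203.0.113.9: abstract: Stage 1
[2019-10-04 23:03] 203.0.113.9: abstract: OPEN SESAME
[2019-10-04 23:03] abstract: running command: /sbin/iptables -A INPUT -s 203.0.113.9 -p tcp --dport ssh -j ACCEPT
"""

# "[timestamp] <section>: running command: <cmd>" lines only; Stage/OPEN SESAME lines are skipped.
CMD_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<section>\S+): running command: (?P<cmd>.+)$")
# The start_command/stop_command from the thread: -A adds, -D deletes, one rule per source IP.
RULE_RE = re.compile(r"iptables -(?P<op>[AD]) INPUT -s (?P<ip>\S+) ")


def outstanding_rules(log_text):
    """Per source IP: (number of ACCEPT rules added but not yet deleted, last timestamp).

    knockd appends one rule per completed sequence and deletes one per cmd_timeout,
    so a doubled knock briefly yields a count of 2; a count that never returns to 0
    means the stop_command did not run and the SSH rule is still in INPUT.
    """
    open_count = defaultdict(int)
    last_seen = {}
    for line in log_text.splitlines():
        m = CMD_RE.match(line)
        if not m:
            continue
        r = RULE_RE.search(m.group("cmd"))
        if not r:
            continue
        ip = r.group("ip")
        open_count[ip] += 1 if r.group("op") == "A" else -1
        last_seen[ip] = m.group("ts")
    return {ip: (n, last_seen[ip]) for ip, n in open_count.items()}


def still_open(log_text):
    """Source IPs whose knock-opened SSH rule has not been removed, per the log."""
    return sorted(ip for ip, (n, _) in outstanding_rules(log_text).items() if n > 0)
```

knockd timestamps have minute resolution, so this cannot measure the 10-second cmd_timeout itself; compare its output against `iptables -S INPUT` to confirm the rules on the box match the log.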
 