Last updated: 2024-06-28
Contents
- SPA Packet validity period
- Forward Rule
- Run Program
- SPA Packet Format
- Advanced fwknopd.conf settings
- Advanced access.conf settings
- DIGEST_TYPE and HMAC_DIGEST_TYPE
- include
- Summary
SPA Packet validity period
MAX_SPA_PACKET_AGE
Maximum allowed time difference between client and server
ENABLE_SPA_PACKET_AGING (Default: Y)
This instructs fwknopd to not honor SPA packets that have an old time stamp.
The value for “old” is defined by the “MAX_SPA_PACKET_AGE” variable.
“N” = fwknopd will not use the client time stamp at all.
ENABLE_DIGEST_PERSISTENCE <Y/N>
Track digest sums associated with previous SPA packets processed by fwknopd.
“N” => fwknopd will not check incoming SPA packet data against any previously saved digests.
Forward Rule
FORCE_NAT <IP> <PORT>
For any valid SPA packet, force the requested connection to be NAT'd through to the specified (usually internal) IP and port value.
Use case:
This is useful if there are multiple internal systems running a service such as SSHD,
and you want to give transparent access to only one internal system for each stanza in the access.conf file.
This way, multiple external users can each directly access only one internal system per SPA key.
log
(stanza #1) SPA Packet from IP: s.s.s.s received with access source match
Added FORWARD rule to FWKNOP_FORWARD for s.s.s.s -> 192.168.123.31 tcp/3389, expires at 1519708948
Added DNAT rule to FWKNOP_PREROUTING for s.s.s.s -> 0.0.0.0/0 tcp/3389, expires at 1519708948
ENABLE_DESTINATION_RULE Y
Controls whether fwknopd will set the destination field
on the firewall rule to the destination address specified on the incoming SPA packet.
DNAT rules will also have their destination field set.
The default is "N", which sets the destination field to 0.0.0.0/0
FORCE_NAT
access.conf
FORCE_NAT 192.168.123.31 3389
REQUIRE_USERNAME STRING
Require a specific username from the client system as encoded in the SPA data.
This variable is optional and if not specified, the username data in the SPA data is ignored.
* We can use this field to tell which host a service lives on
* The mobile client does not support username
Run Program
ENABLE_CMD_EXEC <Y/N> # Default N
This instructs fwknopd to accept complete commands that are contained within an authorization packet.
Any such command will be executed on the fwknopd server as the user specified by the "CMD_EXEC_USER"
or as the user that started fwknopd if that is not set.
CMD_EXEC_USER <username>
If this variable is not given, fwknopd will execute the command as the user it is running as (most likely root).
SPA Packet Format
Fields:
- 16 bytes of random data # No two SPA packets are identical,
  # because they contain 16 bytes of random data before being encrypted
- Local username
- Local time stamp
- fwknop version
- SPA message type
- Access request or command to execute
- Optional Field
Message Type:
- 1 (Access msg) # Open Port (-A)
- 3 (Client timeout access msg) # Open Port (-A)
- ...
- 5 (Local NAT access msg) # --nat-local
- 6 (Client timeout local NAT access msg) # --nat-local
Optional Fields:
- NAT access request
- Third-party authentication information
- Firewall rule timeout (Client Timeout)
Testing
With fwknop -v, --verbose you can see the Encoded Data
# When FW_TIMEOUT is set, Message Type changes from 1 -> 3
Random Value: 2504734574395169
Username: root
Timestamp: 1720583698
FKO Version: 3.0.0
Message Type: 3 (Client timeout access msg)
Message String: S.S.S.S,tcp/22
...
Client Timeout: 10
...
Encoded Data: 2504734574395169:cm9vdA:1720583698:3.0.0:3:MSG:10
"cm9vdA" is the base64 encoding of "root"
MSG: echo -n 'Message String' | base64 | tr -d =
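The Encoded Data line above is a colon-separated record, and the first section of this page describes the two server-side replay defences that act on it (MAX_SPA_PACKET_AGE and ENABLE_DIGEST_PERSISTENCE). The POSIX shell script below is an added example, not code from the fwknop project: it rebuilds the record from the fields shown in the -v output (`rand:b64(user):timestamp:version:type:b64(msg)[:timeout]`, with the unpadded base64 the page describes), decodes it again, and models the age window and the seen-digest check. The digest store file and the use of sha256sum for it are assumptions of this example; fwknopd's own digest format is not described on this page.

```shell
#!/bin/sh
# Added example (not fwknop code): encode/decode the SPA field record shown
# in the -v output and model the age and digest-persistence checks.

# base64 without '=' padding, as the page shows for the username and message
b64_nopad() {
    printf '%s' "$1" | base64 | tr -d '=\n'
}

# restore '=' padding (length must be a multiple of 4) before decoding
b64_nopad_decode() {
    s=$1
    while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done
    printf '%s' "$s" | base64 -d
}

# rand:b64(user):timestamp:version:type:b64(msg)[:timeout]
spa_encode() {
    rand=$1; user=$2; ts=$3; ver=$4; type=$5; msg=$6; timeout=$7
    out="$rand:$(b64_nopad "$user"):$ts:$ver:$type:$(b64_nopad "$msg")"
    if [ -n "$timeout" ]; then out="$out:$timeout"; fi
    printf '%s\n' "$out"
}

# print the decoded fields in the same layout as fwknop -v
spa_decode() {
    IFS=: read -r rand user ts ver type msg timeout <<EOF
$1
EOF
    printf 'Random Value: %s\nUsername: %s\nTimestamp: %s\nFKO Version: %s\n' \
        "$rand" "$(b64_nopad_decode "$user")" "$ts" "$ver"
    printf 'Message Type: %s\nMessage String: %s\n' "$type" "$(b64_nopad_decode "$msg")"
    if [ -n "$timeout" ]; then printf 'Client Timeout: %s\n' "$timeout"; fi
}

# ENABLE_SPA_PACKET_AGING: accept only if |now - timestamp| <= MAX_SPA_PACKET_AGE
spa_age_ok() {
    now=$1; ts=$2; max=$3
    diff=$(( now - ts ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    [ "$diff" -le "$max" ]
}

# ENABLE_DIGEST_PERSISTENCE: remember the digest of every accepted packet;
# seeing the same digest again is a replay. Store file and hash are assumptions.
DIGEST_DB=${DIGEST_DB:-$(mktemp)}
spa_digest_fresh() {
    d=$(printf '%s' "$1" | sha256sum | cut -d' ' -f1)
    if grep -qx "$d" "$DIGEST_DB" 2>/dev/null; then
        return 1   # already processed: reject
    fi
    printf '%s\n' "$d" >> "$DIGEST_DB"
}

# Demo with the field values from the -v output above (S.S.S.S is the page's placeholder)
enc=$(spa_encode 2504734574395169 root 1720583698 3.0.0 3 'S.S.S.S,tcp/22' 10)
echo "Encoded Data: $enc"
spa_decode "$enc"
if spa_age_ok "$(date +%s)" 1720583698 30; then echo "age: ok"; else echo "age: outside MAX_SPA_PACKET_AGE, rejected"; fi
if spa_digest_fresh "$enc"; then echo "digest: first sight, accepted"; fi
if ! spa_digest_fresh "$enc"; then echo "digest: replay, rejected"; fi
```

Feeding the script a packet whose timestamp is older than the window shows why ENABLE_SPA_PACKET_AGING needs roughly synchronised clocks: a client that is 30 seconds off is rejected with the Summary's MAX_SPA_PACKET_AGE of 30, and the digest store is what stops a captured, still-fresh packet from being accepted twice.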
Advanced fwknopd.conf settings
Parameters specific to iptables (ENABLE_IPT_*):
- ENABLE_IPT_LOCAL_NAT
- ENABLE_NAT_DNS
- ENABLE_IPT_FORWARDING
- ENABLE_IPT_SNAT
- ENABLE_IPT_OUTPUT
- SNAT_TRANSLATE_IP
- ENABLE_DESTINATION_RULE
ENABLE_IPT_LOCAL_NAT
# Default N
To access the local service on another port.
Example
# access.conf must have "OPEN_PORTS tcp/22001" set
CLI Client
# reach the "--access" port through the "--nat-port" port
fwknop -v -n ollama -A tcp/22 --nat-local --nat-port 22001
...
Message Type: 5 (Local NAT access msg)
Message String: S.S.S.S,tcp/22001
Nat Access: D.D.D.D,22
Android Client
- Message Type: Local Nat Access
- Access Ports: tcp/22001
- Internal Port: 22
Checking
log
... Added local NAT rule to FWKNOP_INPUT for S.S.S.S -> 0.0.0.0/0 tcp/22001, expires at 1724396805
... Added DNAT rule to FWKNOP_PREROUTING for S.S.S.S -> 0.0.0.0/0 tcp/22001, expires at 1724396805
iptables -nL | grep _exp_; iptables -t nat -nL | grep _exp_
Chain FWKNOP_INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  S.S.S.S              0.0.0.0/0            tcp dpt:22 /* _exp_1724396805 */
Chain FWKNOP_PREROUTING (1 references)
target     prot opt source               destination
DNAT       tcp  --  S.S.S.S              0.0.0.0/0            tcp dpt:22001 /* _exp_1724396805 */ to:D.D.D.D:22
Notes
* Because FWKNOP_INPUT also accepts port 22, the client can connect to 22 directly without going through 22001
# access.conf must NOT have "OPEN_PORTS" set
fwknop -v -n ollama -A tcp/22 --nat-local --nat-rand-port
Server Log
... (stanza #1) SPA packet from S.S.S.S requested NAT access, but is not enabled/supported
ENABLE_NAT_DNS
# Default: Y
Allow fwknopd to resolve hostnames in NAT access messages.
When set to N
fwknop -v -n ollama -A tcp/22 --nat-local --nat-port 22001
Message Type: 5 (Local NAT access msg)
Message String: D.D.D.D,tcp/22001
Nat Access: ollama.datahunter.org,22
server log
... Received Hostname in NAT SPA message, but hostname is disabled.
ENABLE_IPT_FORWARDING
# Default: N
Defines whether an SPA packet can trigger port forwarding through to an internal host.
Allow SPA clients to request access to services through an iptables firewall instead of just to it
(e.g. access through the FWKNOP_FORWARD chain instead of the INPUT chain)
Affected chains
Chain FWKNOP_FORWARD (1 references)
Chain FWKNOP_PREROUTING (1 references)
e.g.
# client -22001-> lxc -22-> ct(200.18)
fwknop -n ollama -A tcp/22001 -N 192.168.200.18:22
log
... Added FORWARD rule to FWKNOP_FORWARD for S.S.S.S -> 0.0.0.0/0 tcp/22001, expires at 1724396190
... Added DNAT rule to FWKNOP_PREROUTING for S.S.S.S -> 0.0.0.0/0 tcp/22001, expires at 1724396190
iptables
ACCEPT     tcp  --  S.S.S.S              0.0.0.0/0            tcp dpt:22 /* _exp_1724396190 */
DNAT       tcp  --  S.S.S.S              0.0.0.0/0            tcp dpt:22001 /* _exp_1724396190 */ to:192.168.200.18:22
ENABLE_IPT_SNAT
...
ENABLE_IPT_OUTPUT
This is usually only useful if there are no state tracking rules to allow connection responses out
and the OUTPUT chain has a default-drop stance.
SNAT_TRANSLATE_IP
Specify the IP address for SNAT.
This functionality is only enabled when “ENABLE_IPT_SNAT” is set to “Y” and
by default SNAT rules are built with the MASQUERADE target.
ENABLE_DESTINATION_RULE
The default is “N”, which sets the destination field to 0.0.0.0/0 (any).
* FORWARD and SNAT rules are not affected
Advanced access.conf settings
RESTRICT_PORTS
RESTRICT_PORTS <proto/port>,...,<proto/port>
Used together with "OPEN_PORTS ANY"
Define a set of ports and protocols (tcp or udp) that are
explicitly not allowed regardless of the validity of the incoming SPA packet.
FORCE_X
- FORCE_NAT <IP> <PORT>
- FORCE_SNAT <IP>
- FORCE_MASQUERADE <Y/N>
- FORWARD_ALL <Y/N>
DIGEST_TYPE and HMAC_DIGEST_TYPE
Why use HMAC (optional)
the code required by the fwknopd daemon to verify an HMAC is much more simplistic than
the code required to decrypt an SPA packet,
so an SPA packet without a proper HMAC isn’t even sent through the decryption routines.
HMAC_DIGEST_TYPE
Set the HMAC digest algorithm used for authenticated encryption of SPA packets.
DIGEST_TYPE
Set the SPA message digest type
include & include_folder
%include
%include /etc/fwknop/myIncludeFile.conf
* Complete stanzas should be contained within each file.
%include_folder
%include_folder /etc/fwknop/myFolder.d
* This processes all the *.conf files in the specified directory.
%include_keys
%include_keys /home/user/fwknop_keys.conf
* Any other commands in the stanza must come before the %include_keys directive.
Summary
fwknopd.conf
ENABLE_UDP_SERVER Y
UDPSERV_PORT 12345
ENABLE_SPA_PACKET_AGING Y
MAX_SPA_PACKET_AGE 30
ENABLE_DIGEST_PERSISTENCE Y
ENABLE_IPT_LOCAL_NAT N
ENABLE_IPT_FORWARDING N
ENABLE_NAT_DNS N
access.conf
SOURCE ANY
OPEN_PORTS tcp/22
REQUIRE_SOURCE_ADDRESS Y
FW_ACCESS_TIMEOUT 15
ENABLE_CMD_EXEC N
HMAC_DIGEST_TYPE SHA512
DIGEST_TYPE SHA512
%include_keys /etc/fwknop/key.conf
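The access.conf rules stated on this page (RESTRICT_PORTS belongs with OPEN_PORTS ANY, ENABLE_CMD_EXEC lets the SPA sender run commands as CMD_EXEC_USER or as the user running fwknopd, and everything in a stanza must come before %include_keys) are easy to break when stanzas are edited by hand. The script below is an added example, not part of fwknop: an awk-based lint that reads an access.conf and reports stanzas violating those rules. The sample file is constructed for the demonstration; its first stanza is the Summary above, its second deliberately breaks each rule. The 203.0.113.0/24 source and key2.conf path are made up.

```shell
#!/bin/sh
# Added example (not fwknop code): lint access.conf against the points made on
# this page. Stanzas start at SOURCE; %include_keys must be the stanza's last line.
SAMPLE_ACCESS='SOURCE ANY
OPEN_PORTS tcp/22
REQUIRE_SOURCE_ADDRESS Y
FW_ACCESS_TIMEOUT 15
ENABLE_CMD_EXEC N
HMAC_DIGEST_TYPE SHA512
DIGEST_TYPE SHA512
%include_keys /etc/fwknop/key.conf

SOURCE 203.0.113.0/24
%include_keys /etc/fwknop/key2.conf
OPEN_PORTS ANY
ENABLE_CMD_EXEC Y'

# Reads access.conf on stdin, prints one finding per line, returns 1 if any.
lint_access_conf() {
    awk '
    function warn(msg) { print msg; found++ }
    function finish() {
        if (stanza == 0) return
        if (open_any && !restrict)
            warn("stanza " stanza ": OPEN_PORTS ANY without RESTRICT_PORTS")
        if (cmd_exec)
            warn("stanza " stanza ": ENABLE_CMD_EXEC Y, SPA sender can run commands as CMD_EXEC_USER (root if unset)")
        if (after_keys)
            warn("stanza " stanza ": " after_keys " directive(s) after %include_keys; they must come before it")
    }
    /^[[:space:]]*(#|$)/ { next }                       # comments and blank lines
    $1 == "SOURCE" {                                     # new stanza: report the previous one
        finish(); stanza++
        open_any = restrict = cmd_exec = keys = after_keys = 0
        next
    }
    stanza == 0 { warn("line " NR ": directive before first SOURCE"); next }
    keys { after_keys++ }                                # anything following %include_keys
    $1 == "%include_keys" { keys = 1 }
    $1 == "OPEN_PORTS" && toupper($2) == "ANY" { open_any = 1 }
    $1 == "RESTRICT_PORTS" { restrict = 1 }
    $1 == "ENABLE_CMD_EXEC" && toupper($2) == "Y" { cmd_exec = 1 }
    END { finish(); exit found > 0 }
    '
}

# Demo on the constructed sample; live use: lint_access_conf < /etc/fwknop/access.conf
if printf '%s\n' "$SAMPLE_ACCESS" | lint_access_conf; then
    echo "access.conf: no findings"
else
    echo "access.conf: review the findings above"
fi
```

The first stanza passes untouched, which is the point of the Summary: OPEN_PORTS limited to tcp/22, ENABLE_CMD_EXEC off, and %include_keys as the closing line. Running the lint from a deploy hook keeps the second kind of stanza from reaching a production fwknopd.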