erg
January 24, 2023, 2:27pm
Hi,
I'm trying to set up fwknop to open port 22 and set up a firewall rule to forward to an IP on the LAN.
I cannot get the fwknopd config right.
What am I missing/doing wrong?
These are my config files:
/etc/fwknop/fwknopd.conf:

```
PCAP_INTF wan;
SYSLOG_IDENTITY fwknopd;
SYSLOG_FACILITY LOG_DAEMON;
ENABLE_FIREWD_FORWARDING Y;
ENABLE_FIREWD_LOCAL_NAT Y;
FIREWD_FORWARD_ACCESS ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1;
ENABLE_IPT_FORWARDING Y;
ENABLE_IPT_LOCAL_NAT Y;
```
/etc/fwknop/access.conf:

```
SOURCE ANY
OPEN_PORTS tcp/22
REQUIRE_SOURCE_ADDRESS Y
PERMIT_CLIENT_PORTS N
KEY_BASE64 <my-key>
HMAC_KEY_BASE64 <my-hmac-key>
ENABLE_FORWARD_ACCESS Y
```
client ~/.fwknoprc:

```
SPA_SERVER <fwknopd-server-ip>
ACCESS tcp/22
NAT_ACCESS 192.168.2.2,22
KEY_BASE64 <my-key>
HMAC_KEY_BASE64 <my-hmac-key>
USE_HMAC Y
RESOLVE_IP_HTTPS Y
```
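A consistency check over the three files above, added here as an example (it is not part of the post or of fwknop itself): it parses the `KEY value;` syntax of fwknopd.conf and the `KEY value` syntax of access.conf and .fwknoprc, then cross-checks what a NAT_ACCESS request needs from each side. The inputs are constructed copies of the posted configs with the placeholder keys left in; the legacy ENABLE_IPT_FORWARDING name and the client-side ALLOW_IP variable are assumed from fwknop's documentation.

```python
import re

# Constructed from the post above; the <placeholder> keys are kept so the check flags them.
FWKNOPD_CONF = "PCAP_INTF wan;\nENABLE_FIREWD_FORWARDING Y;\nENABLE_FIREWD_LOCAL_NAT Y;\n"
ACCESS_CONF = """SOURCE ANY
OPEN_PORTS tcp/22
REQUIRE_SOURCE_ADDRESS Y
KEY_BASE64 <my-key>
HMAC_KEY_BASE64 <my-hmac-key>
ENABLE_FORWARD_ACCESS Y"""
FWKNOPRC = """[default]
ACCESS tcp/22
NAT_ACCESS 192.168.2.2,22
KEY_BASE64 <my-key>
HMAC_KEY_BASE64 <my-hmac-key>
RESOLVE_IP_HTTPS Y"""

def parse_conf(text):
    """Parse 'KEY value' lines; fwknopd.conf terminates values with ';'."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#[":  # skip comments and .fwknoprc [stanza] headers
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        conf[key] = value.strip().rstrip(";").strip()
    return conf

csv = lambda value: {item.strip() for item in value.split(",") if item.strip()}

def check_forwarding(fwknopd, access, client):
    """Return the inconsistencies that would make a NAT_ACCESS request fail."""
    problems = []
    if "NAT_ACCESS" in client:
        # Either the new FIREWD_ or the legacy IPT_ name (assumed) must enable forwarding.
        if "Y" not in (fwknopd.get("ENABLE_FIREWD_FORWARDING"), fwknopd.get("ENABLE_IPT_FORWARDING")):
            problems.append("client sends NAT_ACCESS but fwknopd.conf does not enable forwarding")
        if access.get("ENABLE_FORWARD_ACCESS") != "Y":
            problems.append("client sends NAT_ACCESS but access.conf lacks ENABLE_FORWARD_ACCESS Y")
    for port in csv(client.get("ACCESS", "")) - csv(access.get("OPEN_PORTS", "")):
        problems.append(f"client requests {port} which is not in OPEN_PORTS")
    for key in ("KEY_BASE64", "HMAC_KEY_BASE64"):
        if access.get(key) != client.get(key):
            problems.append(f"{key} differs between access.conf and .fwknoprc")
        if re.fullmatch(r"<[^>]*>", access.get(key, "")):
            problems.append(f"{key} in access.conf is still a placeholder")
    if access.get("REQUIRE_SOURCE_ADDRESS") == "Y" and not (
            client.get("ALLOW_IP") or client.get("RESOLVE_IP_HTTPS") == "Y"):
        problems.append("server requires a source address but client neither sets ALLOW_IP nor resolves it")
    return problems

if __name__ == "__main__":
    print(check_forwarding(parse_conf(FWKNOPD_CONF), parse_conf(ACCESS_CONF), parse_conf(FWKNOPRC)))
```

On the posted files the only findings are the two placeholder keys, which is consistent with the thread's later conclusion that the configuration itself was fine and the firewall backend was the problem.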
have you stopped sshd / dropbear?
port 22 is usually used by it ...
1 Like
What version of OpenWrt are you using? fwknop is not compatible with firewall4, which ships with 22.03.
There seems to be a workaround: https://github.com/openwrt/packages/issues/16818#issuecomment-1086624136
opened 01:50PM - 25 Sep 22 UTC
I have been using Fwknopd on OpenWrt for a long time. Lately, I upgraded OpenWrt to 22.03 but Fwknopd does not work without the [work-around](https://github.com/openwrt/packages/issues/16818#issuecomment-1086624136) proposed by @weini22.
opened 05:49AM - 06 Oct 21 UTC
Hi all, especially @openwrt/packages-write,
for the next OpenWrt release `firewall4` is [considered](https://github.com/openwrt/openwrt/pull/4642) as a replacement of the current `iptables` based `firewall` package. While the configuration stays within `/etc/config/firewall`, packages using `iptables` directly may see trouble.
This is a heads up for everyone maintaining such packages but also please post packages here that would be affected so a smoother migration is possible.
Compatible with `firewall4`:
- [x] acme
- [x] adblock
- [ ] apfree-wifidog
- [ ] banip
- [x] bcp38
- [x] collectd (iptables plugin still uses iptables, no nftables plugin)
- [ ] coova-chilli
- [ ] dockerd
- [x] etherwake-nfqueue
- [ ] fail2ban
- [ ] frr
- [ ] fwknop
- [x] gnunet
- [x] https-dns-proxy
- [x] jool
- [x] keepalived https://github.com/openwrt/packages/pull/18058
- [ ] libreswan
- [x] miniupnpd https://github.com/openwrt/packages/pull/17094
- [x] mwan3 https://github.com/openwrt/packages/pull/17940
- [x] phantap
- [x] podman via dcbef6fde01eed546bd405724bd70cd8f3381c4b
- [x] ~~pppossh~~
- [ ] redsocks
- [x] shadowsocks-libev (https://github.com/openwrt/packages/pull/17937)
- [x] ~~shorewall~~
- [x] ~~shorewall6~~
- [x] ~~shorewall6-lite~~
- [x] ~~shorewall-lite~~
- [x] simple-adblock
- [x] sqm-scripts
- [ ] strongswan
- [ ] trafficshaper
- [ ] uacme
- [x] v2raya (https://github.com/openwrt/packages/pull/18052)
- [x] vpnbypass
- [ ] vpnc-scripts
- [x] vpn-policy-routing
- [ ] wifidog
- [ ] xtables-addons
Heads up for routing.git: https://github.com/openwrt/routing/issues/731
Heads up for luci.git: https://github.com/openwrt/luci/issues/5409
1 Like
erg
January 24, 2023, 3:24pm
Thanks for quick replies!
frollic: thanks for the tip, I've changed the dropbear port now.
d687r02j8g: It is version 22.03. The workaround you speak of, that would be installing iptables-nft, am I correct?
Sorry, I don't know. I just pasted the link after a Google search!
erg
January 25, 2023, 1:54pm
Bummer.
Looks like fwknop just doesn't work with nftables; no workaround to be found apart from rolling the system back to some earlier version without nftables.
I think I may have figured out how to get it working alongside nftables without extra scripts. If you install kmod-ipt-nat and kmod-ipt-nat-extra along with luci-app-fwknopd, out of the box the forwarding rules work correctly.