Fwknop port forwarding configuration

Hi,

I'm trying to set up fwknop to open port 22 and set up a firewall rule to forward to an IP on the LAN.
I cannot get the fwknopd config right.
What am I missing/doing wrong?
These are my config files:

/etc/fwknop/fwknopd.conf:

# interface on which fwknopd sniffs for SPA packets
PCAP_INTF                   wan;
SYSLOG_IDENTITY             fwknopd;
SYSLOG_FACILITY             LOG_DAEMON;
# firewalld-backend forwarding/NAT toggles
ENABLE_FIREWD_FORWARDING    Y;
ENABLE_FIREWD_LOCAL_NAT     Y;
# format: Target, Table, From_chain, Jump_rule_position, To_chain, Rule_position
FIREWD_FORWARD_ACCESS       ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1;
# iptables-backend forwarding/NAT toggles
ENABLE_IPT_FORWARDING       Y;
ENABLE_IPT_LOCAL_NAT        Y;

/etc/fwknop/access.conf :

SOURCE                  ANY
# ports the SPA client may request access to
OPEN_PORTS              tcp/22
# client must put its real source IP in the SPA packet (no 0.0.0.0)
REQUIRE_SOURCE_ADDRESS  Y
PERMIT_CLIENT_PORTS     N
# Rijndael key and HMAC key, base64-encoded, shared with the client
KEY_BASE64              <my-key>
HMAC_KEY_BASE64         <my-hmac-key>
ENABLE_FORWARD_ACCESS   Y

client ~/.fwknoprc :

SPA_SERVER        <fwknopd-server-ip>
# access requested in the SPA packet; must be allowed by OPEN_PORTS on the server
ACCESS            tcp/22
# internal LAN host and port the server should NAT the connection to
NAT_ACCESS        192.168.2.2,22
KEY_BASE64        <my-key>
HMAC_KEY_BASE64   <my-hmac-key>
USE_HMAC          Y
# resolve this client's external IP over HTTPS for the SPA source address
RESOLVE_IP_HTTPS  Y

Have you stopped sshd / dropbear?
Port 22 is usually used by it...


What version of OpenWrt are you using? fwknop is not compatible with firewall4, which ships with 22.03.

There seems to be a workaround https://github.com/openwrt/packages/issues/16818#issuecomment-1086624136

More info


Thanks for quick replies!

frollic: thanks for the tip, I've changed dropbear port now

d687r02j8g: It is version 22.03. The workaround you speak of, that would be installing iptables-nft, am I correct?

Sorry, I don't know. I just pasted the link after a Google search!

Bummer.
Looks like fwknop just doesn't work with nftables; no workaround to be found apart from rolling the system back to some earlier version without nftables.

I think I may have figured out how to get it working alongside nftables without extra scripts. If you install kmod-ipt-nat and kmod-ipt-nat-extra, along with luci-app-fwknopd out of the box, the forwarding rules work correctly.
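The thread above ends up pinning the failure on three things that are easy to check before sending a single SPA packet: the iptables forwarding and local-NAT toggles in fwknopd.conf, whether access.conf actually permits the proto/port the client requests in ACCESS, and (per the last post) whether the NAT kernel modules are installed and dropbear has been moved off the port being forwarded. The preflight script below is an added example written for this page; it is not from the thread, from the fwknop project, or from OpenWrt. It assumes config files in the same layout the poster showed, a package list in the format `opkg list-installed` prints (`name - version`), and that you pass the dropbear port yourself (on OpenWrt, `uci get dropbear.@dropbear[0].Port`). The sample files it writes are constructed for the demo, not real system files; the function and file names are my own.

```shell
#!/bin/sh
# Preflight for fwknop NAT/forward access on OpenWrt (added example, not project code).
# Checks the three failure modes the thread turned up:
#   1. fwknopd.conf has ENABLE_IPT_FORWARDING and ENABLE_IPT_LOCAL_NAT set to Y
#   2. access.conf OPEN_PORTS lists the proto/port the client will put in ACCESS
#   3. kmod-ipt-nat and kmod-ipt-nat-extra are installed, and dropbear is not on that port

# conf_get FILE KEY -> value of a "KEY   value;" line in fwknopd.conf (semicolon stripped)
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# access_get FILE KEY -> value of a "KEY   value" line in access.conf
access_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\)$/\1/p" "$1" | tail -n 1
}

# port_allowed OPEN_PORTS_VALUE proto/port -> 0 if proto/port is one of the comma-separated entries
port_allowed() {
    echo "$1" | tr ',' '\n' | tr -d ' ' | grep -qx "$2"
}

# fwknop_nat_preflight FWKNOPD_CONF ACCESS_CONF PKG_LIST DROPBEAR_PORT ACCESS_SPEC
# PKG_LIST is the saved output of `opkg list-installed`. Prints findings and
# returns the number of problems found (0 means all prerequisites look satisfied).
fwknop_nat_preflight() {
    conf=$1; acc=$2; pkgs=$3; dbport=$4; spec=$5; problems=0
    for key in ENABLE_IPT_FORWARDING ENABLE_IPT_LOCAL_NAT; do
        v=$(conf_get "$conf" "$key")
        if [ "$v" != "Y" ]; then
            echo "FAIL: $key is '${v:-unset}' in $conf (need Y)"; problems=$((problems + 1))
        fi
    done
    if ! port_allowed "$(access_get "$acc" OPEN_PORTS)" "$spec"; then
        echo "FAIL: OPEN_PORTS in $acc does not list $spec"; problems=$((problems + 1))
    fi
    for pkg in kmod-ipt-nat kmod-ipt-nat-extra; do
        grep -q "^$pkg - " "$pkgs" || { echo "FAIL: $pkg not installed"; problems=$((problems + 1)); }
    done
    port=${spec#*/}
    if [ "$dbport" = "$port" ]; then
        echo "FAIL: dropbear listens on $dbport, the same port the SPA client requests"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK: forwarding prerequisites look satisfied"
    return "$problems"
}

# make_demo_files DIR -> writes constructed sample inputs (hypothetical, for the demo only)
make_demo_files() {
    d=$1
    cat > "$d/fwknopd.conf" <<'EOF'
PCAP_INTF                   wan;
ENABLE_IPT_FORWARDING       Y;
ENABLE_IPT_LOCAL_NAT        Y;
EOF
    cat > "$d/access.conf" <<'EOF'
SOURCE                  ANY
OPEN_PORTS              tcp/22
REQUIRE_SOURCE_ADDRESS  Y
EOF
    # package lists in `opkg list-installed` format; versions are placeholders
    printf 'fwknopd - 2.6.10-4\nluci-app-fwknopd - 1.0\n' > "$d/pkgs-before.txt"
    printf 'fwknopd - 2.6.10-4\nkmod-ipt-nat - 1\nkmod-ipt-nat-extra - 1\n' > "$d/pkgs-after.txt"
}

# Stand-alone demo: the "before" state from the thread (dropbear on 22, NAT kmods
# missing) versus the state after the fixes the thread arrived at.
demo=$(mktemp -d)
make_demo_files "$demo"
echo "== before =="
fwknop_nat_preflight "$demo/fwknopd.conf" "$demo/access.conf" "$demo/pkgs-before.txt" 22 tcp/22 || true
echo "== after =="
fwknop_nat_preflight "$demo/fwknopd.conf" "$demo/access.conf" "$demo/pkgs-after.txt" 2222 tcp/22 || true
rm -rf "$demo"
```

On a real router, run it as `fwknop_nat_preflight /etc/fwknop/fwknopd.conf /etc/fwknop/access.conf <(opkg list-installed) "$(uci get dropbear.@dropbear[0].Port)" tcp/22` (or save the opkg output to a file first if your shell lacks process substitution). Note that the script only checks the iptables-backend toggles; it does not tell you which backend your fwknopd build was compiled for, and it does not replace watching `logread -f` while sending the SPA packet.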