Step 1: Install on the client and server

apt-get install fwknop-client # Debian/Ubuntu, on the client
apt-get install fwknop-server # Debian/Ubuntu, on the server

pacman -S fwknop # Arch Linux, client + server in one package

Step 2: Generate the symmetric keys with the fwknop client

The client prints two base64 keys: KEY_BASE64 encrypts the SPA packet and HMAC_KEY_BASE64 authenticates it, so the server can drop forged or replayed packets before it even tries to decrypt them. Both keys go on the server and on the client. The values below are only an illustration; never reuse keys that have been published.

fwknop --key-gen
KEY_BASE64: J74NzkCQuxRxm66XAnY1kNHYFPIVdL9bPCkyObSxUfU=
HMAC_KEY_BASE64: UkMsk1sD59asme5z+YAdJ7r376xq1iZKftKbGj0LVOY1KQSQvglZMp0eW3vQDcmZLnK76is4E99/JAp8Krw3hQ==

Step 3: Add the keys on the server

grep -B3 HMAC_KEY_BASE64 /etc/fwknop/access.conf
SOURCE                  ANY
REQUIRE_SOURCE_ADDRESS  Y
KEY_BASE64              J74NzkCQuxRxm66XAnY1kNHYFPIVdL9bPCkyObSxUfU=
HMAC_KEY_BASE64         UkMsk1sD59asme5z+YAdJ7r376xq1iZKftKbGj0LVOY1KQSQvglZMp0eW3vQDcmZLnK76is4E99/JAp8Krw3hQ==

SOURCE ANY accepts SPA packets from any source address; REQUIRE_SOURCE_ADDRESS Y makes fwknopd reject packets that do not carry a concrete IP to allow, so the client has to state which address should be opened (ALLOW_IP in the next step). Keep access.conf readable by root only: anyone who can read it can forge valid knocks.

Step 4: Add the keys on the client

grep -B5 HMAC_KEY_BASE64 ~/.fwknoprc
[my_server]
ALLOW_IP            1.1.1.1
ACCESS              tcp/22
SPA_SERVER          2.2.2.2
KEY_BASE64          J74NzkCQuxRxm66XAnY1kNHYFPIVdL9bPCkyObSxUfU=
HMAC_KEY_BASE64     UkMsk1sD59asme5z+YAdJ7r376xq1iZKftKbGj0LVOY1KQSQvglZMp0eW3vQDcmZLnK76is4E99/JAp8Krw3hQ==

Here 1.1.1.1 is the client's public address (the one the server sees; behind NAT that is the NAT gateway's address, not the LAN address), 2.2.2.2 is the server, and tcp/22 is what a plain knock opens. Keep ~/.fwknoprc mode 0600 for the same reason as access.conf.
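Steps 3 and 4 are easy to get wrong by hand (a key pasted into the wrong file, a stray character, a world-readable file). The script below is an added example, not part of the original post or of fwknop: it parses the output of fwknop --key-gen, renders the server stanza and the client stanza in the formats shown above, writes them owner-readable only, and checks that both files carry the same keys. The key-gen output is a constructed copy of the lines printed above, the function names are my own, and the files are written to a scratch directory instead of /etc/fwknop/access.conf and ~/.fwknoprc.

```shell
#!/bin/sh
# Added example, not part of the original post: take the two keys printed
# by `fwknop --key-gen`, write the server's access.conf stanza and the
# client's ~/.fwknoprc stanza from them, and confirm both files agree.
set -eu

# Constructed sample of `fwknop --key-gen` output. These are the keys
# printed in the post; never reuse published keys on a real server.
KEYGEN_OUTPUT='KEY_BASE64: J74NzkCQuxRxm66XAnY1kNHYFPIVdL9bPCkyObSxUfU=
HMAC_KEY_BASE64: UkMsk1sD59asme5z+YAdJ7r376xq1iZKftKbGj0LVOY1KQSQvglZMp0eW3vQDcmZLnK76is4E99/JAp8Krw3hQ=='

# keygen_field NAME: pull one "NAME: value" line out of the key-gen output.
keygen_field() {
    printf '%s\n' "$KEYGEN_OUTPUT" | awk -v k="$1:" '$1 == k { print $2; exit }'
}

# conf_value FILE NAME: first "NAME value" entry in an fwknop config file.
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Server side: one access stanza in the layout of /etc/fwknop/access.conf.
# REQUIRE_SOURCE_ADDRESS Y forces the client to name the IP to allow.
render_access_conf() {
    printf 'SOURCE                  ANY\n'
    printf 'REQUIRE_SOURCE_ADDRESS  Y\n'
    printf 'KEY_BASE64              %s\n' "$1"
    printf 'HMAC_KEY_BASE64         %s\n' "$2"
}

# Client side: one named stanza in the layout of ~/.fwknoprc.
# render_fwknoprc NAME ALLOW_IP SPA_SERVER ACCESS KEY HMAC
render_fwknoprc() {
    printf '[%s]\n' "$1"
    printf 'ALLOW_IP            %s\n' "$2"
    printf 'ACCESS              %s\n' "$4"
    printf 'SPA_SERVER          %s\n' "$3"
    printf 'KEY_BASE64          %s\n' "$5"
    printf 'HMAC_KEY_BASE64     %s\n' "$6"
}

# install_conf PATH: write stdin to PATH, readable by the owner only.
install_conf() {
    ( umask 077 && cat > "$1" )
}

# keys_match SERVER_CONF CLIENT_RC: 0 if both files carry the same,
# non-empty keys; 1 otherwise (a missing key must not "match" a missing key).
keys_match() {
    s_key=$(conf_value "$1" KEY_BASE64)
    s_hmac=$(conf_value "$1" HMAC_KEY_BASE64)
    c_key=$(conf_value "$2" KEY_BASE64)
    c_hmac=$(conf_value "$2" HMAC_KEY_BASE64)
    if [ -n "$s_key" ] && [ -n "$s_hmac" ] &&
       [ "$s_key" = "$c_key" ] && [ "$s_hmac" = "$c_hmac" ]; then
        return 0
    fi
    return 1
}

# Demo in a scratch directory (assumption: on real hosts the targets are
# /etc/fwknop/access.conf on the server and ~/.fwknoprc on the client).
workdir=$(mktemp -d)
key=$(keygen_field KEY_BASE64)
hmac=$(keygen_field HMAC_KEY_BASE64)
render_access_conf "$key" "$hmac" | install_conf "$workdir/access.conf"
render_fwknoprc my_server 1.1.1.1 2.2.2.2 tcp/22 "$key" "$hmac" \
    | install_conf "$workdir/fwknoprc"
if keys_match "$workdir/access.conf" "$workdir/fwknoprc"; then
    echo "server and client keys match"
else
    echo "key mismatch between server and client" >&2
fi
rm -rf "$workdir"
```

Run the same keys_match check against the real files (access.conf copied from the server) whenever a knock is silently ignored; a key that differs by one character gives exactly the same symptom as a firewall problem, and fwknopd -f on the server will only tell you that HMAC verification failed.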

Step 5: Test the setup

Launch the server in the foreground

fwknopd -f

Knock with the client

fwknop -n my_server

Step 6: Set up the firewall

The INPUT policy can be DROP: fwknopd reads the SPA packet with libpcap, so it needs no ACCEPT rule for the SPA port (UDP 62201 by default) to see it. On a valid knock fwknopd adds a time-limited ACCEPT rule in its own FWKNOP_INPUT chain, which it jumps to from INPUT. The rule for 1.1.1.1 below keeps your current SSH access working while fwknop is being set up and is removed in step 9.

apt-get install iptables-persistent
cat /etc/iptables/rules.v4
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Keep state.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loop device.
-A INPUT -i lo -j ACCEPT

# ssh
-A INPUT -s 1.1.1.1 -p tcp --dport 22 -j ACCEPT # will be removed later

# Allow PING from remote hosts.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
cat /etc/iptables/rules.v6
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
iptables-apply /etc/iptables/rules.v4
ip6tables-apply /etc/iptables/rules.v6
systemctl restart netfilter-persistent.service

Note: netfilter-persistent.service may already exist before iptables-persistent is installed (it comes from the netfilter-persistent package), but it does nothing until the iptables plugin from iptables-persistent is present.

Step 7: Test manually

At this point fwknopd is still running in the foreground (fwknopd -f from step 5) and the firewall from step 6 is loaded…

On the server

nc -v -l -p 2222

On the client

The port is filtered: the SYN is dropped and nothing comes back

nmap -n -Pn 2.2.2.2 -p 2222
Starting Nmap
Nmap scan report for 2.2.2.2
Host is up.

PORT     STATE    SERVICE
2222/tcp filtered EtherNetIP-1

Knocking…

fwknop -n my_server -A tcp/2222

Server’s port is now open

nmap -n -Pn 2.2.2.2 -p 2222

Starting Nmap
Nmap scan report for 2.2.2.2
Host is up (0.020s latency).

PORT     STATE SERVICE
2222/tcp open  EtherNetIP-1

Step 8: Restart

Make sure fwknopd starts at boot, reboot the server, and run the manual test of step 7 once more. If the port still opens on a knock after the reboot, go to step 9.

grep START /etc/default/fwknop-server
START_DAEMON="yes"

Step 9: Last restart

Remove the hard-coded SSH rule for 1.1.1.1 from /etc/iptables/rules.v4, reload the rules as in step 6 and restart one last time. From now on port 22 is reachable only after a valid knock, so confirm the knock still works before closing the session you are working from.
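Removing that rule is the moment you lock yourself out if the file is damaged, so it is worth checking the result before iptables-apply loads it. The script below is an added example, not part of the original post or of the iptables-persistent package: it strips every INPUT rule that accepts tcp/22 from a fixed source address and then verifies the invariants this setup depends on (DROP policies, the ESTABLISHED,RELATED rule that keeps open sessions alive, loopback, COMMIT, and no per-IP SSH rule left). The rules file is a constructed copy of the rules.v4 above with the comment on its own line, the function names are my own, and it works on a scratch copy rather than /etc/iptables/rules.v4.

```shell
#!/bin/sh
# Added example, not part of the original post: remove the temporary
# per-IP ssh rule from the iptables-persistent rules file and check the
# result still has the properties the fwknop setup relies on before it is
# reloaded. fwknopd itself inserts the ssh ACCEPT rules at knock time.
set -eu

# Constructed copy of the rules.v4 from this post (comment moved to its
# own line); the rule to remove is the one with the hard-coded source IP.
RULES_V4='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ssh, will be removed later
-A INPUT -s 1.1.1.1 -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT'

# ERE for an INPUT rule that accepts tcp/22 from a fixed source address.
SSH_SOURCE_RULE='^-A INPUT -s [^ ]+ -p tcp --dport 22 -j ACCEPT'

# count_ssh_source_rules FILE: how many such rules the file still holds
# (grep -c exits 1 when the count is 0, hence the || true).
count_ssh_source_rules() {
    grep -c -E "$SSH_SOURCE_RULE" "$1" || true
}

# strip_temp_ssh_rule FILE: print FILE without those rules.
strip_temp_ssh_rule() {
    sed -E "/$SSH_SOURCE_RULE/d" "$1"
}

# check_rules_v4 FILE: 0 if the file is safe to reload, 1 with the reasons
# on stderr.
check_rules_v4() {
    f=$1
    rc=0
    grep -q '^:INPUT DROP' "$f"   || { echo "INPUT policy is not DROP" >&2; rc=1; }
    grep -q '^:FORWARD DROP' "$f" || { echo "FORWARD policy is not DROP" >&2; rc=1; }
    grep -q -- '--state ESTABLISHED,RELATED -j ACCEPT' "$f" \
        || { echo "no ESTABLISHED,RELATED rule: open ssh sessions would die" >&2; rc=1; }
    grep -q -- '-i lo -j ACCEPT' "$f" || { echo "loopback is not accepted" >&2; rc=1; }
    grep -q '^COMMIT$' "$f"       || { echo "missing COMMIT" >&2; rc=1; }
    [ "$(count_ssh_source_rules "$f")" -eq 0 ] \
        || { echo "temporary per-IP ssh rule still present" >&2; rc=1; }
    return $rc
}

# Demo on a scratch copy (assumption: on the server the file is
# /etc/iptables/rules.v4, reloaded with `iptables-apply` and
# `systemctl restart netfilter-persistent.service` as in step 6).
workdir=$(mktemp -d)
printf '%s\n' "$RULES_V4" > "$workdir/rules.v4"
echo "before: $(count_ssh_source_rules "$workdir/rules.v4") per-IP ssh rule(s)"
strip_temp_ssh_rule "$workdir/rules.v4" > "$workdir/rules.v4.new"
if check_rules_v4 "$workdir/rules.v4.new"; then
    echo "rules.v4.new passes the checks; move it into place and reload"
fi
rm -rf "$workdir"
```

Because iptables-apply reverts to the previous rules if you do not confirm within its timeout, run it from the SSH session you already have and confirm only after a second session has been opened with a knock; that exercise covers the one case the file checks cannot, a knock that no longer reaches fwknopd.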

And we're done!

fwknop -n my_server && ssh 2.2.2.2

fwknopd removes the ACCEPT rule again after FW_ACCESS_TIMEOUT (30 seconds by default); the ESTABLISHED,RELATED rule in rules.v4 is what keeps the SSH session opened in that window alive afterwards.