On 7/28/20 10:47 AM, Andrei Borzenkov wrote:
> 28.07.2020 19:18, Marc Chamberlin writes:
>> Hello - I am experiencing a problem with port knocking and am in need of some guidance from someone with a deeper understanding of the Linux/OpenSuSE architecture than I have. I have a computer with 2 NIC cards defined as eth0 and eth1. I am running 2 knockd daemons using nearly identical configuration files that define the knock sequences needed to open a port. The IP addresses for each card are on the same internal private subnet and assigned by a DHCPD server. When I send a knock sequence from my laptop to this system on its eth0 interface all works fine. But when I send the same knock sequence to the eth1 interface it generally fails, although every once in a while, as I am trying to figure out what is going on, it will work one time and then again fails on subsequent tests. I don't know what I am doing that causes these occasional successes. I have tried bringing down and back up the eth1 interface with ifup and ifdown, and tried restarting the firewalld, network, and knockd services. I have also tried putting both interfaces on the same (INTERNAL) zone (not what I really want to do, but this eliminates the possibility that placing each interface in separate zones could be causing problems.)
>
> The most obvious reason would be that your system sends the reply from a different interface (there can be only one effective route to any network) and the software you are using to "knock" does not like it.

Thanks Andrei for responding! Maybe I need you to say more or explain how I should configure the routes. I thought I was addressing this in the ifconfig files for each interface. In /etc/sysconfig/network/ifcfg-eth0 I have set this parameter - DHCLIENT_SET_DEFAULT_ROUTE='yes' and for ifcfg-eth1 I set it - DHCLIENT_SET_DEFAULT_ROUTE='no'. I read that this is what I am supposed to do from Google searches. I do not set any default route parameters in the YaST2->Network module. The dhcpd server is configured to set the same IP address as the default route for all the systems on the network. Perhaps I am misinterpreting what you are trying to say?

>> I fired up wireshark on my target computer to monitor the eth1 interface (and the eth0 interface to see if there were any differences that might give me a clue) and wireshark does indeed show the arrival of the knock packets coming from my laptop, on both interfaces. So I know that I am sending the knocks OK and that they are indeed arriving on the appropriate interfaces. So I next inserted the following rule into the head of the INPUT chain of the iptables to monitor what it is seeing -
>>
>> iptables -w -I INPUT 1 -s 192.168.10.10 -j LOG; tail -n-0 -f /var/log/messages|stdbuf -o0 grep 192.168.10.10
>>
>> (192.168.10.10 is the IP address of my laptop) and while this does show the knocks coming in on eth0, it fails to show any knocks coming in on eth1 (except occasionally as I mentioned above). Does this command look correct?
>
> The iptables part, yes.
>
>> In particular I am not really sure where the LOG chain will send its output, I am guessing it is to the messages log file.
>
> Did you try to read the manual page or other documentation before guessing? It sends output to the kernel log buffer.

Yes I do try to RTFMs before asking questions, ;-) and I did my best to grok the man pages, and yes I did read that output from kernel logging is sent to the "kernel log file". Trouble is that I do not find a kern.log file in /var/log so I assumed that like most other things which get logged, the log messages from the kernel end up in /var/log/messages. I guess I am wrong to make that assumption, but can you tell me how to activate and direct the kernel log messages to /var/log/kern.log? Most of the documentation I find, in Google searches, seems to imply this is done by default in other distros, and apparently in OpenSuSE it is not? I don't find any documentation when I search for "opensuse kernel log file configuration" that seems relevant. On a lark, I did try to start the kernel logging service - klogd - thinking that might be what is needed to see the kernel log messages in a separate file, but it refuses to start. I get the following message which I do not grok -

systemctl start klogd
Failed to start klogd.service: Operation refused, unit klogd.service may be requested by dependency only (it is configured to refuse manual start/stop).

>> (I have turned back on logging to the messages log file since I prefer using text files rather than the journal log which I find is too difficult to work with)
>
> Check your logging software configuration. You do not say what distribution you are using, what version, or what log program fills in /var/log/messages, so there is not much more to say.

Sorry, I guess I didn't think that was going to be relevant. On the system I am testing, I am running OpenSuSE Leap 15.0 using rsyslogd 8.33.1 for my logging service.

>> I imagine that wireshark is directly monitoring eth1 by making low level calls to the eth1 driver and I would have expected iptables to be doing the same, but apparently not. So what lies between the low level driver for eth1 that wireshark is apparently using, and the beginning of the iptables chain that is blocking these port knock packets from reaching the iptables chains?
>
> A much more plausible explanation is that these messages are filtered out by your log program.

Hmmm, OK, I need more help here then, I dunno how to configure filtering, didn't even know that was possible.
Anyone with ideas? As always much appreciated and thanks in advance for taking the time to help me out! Marc....
--
Computers: the final frontier. These are the voyages of the user Marc. His mission: to explore strange new hardware. To seek out new software and new applications. To boldly go where no Marc has gone before! (Attached is my public key to be used for encryption and sending encrypted email to marc@marcchamberlin.com.)
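One way to settle, from the log itself rather than by eye, whether the knocks that Wireshark sees on eth1 ever reach the LOG rule: tally the kernel LOG lines per ingress interface and check the knock order per interface. This is example code added here, not from the thread; it assumes a hypothetical --log-prefix "KNOCK: " on the LOG rule, a made-up knock sequence, and constructed rsyslog lines in the shape the LOG target produces.

```python
import re
from collections import defaultdict

KNOCK_SEQUENCE = [7000, 8000, 9000]  # hypothetical; the real one is in knockd.conf

# Fields the LOG target writes; any --log-prefix text before IN= is tolerated.
LOG_RE = re.compile(r"kernel:.*?\bIN=(?P<iface>\S*) .*?\bSRC=(?P<src>\S+) .*?"
                    r"\bPROTO=(?P<proto>\S+) .*?\bDPT=(?P<dpt>\d+)")

def _line(ts, iface, dpt, src="192.168.10.10"):
    # Constructed rsyslog line in the shape the iptables LOG target produces.
    return (f"Jul 28 {ts} leap kernel: KNOCK: IN={iface} OUT= SRC={src} "
            f"DST=192.168.10.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF "
            f"PROTO=TCP SPT=40001 DPT={dpt} WINDOW=64240 RES=0x00 SYN URGP=0")

SAMPLE_LOG = "\n".join([                                  # constructed sample
    _line("19:18:01", "eth0", 7000),
    _line("19:18:02", "eth0", 8000),
    _line("19:18:03", "eth0", 9000),
    _line("19:18:10", "eth1", 7000),
    _line("19:18:12", "eth1", 9000),                      # 8000 never seen on eth1
    _line("19:18:20", "eth1", 22, src="192.168.10.99"),   # unrelated host
]) + "\n"

def parse_log_lines(text):
    """(iface, src, proto, dpt) for every iptables LOG line in text."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            records.append((m["iface"], m["src"], m["proto"], int(m["dpt"])))
    return records

def knocks_by_interface(records, src):
    """Destination ports from src in arrival order, keyed by ingress interface."""
    ports = defaultdict(list)
    for iface, rec_src, _proto, dpt in records:
        if rec_src == src:
            ports[iface].append(dpt)
    return dict(ports)

def sequence_completed(ports, expected):
    """Simplified knockd matching: hits must arrive in order, a wrong port resets."""
    idx = 0
    for p in ports:
        idx = idx + 1 if p == expected[idx] else (1 if p == expected[0] else 0)
        if idx == len(expected):
            return True
    return False
```

Run it over the real /var/log/messages (or wherever rsyslog puts kern.* on the box) with the laptop's address: an interface that never appears in the tally means the packets never reached the LOG rule or rsyslog dropped the kernel messages, which is a different problem from an out-of-order sequence.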