On 7/28/20 10:47 AM, Andrei Borzenkov wrote:
> 28.07.2020 19:18, Marc Chamberlin wrote:
>> Hello - I am experiencing a problem with port knocking and am in need of
>> some guidance from someone with a deeper understanding of the
>> Linux/OpenSuSE architecture than I have. I have a computer with 2 NIC
>> cards defined as eth0 and eth1. I am running 2 knockd daemons using
>> nearly identical configuration files that define the knock sequences
>> needed to open a port. The IP addresses for each card are on the same
>> internal private subnet and assigned by a DHCPD server. When I send a
>> knock sequence from my laptop to this system on its eth0 interface all
>> works fine. But when I send the same knock sequence to the eth1
>> interface it generally fails, although every once in a while, as I am
>> trying to figure out what is going on, it will work one time and then
>> again fails on subsequent tests. I don't know what I am doing that
> obvious reason would be that your system sends the reply from a
> different interface (there could be only one effective route to any
> network) and the software you are using to "knock" does not like it.
Thanks Andrei for responding! Maybe I need you to say more or explain
how I should configure the routes. I thought I was addressing this in
the ifconfig files for each interface. In
/etc/sysconfig/network/ifcfg-eth0 I have set this parameter -
DHCLIENT_SET_DEFAULT_ROUTE='yes' and for ifcfg-eth1 I set it -
DHCLIENT_SET_DEFAULT_ROUTE='no'. I read that this is what I am supposed
to do from Google searches. I do not set any default route parameters in
the YaST2->Network module. The dhcpd server is configured to set the
same IP address as the default route for all the systems on the network.
Perhaps I am misinterpreting what you are trying to say?
>> causes these occasional successes. I have tried bringing down and back
>> up the eth1 interface with ifup and ifdown, and tried restarting the
>> firewalld, network, and knockd services. I have also tried putting both
>> interfaces on the same (INTERNAL) zone (not what I really want to do,
>> but this eliminates the possibility that placing each interface in
>> separate zones could be causing problems.)
>> I fired up wireshark on my target computer to monitor the eth1 interface
>> (and the eth0 interface to see if there were any differences that might
>> give me a clue) and wireshark does indeed show the arrival of the knock
>> packets coming from my laptop, on both interfaces. So I know that I am
>> sending the knocks OK and that they are indeed arriving on the
>> appropriate interfaces. So I next inserted the following rule into the
>> head of the INPUT chain of the iptables to monitor what it is seeing -
>>
>>     iptables -w -I INPUT 1 -s 192.168.10.10 -j LOG; tail -n-0 -f /var/log/messages|stdbuf -o0 grep 192.168.10.10
>>
>> (192.168.10.10 is the IP address of my laptop) and while this does show
>> the knocks coming in on eth0, it fails to show any knocks coming in on
>> eth1 (except occasionally as I mentioned above). Does this command look
> iptables part yes.
>> In particular I am not really sure where the LOG
>> sends its output, I am guessing it is to the messages log file.
> Did you try to read the manual page or other documentation before
> guessing? It sends output to the kernel log buffer.
Yes I do try to RTFMs before asking questions, ;-) and I did my best to
grok the man pages, and yes I did read that output from kernel logging
is sent to the "kernel log file". Trouble is that I do not find a
kern.log file in /var/log so I assumed that like most other things which
get logged, the log messages from the kernel end up in
/var/log/messages. I guess I am wrong to make that assumption, but can
you tell me how to activate and direct the kernel log messages to
/var/log/kern.log? Most of the documentation I find, in Google searches,
seems to imply this is done by default in other distros, and apparently
in OpenSuSE it is not? I don't find any documentation when I search for
"opensuse kernel log file configuration" that seems relevant.
On a lark, I did try to start the kernel logging service - klogd -
thinking that might be what is needed to see the kernel log messages in
a separate file, but it refuses to start. I get the following message
which I do not grok -

    systemctl start klogd
    Failed to start klogd.service: Operation refused, unit klogd.service may
    be requested by dependency only (it is configured to refuse manual
>> turned back on logging to the messages log file since I prefer using
>> text files rather than the journal log which I find is too difficult to
> Check your logging software configuration. You do not say what
> distribution you are using, what version, what log program fills in
> /var/log/messages so there is not much more to say.
Sorry, I guess I didn't think that was going to be relevant. On the
system I am testing, I am running OpenSuSE Leap 15.0 using rsyslogd
8.33.1 for my logging service.
>> I imagine that wireshark is directly monitoring eth1 by making low level
>> calls to the eth1 driver and I would have expected iptables to be doing
>> the same, but apparently not. So what lies between the low level driver
>> for eth1 that wireshark is apparently using, and the beginning of the
>> iptables chain that is blocking these port knock packets from reaching
>> the iptables chains?
> A much more plausible explanation is that these messages are filtered
> out by your log program.
Hmmm, OK, I need more help here then, I dunno how to
filtering, didn't even know that was possible.
>> Anyone with ideas? As always much appreciated and thanks in advance for
>> taking the time to help me out! Marc....
Computers: the final frontier. These are the voyages of the user Marc.
His mission: to explore strange new hardware. To seek out new software
and new applications. To boldly go where no Marc has gone before!
(Attached is my public key to be used for encryption and sending
encrypted email to marc(a)marcchamberlin.com.)
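The LOG target writes to the kernel ring buffer (readable with dmesg or journalctl -k, and stored in /var/log/messages when rsyslog keeps kern.* there), so a small parser of those records can show, per ingress interface, which of the knocks netfilter actually saw, which is the comparison being attempted above against wireshark. This is an added example, not code from anyone in the thread; the log lines, host name, addresses and knock ports are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of what the iptables LOG target emits into the kernel
# ring buffer (shown by dmesg / journalctl -k; rsyslog can also store it in
# /var/log/messages). Host name, addresses and knock ports are made up.
SAMPLE_LOG = """\
Jul 28 10:50:01 box kernel: IN=eth0 OUT= SRC=192.168.10.10 DST=192.168.10.20 LEN=60 PROTO=TCP SPT=40000 DPT=7000 SYN
Jul 28 10:50:02 box kernel: IN=eth0 OUT= SRC=192.168.10.10 DST=192.168.10.20 LEN=60 PROTO=TCP SPT=40001 DPT=8000 SYN
Jul 28 10:50:03 box kernel: IN=eth0 OUT= SRC=192.168.10.10 DST=192.168.10.20 LEN=60 PROTO=TCP SPT=40002 DPT=9000 SYN
Jul 28 10:50:20 box kernel: IN=eth1 OUT= SRC=192.168.10.10 DST=192.168.10.21 LEN=60 PROTO=TCP SPT=40003 DPT=7000 SYN
Jul 28 10:50:21 box kernel: IN=eth0 OUT= SRC=192.168.10.99 DST=192.168.10.20 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN
Jul 28 10:50:22 box rsyslogd: some unrelated line with no netfilter fields
"""

FIELD = re.compile(r"\b(IN|SRC|DST|PROTO|DPT)=(\S*)")


def parse_log_line(line):
    """Return the netfilter LOG fields of one log line, or None if it is not one."""
    fields = dict(FIELD.findall(line))
    # A genuine LOG record always carries IN= and SRC=; skip everything else.
    if "IN" not in fields or "SRC" not in fields:
        return None
    return fields


def knocks_by_interface(lines, src, proto="TCP"):
    """Map ingress interface -> destination ports hit by src, in arrival order."""
    seen = defaultdict(list)
    for line in lines:
        f = parse_log_line(line)
        if f and f["SRC"] == src and f.get("PROTO") == proto and "DPT" in f:
            # IN= is empty for locally generated packets (OUTPUT chain logs).
            seen[f["IN"] or "(no ingress interface)"].append(int(f["DPT"]))
    return dict(seen)


def sequence_completed(seen, sequence):
    """For each interface, whether the full knock sequence arrived in order."""
    result = {}
    for iface, ports in seen.items():
        it = iter(ports)  # consuming iterator: ports must appear in this order
        result[iface] = all(port in it for port in sequence)
    return result


if __name__ == "__main__":
    seen = knocks_by_interface(SAMPLE_LOG.splitlines(), "192.168.10.10")
    for iface, done in sequence_completed(seen, [7000, 8000, 9000]).items():
        print(f"{iface}: ports {seen[iface]} -> full sequence: {done}")
```

If a packet capture shows the knocks on eth1 but they never appear in the LOG output, they are being dropped between the driver and the INPUT chain; with two interfaces on the same subnet, the reverse-path filter (net.ipv4.conf.*.rp_filter in strict mode) is the usual cause, since the route back to the laptop is via only one of them.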