@joekir
Last active October 15, 2021 14:42
Getting fwknop to work

How to set up fwknop

Cloud Setup

  • Using the sshd_config from my other place, configure a bastion sshd to listen on 2 ports
    • use the other (random) port to help you set all this up, so you are never locked out while port 22 is dropped
  • expose them on GCP
  • also expose udp/62201 for the knock (62201 is the default, but you can change it in the config)
  • on a Debian instance, install fwknop-server
  • configure iptables as follows (the second command is inserted at position 1, so the ESTABLISHED,RELATED ACCEPT ends up above the DROP):
  $ iptables -I INPUT 1 -i eth0 -p tcp --dport 22 -j DROP
  $ iptables -I INPUT 1 -i eth0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

client

  • install fwknop (sometimes called fwknop-client)
  • use fwknop -K keys.txt to generate the key and HMAC key for your SPA
  • add these to ~/.fwknoprc like so:
[bastion]
SPA_SERVER          <Target IP>  
ACCESS              tcp/22
KEY_BASE64          <BASE64>
HMAC_KEY_BASE64     <BASE64>
USE_HMAC            Y

server

  • copy across the key data (KEY_BASE64 and HMAC_KEY_BASE64) to /etc/fwknop/access.conf
  • run $ sudo fwknopd -S to check its status
  • run $ sudo fwknopd -R to restart it with the new settings
  • double check your iptables setup looks ok
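The server side of the client stanza above, as an added example that is not part of the gist: an /etc/fwknop/access.conf stanza whose key material matches the [bastion] entry in ~/.fwknoprc. The key values are placeholders; SOURCE, OPEN_PORTS, REQUIRE_SOURCE_ADDRESS and FW_ACCESS_TIMEOUT are standard access.conf directives added here, not taken from the gist.

```conf
# /etc/fwknop/access.conf (added example; key values are placeholders)
# Each stanza starts with SOURCE. The KEY_BASE64 / HMAC_KEY_BASE64 values
# must be byte-for-byte the ones written into the client's ~/.fwknoprc.

# Which source IPs may send SPA packets. ANY is the loosest setting;
# narrow it to the CIDR you knock from when that is known.
SOURCE                  ANY

# Only tcp/22 may be opened by a valid knock, matching ACCESS tcp/22 on the client.
OPEN_PORTS              tcp/22

# Reject SPA packets that ask to open access for 0.0.0.0 (any address);
# the client must state the IP it will connect from.
REQUIRE_SOURCE_ADDRESS  Y

# How long (seconds) the temporary ACCEPT rule for the knocking IP stays in
# iptables; an SSH session already established survives its removal because
# of the ESTABLISHED,RELATED rule.
FW_ACCESS_TIMEOUT       30

# Rijndael key and HMAC key, both as produced by fwknop -K on the client.
KEY_BASE64              <BASE64>
HMAC_KEY_BASE64         <BASE64>
```

After editing the file, restart the daemon (sudo fwknopd -R) and confirm it picked the stanza up (sudo fwknopd -S) before testing a knock from the client.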

client

  • run fwknop -n bastion -R --verbose
  • Provided this is successful, you should now be able to log in over ssh on port 22 :D