Securing your router with fwknop ('iptables -m comment' error)

Discussion in 'Tomato Firmware' started by dailyglen, Feb 24, 2012.

  1. dailyglen

    dailyglen Networkin' Nut Member


    I would really like to get fwknop working as it seems to offer superior security over other methods of opening external ports. Basically you have fwknopd running on Tomato and use a fwknop client which sends a packet to Tomato with the port forwarding instructions. The ports will open for 30 seconds by default to allow new connections from your client's IP address (or any that you specify). The client is available for Unix, Windows, Android, etc. The beautiful part is fwknopd can listen for the port knock while the port is closed (e.g. DROPped traffic) and the packet is encrypted with a shared key. So defeating this is very difficult.

    To install, download the binary from and put it on your router (thanks to rhester72 for compiling this).

    Create a fwknopd.conf file on tomato:
    ACCESS_FILE /tmp/mnt/router/apps/fwknopd.access
    PCAP_INTF vlan2
    PCAP_FILTER udp dst port 62201
    With ACCESS_FILE set to the location of fwknopd.access. The fwknopd.access file on tomato looks like:
    KEY mysecretpassword
    Then start fwknopd on tomato like so:
    ./fwknopd -v -c fwknopd.conf
    To see documentation go to

    Then from your computer from outside your WAN use the fwknop client like so:

    fwknop -R -D <your-tomato-IP> -v -A tcp/2222 --nat-access=
    This will allow new incoming connections for 30 seconds from the IP of your client (with "-R") to connect to Tomato's port 2222, which will forward to port 22 of the internal computer.

    But when I do this I get an error that iptables doesn't support '-m comment --comment blah'. Thinking the comments might not be required, I removed them from the source code, but it doesn't work correctly because the iptables comments are used to find the iptables rules to close the ports.

    Does anyone know how to get 'iptables' to support '-m comment'? Or is there some other way to get this working? Please share.
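    The following shell script is an added example, not from the thread or the fwknop project. It reads the fwknopd.conf/fwknopd.access pair shown above, refuses the placeholder key and an access file readable by other local users, and derives the client command whose --server-proto/--server-port match the PCAP_FILTER the daemon actually sniffs (a mismatch there is the usual reason a knock is silently ignored). The paths, the 16-character minimum key length and the 203.0.113.1 router address are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the fwknop project: pre-flight checks for the
# fwknopd.conf/fwknopd.access pair from the post, plus the matching client command.
# File paths, the 16-char minimum and the placeholder key are assumptions.

# Protocol and port fwknopd sniffs, taken from PCAP_FILTER ("udp dst port 62201").
spa_proto_from_conf() { awk '$1 == "PCAP_FILTER" { print $2; exit }' "$1"; }
spa_port_from_conf()  { awk '$1 == "PCAP_FILTER" { print $NF; exit }' "$1"; }

# Interface fwknopd listens on; on Tomato vlan2 is the WAN side, br0 the LAN bridge.
spa_intf_from_conf()  { awk '$1 == "PCAP_INTF" { print $2; exit }' "$1"; }

# Shared key from the access file named by ACCESS_FILE.
access_key() { awk '$1 == "KEY" { print $2; exit }' "$1"; }

# Reject the post's placeholder key and anything short: once the SPA port is known,
# the key is all that stands between an attacker and a forged knock.
key_is_sane() {   # $1 = key
    [ -n "$1" ] && [ "$1" != "mysecretpassword" ] && [ "${#1}" -ge 16 ]
}

# Client command that matches the daemon's filter: -R resolves our public IP so the
# opened rule only admits that address; $3 is the access request, e.g. tcp/2222.
client_cmd() {   # $1 = fwknopd.conf, $2 = router IP, $3 = access string
    proto=$(spa_proto_from_conf "$1"); port=$(spa_port_from_conf "$1")
    printf 'fwknop -R -D %s --server-proto=%s --server-port=%s -A %s' \
        "$2" "$proto" "$port" "$3"
}

# Full pre-flight, run on the router: returns 0 only if every check passes.
check_config() {   # $1 = fwknopd.conf
    conf=$1
    acc=$(awk '$1 == "ACCESS_FILE" { print $2; exit }' "$conf")
    [ -r "$acc" ] || { echo "ACCESS_FILE $acc not readable" >&2; return 1; }
    key_is_sane "$(access_key "$acc")" \
        || { echo "weak or placeholder KEY in $acc" >&2; return 1; }
    # A group/other-readable access file hands the key to any local process.
    case $(ls -l "$acc" | cut -c5-10) in
        *r*|*w*) echo "$acc is readable by group/other, chmod 600 it" >&2; return 1 ;;
    esac
    [ "$(spa_intf_from_conf "$conf")" = br0 ] \
        && echo "warning: PCAP_INTF br0 is the LAN bridge; use the WAN interface for real use" >&2
    return 0
}
```

Run check_config against the daemon's config before starting fwknopd, then use the string from client_cmd on the outside machine; the same two awk helpers are what you would use to keep a port-80 variant of the filter and the client's --server-port in step.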

  2. ntest7

    ntest7 Network Guru Member

    I believe iptables would need to be built with that module enabled.
  3. rhester72

    rhester72 Network Guru Member

    Due to kernel variations between builds, I can all-but-guarantee this will end in tears. However, if you're running some variant of K26, you might get lucky.

    Get these:


    Put in a directory on its own somewhere (assuming you don't already have custom iptables libraries), then softlink /etc/iptext to that directory (so iptables knows where to look for yours). Put xt_comment.ko wherever you like and insmod it. To test:

    iptables -A INPUT -p tcp --dport 12345 -m comment --comment blah -j ACCEPT

    If that doesn't blow up with something like:

    iptables: No chain/target/match by that name

    then you _might_ not be screwed (but loadable kernel modules can fail in wild and mysterious ways, friends!).

    If it worked, check it with:

    iptables -L INPUT -nv | grep blah

    and you should see something like:

    0 0 ACCEPT tcp -- * * tcp dpt:12345 /* blah */

    (that little comment on the end is key - if you don't see it, you're screwed).

    Assuming you're STILL not screwed, undo that with:

    iptables -D INPUT -p tcp --dport 12345 -m comment --comment blah -j ACCEPT

    and retest fwknop. And pray. A lot.

    Good luck! :)

    Rodney, STILL wishing for a consistent kernel tree amongst all flavors of Tomato K26 *sigh*
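    The script below is an added example (not rhester72's code or anything from fwknop) that turns the manual test above into a repeatable probe: it adds a throwaway INPUT rule tagged with a comment unique to this run, checks that the comment actually shows up in the listing (the part that matters, since fwknopd locates its own rules by that comment), and removes the rule again whether or not the check passed. The module path and the port 12345 are assumptions; the listing parser is split out so it can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the thread: probe whether this router's iptables (plus an
# xt_comment.ko you have insmod'ed) really honours "-m comment", using a throwaway
# rule with a per-run tag so nothing is left behind. Module path is an assumption.

# Load the comment match if the kernel does not already have it.
load_comment_module() {   # $1 = path to xt_comment.ko (assumed location)
    lsmod | grep -q '^xt_comment' || insmod "$1"
}

# Return 0 if an "iptables -L INPUT -nv" listing fed on stdin contains a rule
# carrying the comment $1; iptables prints it as "/* tag */" at the end of the rule.
comment_rule_present() {
    grep -qF "/* $1 */"
}

# Number of listed rules carrying comment $1; used to confirm the cleanup worked.
comment_rule_count() {
    grep -cF "/* $1 */" || true
}

# Build the rule's match/target part once so -A and -D get identical arguments;
# iptables -D only removes a rule whose specification matches exactly.
probe_rule_spec() {   # $1 = port, $2 = tag
    printf '%s' "-p tcp --dport $1 -m comment --comment $2 -j ACCEPT"
}

# Full probe: insert into INPUT, check the listing, remove. Needs root and a real
# iptables; returns 0 only if the comment is both accepted and visible.
probe_comment_match() {   # $1 = port (default 12345)
    port=${1:-12345}
    tag="fwknopprobe$$"
    spec=$(probe_rule_spec "$port" "$tag")
    # shellcheck disable=SC2086  # word-splitting of $spec is intended
    if ! iptables -A INPUT $spec 2>/dev/null; then
        echo "iptables rejected -m comment: module missing or built against another kernel" >&2
        return 1
    fi
    if iptables -L INPUT -nv | comment_rule_present "$tag"; then
        rc=0
    else
        echo "rule inserted but comment not listed: fwknopd will not find its rules" >&2
        rc=1
    fi
    # shellcheck disable=SC2086
    iptables -D INPUT $spec
    if [ "$(iptables -L INPUT -nv | comment_rule_count "$tag")" != 0 ]; then
        echo "cleanup failed: probe rule still present" >&2
        rc=1
    fi
    return $rc
}
```

Running probe_comment_match after load_comment_module gives a single exit status to act on before pointing fwknopd at the box; a zero exit with the comment visible is the same "you're not screwed" condition described in the post, just without leaving the test rule in INPUT if you forget the -D step.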
  4. dailyglen

    dailyglen Networkin' Nut Member

    Hi Rodney,

    With all the dire warnings about screwing myself I wasn't sure I should do it but your "Good luck" encouraged me on.

    I'm glad to say it works perfectly! This is the best way to open ports on your router (until there is a better way:))!

    Just a few notes on how to set things up better. The "fwknopd.conf" file in my first post is only good for opening ports on the router. If you want to do a NAT to another computer or a local NAT to remap ports on your router you set it up like this in fwknopd.conf:
    ACCESS_FILE /tmp/mnt/router/apps/fwknopd.access
    PCAP_INTF vlan2
    PCAP_FILTER udp dst port 62201
    Here are some examples I tried (note for my testing I used "PCAP_INTF br0" in fwknopd.conf since I'm testing it on my internal network):
    # Make tcp port 8021 on Tomato NAT to 80 (close after 500 seconds)
    # Note: I increased the time the port stays open since each new page on Tomato asks
    # for a new tcp connection.  Since it is only open to the IP address I specified, it is not a big deal
    fwknop -a -D -v -A tcp/8021 --nat-local --nat-port 80 --fw-timeout 500
    # Open tcp port 8021 on Tomato ( and forward it to port 22 on
    # Note: Once logged in via ssh the connection will stay alive after the ports close
    fwknop -a -D -v -A tcp/8021 --nat-access,22
    ssh -p 8021 $USER@
    Opening the ports to the WAN adds a few more issues, because my work only allows a few open outgoing ports. So I can't send a packet to port 62201 because it is blocked. So instead I use tcp/80 since that is almost always open wherever you go. So in your "fwknopd.conf" use:
    ACCESS_FILE /tmp/mnt/router/apps/fwknopd.access
    PCAP_INTF vlan2
    PCAP_FILTER tcp dst port 80
    And then from your fwknop client use:
    fwknop -R -D --server-port=80 --server-proto=tcp -v -A tcp/80 --nat-access
    ssh -p 80 $ 
    Now what I would really like to do is get access to the Tomato https port admin page externally without turning on my remote Admin Access. I can't get this to work. Here's what I've tried:
    # Get access to Tomato web page over https (with Admin access off)
    # These don't work:
    # Open port 443:
    fwknop -R -D --server-port=80 --server-proto=tcp -v -A tcp/443
    # Local NAT of external port 53 to 443
    fwknop -R -D --server-port=80 --server-proto=tcp -v -A tcp/53 --nat-local --nat-port 443
    If anyone could help figure this out I would appreciate it.

    Rodney, for other people that want to enjoy this, what hardware do you expect your iptables comment libraries to work on? It would be great if other people could join in on the encrypted port knocking fun!

    Thanks again Rodney!
  5. rhester72

    rhester72 Network Guru Member

    In theory, the iptables library should work against any TomatoUSB, and the kernel module *may* work on any K26 build (it depends entirely on how patched it is...or not). There's no real way to tell short of trying.

  6. ArmoredDragoon

    ArmoredDragoon Networkin' Nut Member

    Anywhere I can get ahold of those precompiled kernel modules?