Step-by-step: quickly installing the fwknop server on CentOS 7
1. Install from RPM
$ sudo yum install https://fwknop.com/downloads/centos7/fwknop-server-2.6.11-1.el7.x86_64.rpm \
https://fwknop.com/downloads/centos7/libfko-3.0.0-1.x86_64.rpm -y
Loaded plugins: fastestmirror, ovl
Examining rpm/fwknop-server-2.6.11-1.el7.x86_64.rpm: 1:fwknop-server-2.6.11-1.el7.x86_64
Marking rpm/fwknop-server-2.6.11-1.el7.x86_64.rpm to be installed
Examining rpm/libfko-3.0.0-1.x86_64.rpm: 1:libfko-3.0.0-1.x86_64
Marking rpm/libfko-3.0.0-1.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package fwknop-server.x86_64 1:2.6.11-1.el7 will be installed
--> Processing Dependency: iptables for package: 1:fwknop-server-2.6.11-1.el7.x86_64
Loading mirror speeds from cached hostfile
base | 3.6 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/4): base/7/x86_64/group_gz | 153 kB 00:00:00
(2/4): extras/7/x86_64/primary_db | 253 kB 00:00:00
(3/4): updates/7/x86_64/primary_db | 27 MB 00:00:01
(4/4): base/7/x86_64/primary_db | 6.1 MB 00:00:01
--> Processing Dependency: libpcap for package: 1:fwknop-server-2.6.11-1.el7.x86_64
--> Processing Dependency: qrencode for package: 1:fwknop-server-2.6.11-1.el7.x86_64
--> Processing Dependency: libpcap.so.1()(64bit) for package: 1:fwknop-server-2.6.11-1.el7.x86_64
---> Package libfko.x86_64 1:3.0.0-1 will be installed
--> Running transaction check
---> Package iptables.x86_64 0:1.4.21-35.el7 will be installed
--> Processing Dependency: libnfnetlink.so.0()(64bit) for package: iptables-1.4.21-35.el7.x86_64
--> Processing Dependency: libnetfilter_conntrack.so.3()(64bit) for package: iptables-1.4.21-35.el7.x86_64
---> Package libpcap.x86_64 14:1.5.3-13.el7_9 will be installed
---> Package qrencode.x86_64 0:3.4.1-3.el7 will be installed
--> Processing Dependency: libpng15.so.15(PNG15_0)(64bit) for package: qrencode-3.4.1-3.el7.x86_64
--> Processing Dependency: libpng15.so.15()(64bit) for package: qrencode-3.4.1-3.el7.x86_64
--> Running transaction check
---> Package libnetfilter_conntrack.x86_64 0:1.0.6-1.el7_3 will be installed
--> Processing Dependency: libmnl.so.0(LIBMNL_1.1)(64bit) for package: libnetfilter_conntrack-1.0.6-1.el7_3.x86_64
--> Processing Dependency: libmnl.so.0(LIBMNL_1.0)(64bit) for package: libnetfilter_conntrack-1.0.6-1.el7_3.x86_64
--> Processing Dependency: libmnl.so.0()(64bit) for package: libnetfilter_conntrack-1.0.6-1.el7_3.x86_64
---> Package libnfnetlink.x86_64 0:1.0.1-4.el7 will be installed
---> Package libpng.x86_64 2:1.5.13-8.el7 will be installed
--> Running transaction check
---> Package libmnl.x86_64 0:1.0.3-7.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=====================================================================================================================================
Package Arch Version Repository Size
=====================================================================================================================================
Installing:
fwknop-server x86_64 1:2.6.11-1.el7 /fwknop-server-2.6.11-1.el7.x86_64 190 k
libfko x86_64 1:3.0.0-1 /libfko-3.0.0-1.x86_64 244 k
Installing for dependencies:
iptables x86_64 1.4.21-35.el7 base 432 k
libmnl x86_64 1.0.3-7.el7 base 23 k
libnetfilter_conntrack x86_64 1.0.6-1.el7_3 base 55 k
libnfnetlink x86_64 1.0.1-4.el7 base 26 k
libpcap x86_64 14:1.5.3-13.el7_9 updates 139 k
libpng x86_64 2:1.5.13-8.el7 base 213 k
qrencode x86_64 3.4.1-3.el7 base 19 k
Transaction Summary
=====================================================================================================================================
Install 2 Packages (+7 Dependent packages)
Total size: 1.3 M
Total download size: 907 k
Installed size: 3.1 M
Downloading packages:
warning: /var/cache/yum/x86_64/7/base/packages/libmnl-1.0.3-7.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for libmnl-1.0.3-7.el7.x86_64.rpm is not installed
(1/7): libmnl-1.0.3-7.el7.x86_64.rpm | 23 kB 00:00:00
(2/7): libnetfilter_conntrack-1.0.6-1.el7_3.x86_64.rpm | 55 kB 00:00:00
(3/7): iptables-1.4.21-35.el7.x86_64.rpm | 432 kB 00:00:00
(4/7): libnfnetlink-1.0.1-4.el7.x86_64.rpm | 26 kB 00:00:00
(5/7): libpng-1.5.13-8.el7.x86_64.rpm | 213 kB 00:00:00
(6/7): qrencode-3.4.1-3.el7.x86_64.rpm | 19 kB 00:00:00
Public key for libpcap-1.5.3-13.el7_9.x86_64.rpm is not installed
(7/7): libpcap-1.5.3-13.el7_9.x86_64.rpm | 139 kB 00:00:00
-------------------------------------------------------------------------------------------------------------------------------------
Total 739 kB/s | 907 kB 00:00:01
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
Userid : "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"
Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
Package : centos-release-7-9.2009.0.el7.centos.x86_64 (@CentOS)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : libnfnetlink-1.0.1-4.el7.x86_64 1/9
Installing : 1:libfko-3.0.0-1.x86_64 2/9
Installing : 2:libpng-1.5.13-8.el7.x86_64 3/9
Installing : qrencode-3.4.1-3.el7.x86_64 4/9
Installing : libmnl-1.0.3-7.el7.x86_64 5/9
Installing : libnetfilter_conntrack-1.0.6-1.el7_3.x86_64 6/9
Installing : iptables-1.4.21-35.el7.x86_64 7/9
Installing : 14:libpcap-1.5.3-13.el7_9.x86_64 8/9
Installing : 1:fwknop-server-2.6.11-1.el7.x86_64 9/9
Verifying : 1:fwknop-server-2.6.11-1.el7.x86_64 1/9
Verifying : 14:libpcap-1.5.3-13.el7_9.x86_64 2/9
Verifying : libnfnetlink-1.0.1-4.el7.x86_64 3/9
Verifying : libmnl-1.0.3-7.el7.x86_64 4/9
Verifying : qrencode-3.4.1-3.el7.x86_64 5/9
Verifying : libnetfilter_conntrack-1.0.6-1.el7_3.x86_64 6/9
Verifying : 2:libpng-1.5.13-8.el7.x86_64 7/9
Verifying : 1:libfko-3.0.0-1.x86_64 8/9
Verifying : iptables-1.4.21-35.el7.x86_64 9/9
Installed:
fwknop-server.x86_64 1:2.6.11-1.el7 libfko.x86_64 1:3.0.0-1
Dependency Installed:
iptables.x86_64 0:1.4.21-35.el7 libmnl.x86_64 0:1.0.3-7.el7 libnetfilter_conntrack.x86_64 0:1.0.6-1.el7_3
libnfnetlink.x86_64 0:1.0.1-4.el7 libpcap.x86_64 14:1.5.3-13.el7_9 libpng.x86_64 2:1.5.13-8.el7
qrencode.x86_64 0:3.4.1-3.el7
Complete!
Tips
- After running the command above, iptables and its dependencies are installed automatically.
- fwknopd.conf and access.conf are generated automatically in /etc/fwknop.
- After installation, access.conf contains a stanza that opens ports 80 and 22; its KEY_BASE64 and HMAC_KEY_BASE64 are randomly generated and safe to use.
- If you run into the error
Could not resolve host: mirrorlist.centos.org; Unknown error
run the following commands:
sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*.repo && \
sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*.repo
- This RPM package adds the --qr and --fw-console commands; the code is available on GitHub.
2. Initialize iptables
$ sudo fwknopd --fw-console
Firewall Port Manager
====================
1. Initialize firewall (WARNING: Clears existing rules)
2. List current rules
3. Add port rule
4. Delete rule
0. Exit
====================
Select option: 1
Firewall Initialization
======================
WARNING: This will reset ALL firewall rules!
Recommended: Have physical console access or
a secondary SSH session open as backup.
Continue? (y/n): y
Configure additional ports to open (y/n)? y
The udp port 62201 listened to by fwknop will be added to the firewall rules.
Enter ports to open (protocol port, e.g., 'tcp 22' or 'udp 53')
Enter 'done' when finished (max 20 ports):
Port 2 (format 'proto port' or 'done'): tcp 22
Port 3 (format 'proto port' or 'done'): done
Validating rules file...
Executing: iptables-save > /tmp/iptables_backup.rules
Executing: iptables-save > /etc/sysconfig/iptables
Firewall initialized successfully.
Current INPUT Chain Rules:
=========================
Executing: iptables -L INPUT -n --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:62201
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Firewall Port Manager
====================
1. Initialize firewall (WARNING: Clears existing rules)
2. List current rules
3. Add port rule
4. Delete rule
0. Exit
====================
Select option: 0
Exiting...
Tips
- If some ports should be reachable without knocking, select 1, then answer y to "Configure additional ports to open" and add the ports that must be open. If the firewall has already been initialized, use 3 to add further open ports or 4 to delete ports that should not be open.
- The changes to the iptables rules made by the command above are permanent: they survive a server reboot.
- If you are not sure whether fwknop is working, add the SSH port to the open ports during initialization. Once you have tested and verified it, delete it from the rules.
3. Edit the access.conf configuration
$ sudo vim /etc/fwknop/access.conf
#### fwknopd access.conf stanzas ###
SOURCE ANY
OPEN_PORTS tcp/80,tcp/22
# Auto-generated by RPM install on 2025-05-28 03:32:02
KEY_BASE64 OHIgcH5Y4Lxz1NqeJaIKe3gmkXazgOoJ1OnXKsmejnw=
# Auto-generated by RPM install on 2025-05-28 03:32:02
HMAC_KEY_BASE64 h339j/t6kw109gZbp/NOHSlyiB7NcPg2iscNuqxySKL8KNzcg4gaNWt9xnvrno18+0HrJI/n1S6giPCQgdef5w==
REQUIRE_SOURCE_ADDRESS N
REQUIRE_USERNAME fwknop
Tips
If you want to change KEY_BASE64 and HMAC_KEY_BASE64, run fwknopd --key-gen to generate new keys, then replace the keys in the file with them.
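As an added check (example code written for this guide, not part of fwknop), the following Python script parses /etc/fwknop/access.conf stanzas in the format shown above and flags weak settings: a missing HMAC key, KEY_BASE64 or HMAC_KEY_BASE64 values that are short or not valid base64, an ASCII KEY passphrase, and SOURCE ANY. The embedded sample is the stanza above with its comments omitted; the minimum key lengths are this example's own thresholds, not values from fwknop.

```python
import base64
import binascii

# Constructed sample input: the stanza the RPM wrote to /etc/fwknop/access.conf
# in this guide (auto-generated comments omitted), used as the audit target.
SAMPLE_ACCESS_CONF = """\
SOURCE ANY
OPEN_PORTS tcp/80,tcp/22
KEY_BASE64 OHIgcH5Y4Lxz1NqeJaIKe3gmkXazgOoJ1OnXKsmejnw=
HMAC_KEY_BASE64 h339j/t6kw109gZbp/NOHSlyiB7NcPg2iscNuqxySKL8KNzcg4gaNWt9xnvrno18+0HrJI/n1S6giPCQgdef5w==
REQUIRE_SOURCE_ADDRESS N
REQUIRE_USERNAME fwknop
"""

def parse_access_conf(text):
    """Split access.conf into stanza dicts; every SOURCE line starts a new one."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no directives
        key, _, value = line.replace("\t", " ").partition(" ")
        if key == "SOURCE":
            stanzas.append({})
        if stanzas:
            stanzas[-1][key] = value.strip()
    return stanzas

def decoded_len(b64):
    """Byte length of a base64 value, or -1 if it is not valid base64."""
    try:
        return len(base64.b64decode(b64, validate=True))
    except (binascii.Error, ValueError):
        return -1

def audit_stanza(st, min_key=16, min_hmac=32):
    """Findings for one stanza (empty list = nothing flagged); the minimum lengths are
    this example's own policy, below the 32/64 bytes that fwknopd --key-gen emits."""
    findings = []
    if "HMAC_KEY_BASE64" in st and decoded_len(st["HMAC_KEY_BASE64"]) < min_hmac:
        findings.append("HMAC_KEY_BASE64 is short or not valid base64")
    elif "HMAC_KEY_BASE64" not in st and "HMAC_KEY" not in st:
        findings.append("no HMAC key: SPA packets are not authenticated before decryption")
    if "KEY_BASE64" in st and decoded_len(st["KEY_BASE64"]) < min_key:
        findings.append("KEY_BASE64 is short or not valid base64")
    elif "KEY" in st and "KEY_BASE64" not in st:
        findings.append("KEY is an ASCII passphrase; prefer KEY_BASE64 from fwknopd --key-gen")
    if st.get("SOURCE") == "ANY":
        findings.append("SOURCE ANY: SPA packets are accepted from any source address")
    return findings
```

Run it against the real file with `audit_stanza(s) for s in parse_access_conf(open("/etc/fwknop/access.conf").read())` after editing the keys, so a typo in a pasted key is caught before fwknopd is restarted.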
4. Start the fwknopd service
$ sudo systemctl start fwknopd
5. Check fwknopd status
$ sudo systemctl status fwknopd
● fwknopd.service - LSB: start and stop fwknopd
Loaded: loaded (/etc/rc.d/init.d/fwknopd; bad; vendor preset: disabled)
Active: active (running) since Wed 2025-06-04 07:27:10 UTC; 2s ago
Docs: man:systemd-sysv-generator(8)
Process: 16704 ExecStart=/etc/rc.d/init.d/fwknopd start (code=exited, status=0/SUCCESS)
Tasks: 1
Memory: 1012.0K
CGroup: /system.slice/fwknopd.service
└─16711 fwknopd
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: 'filter' table 'FWKNOP_INPUT' chain exists
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: create_chain() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT' (r...rr: )
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: rule_exists_chk_support() CMD: '/sbin/iptables -C INPUT -t filter...ame.)
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in I...exist
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: jump_rule_exists_chk_support() jump rule not found
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKN...rr: )
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: comment_match_exists() CMD: '/sbin/iptables -t filter -I INPUT 1 ...rr: )
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: iptables 'comment' match is available
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: Kicking off UDP server to listen on port 62201.
Tips
Active: active (running) means fwknopd has started successfully.
6. Display the QR code for the fwknop client
$ sudo fwknopd --qr
SPA_SERVER_PROTO:udp SPA_SERVER_PORT:62201 ALLOW_IP:resolve ACCESS:tcp/80,tcp/22 SPA_SERVER: KEY_BASE64:OHIgcH5Y4Lxz1NqeJaIKe3gmkXazgOoJ1OnXKsmejnw= HMAC_KEY_BASE64:h339j/t6kw109gZbp/NOHSlyiB7NcPg2iscNuqxySKL8KNzcg4gaNWt9xnvrno18+0HrJI/n1S6giPCQgdef5w== USE_HMAC:Y SPOOF_USER:fwknop FW_TIMEOUT:60