
Step-by-step guide to quickly install the fwknop server program on CentOS 7

1. Install from rpm

  $ sudo yum install https://fwknop.com/downloads/centos7/fwknop-server-2.6.11-1.el7.x86_64.rpm \
https://fwknop.com/downloads/centos7/libfko-3.0.0-1.x86_64.rpm -y

Loaded plugins: fastestmirror, ovl
Examining rpm/fwknop-server-2.6.11-1.el7.x86_64.rpm: 1:fwknop-server-2.6.11-1.el7.x86_64
Marking rpm/fwknop-server-2.6.11-1.el7.x86_64.rpm to be installed
Examining rpm/libfko-3.0.0-1.x86_64.rpm: 1:libfko-3.0.0-1.x86_64
Marking rpm/libfko-3.0.0-1.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package fwknop-server.x86_64 1:2.6.11-1.el7 will be installed
--> Processing Dependency: iptables for package: 1:fwknop-server-2.6.11-1.el7.x86_64
Loading mirror speeds from cached hostfile
base | 3.6 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/4): base/7/x86_64/group_gz | 153 kB 00:00:00
(2/4): extras/7/x86_64/primary_db | 253 kB 00:00:00
(3/4): updates/7/x86_64/primary_db | 27 MB 00:00:01
(4/4): base/7/x86_64/primary_db | 6.1 MB 00:00:01
--> Processing Dependency: libpcap for package: 1:fwknop-server-2.6.11-1.el7.x86_64
--> Processing Dependency: qrencode for package: 1:fwknop-server-2.6.11-1.el7.x86_64
--> Processing Dependency: libpcap.so.1()(64bit) for package: 1:fwknop-server-2.6.11-1.el7.x86_64
---> Package libfko.x86_64 1:3.0.0-1 will be installed
--> Running transaction check
---> Package iptables.x86_64 0:1.4.21-35.el7 will be installed
--> Processing Dependency: libnfnetlink.so.0()(64bit) for package: iptables-1.4.21-35.el7.x86_64
--> Processing Dependency: libnetfilter_conntrack.so.3()(64bit) for package: iptables-1.4.21-35.el7.x86_64
---> Package libpcap.x86_64 14:1.5.3-13.el7_9 will be installed
---> Package qrencode.x86_64 0:3.4.1-3.el7 will be installed
--> Processing Dependency: libpng15.so.15(PNG15_0)(64bit) for package: qrencode-3.4.1-3.el7.x86_64
--> Processing Dependency: libpng15.so.15()(64bit) for package: qrencode-3.4.1-3.el7.x86_64
--> Running transaction check
---> Package libnetfilter_conntrack.x86_64 0:1.0.6-1.el7_3 will be installed
--> Processing Dependency: libmnl.so.0(LIBMNL_1.1)(64bit) for package: libnetfilter_conntrack-1.0.6-1.el7_3.x86_64
--> Processing Dependency: libmnl.so.0(LIBMNL_1.0)(64bit) for package: libnetfilter_conntrack-1.0.6-1.el7_3.x86_64
--> Processing Dependency: libmnl.so.0()(64bit) for package: libnetfilter_conntrack-1.0.6-1.el7_3.x86_64
---> Package libnfnetlink.x86_64 0:1.0.1-4.el7 will be installed
---> Package libpng.x86_64 2:1.5.13-8.el7 will be installed
--> Running transaction check
---> Package libmnl.x86_64 0:1.0.3-7.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================================
Package Arch Version Repository Size
=====================================================================================================================================
Installing:
fwknop-server x86_64 1:2.6.11-1.el7 /fwknop-server-2.6.11-1.el7.x86_64 190 k
libfko x86_64 1:3.0.0-1 /libfko-3.0.0-1.x86_64 244 k
Installing for dependencies:
iptables x86_64 1.4.21-35.el7 base 432 k
libmnl x86_64 1.0.3-7.el7 base 23 k
libnetfilter_conntrack x86_64 1.0.6-1.el7_3 base 55 k
libnfnetlink x86_64 1.0.1-4.el7 base 26 k
libpcap x86_64 14:1.5.3-13.el7_9 updates 139 k
libpng x86_64 2:1.5.13-8.el7 base 213 k
qrencode x86_64 3.4.1-3.el7 base 19 k

Transaction Summary
=====================================================================================================================================
Install 2 Packages (+7 Dependent packages)

Total size: 1.3 M
Total download size: 907 k
Installed size: 3.1 M
Downloading packages:
warning: /var/cache/yum/x86_64/7/base/packages/libmnl-1.0.3-7.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for libmnl-1.0.3-7.el7.x86_64.rpm is not installed
(1/7): libmnl-1.0.3-7.el7.x86_64.rpm | 23 kB 00:00:00
(2/7): libnetfilter_conntrack-1.0.6-1.el7_3.x86_64.rpm | 55 kB 00:00:00
(3/7): iptables-1.4.21-35.el7.x86_64.rpm | 432 kB 00:00:00
(4/7): libnfnetlink-1.0.1-4.el7.x86_64.rpm | 26 kB 00:00:00
(5/7): libpng-1.5.13-8.el7.x86_64.rpm | 213 kB 00:00:00
(6/7): qrencode-3.4.1-3.el7.x86_64.rpm | 19 kB 00:00:00
Public key for libpcap-1.5.3-13.el7_9.x86_64.rpm is not installed
(7/7): libpcap-1.5.3-13.el7_9.x86_64.rpm | 139 kB 00:00:00
-------------------------------------------------------------------------------------------------------------------------------------
Total 739 kB/s | 907 kB 00:00:01
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
Userid : "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"
Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
Package : centos-release-7-9.2009.0.el7.centos.x86_64 (@CentOS)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : libnfnetlink-1.0.1-4.el7.x86_64 1/9
Installing : 1:libfko-3.0.0-1.x86_64 2/9
Installing : 2:libpng-1.5.13-8.el7.x86_64 3/9
Installing : qrencode-3.4.1-3.el7.x86_64 4/9
Installing : libmnl-1.0.3-7.el7.x86_64 5/9
Installing : libnetfilter_conntrack-1.0.6-1.el7_3.x86_64 6/9
Installing : iptables-1.4.21-35.el7.x86_64 7/9
Installing : 14:libpcap-1.5.3-13.el7_9.x86_64 8/9
Installing : 1:fwknop-server-2.6.11-1.el7.x86_64 9/9
Verifying : 1:fwknop-server-2.6.11-1.el7.x86_64 1/9
Verifying : 14:libpcap-1.5.3-13.el7_9.x86_64 2/9
Verifying : libnfnetlink-1.0.1-4.el7.x86_64 3/9
Verifying : libmnl-1.0.3-7.el7.x86_64 4/9
Verifying : qrencode-3.4.1-3.el7.x86_64 5/9
Verifying : libnetfilter_conntrack-1.0.6-1.el7_3.x86_64 6/9
Verifying : 2:libpng-1.5.13-8.el7.x86_64 7/9
Verifying : 1:libfko-3.0.0-1.x86_64 8/9
Verifying : iptables-1.4.21-35.el7.x86_64 9/9

Installed:
fwknop-server.x86_64 1:2.6.11-1.el7 libfko.x86_64 1:3.0.0-1

Dependency Installed:
iptables.x86_64 0:1.4.21-35.el7 libmnl.x86_64 0:1.0.3-7.el7 libnetfilter_conntrack.x86_64 0:1.0.6-1.el7_3
libnfnetlink.x86_64 0:1.0.1-4.el7 libpcap.x86_64 14:1.5.3-13.el7_9 libpng.x86_64 2:1.5.13-8.el7
qrencode.x86_64 0:3.4.1-3.el7

Complete!
tip
  1. After executing the above command, iptables and its related dependencies are installed automatically
  2. fwknopd.conf and access.conf are generated automatically in /etc/fwknop
  3. After installation, a stanza opening ports 80 and 22 is generated in access.conf; KEY_BASE64 and HMAC_KEY_BASE64 are randomly generated and can be safely used
  4. If you encounter the error `Could not resolve host: mirrorlist.centos.org; Unknown error`, run the following commands
    sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*.repo && \
    sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*.repo
  5. This rpm package adds the --qr and --fw-console commands; the corresponding code can be found on GitHub

2. Initialize iptables

 $ sudo fwknopd --fw-console
Firewall Port Manager
====================
1. Initialize firewall (WARNING: Clears existing rules)
2. List current rules
3. Add port rule
4. Delete rule
0. Exit
====================
Select option: 1

Firewall Initialization
======================
WARNING: This will reset ALL firewall rules!
Recommended: Have physical console access or
a secondary SSH session open as backup.
Continue? (y/n): y

Configure additional ports to open (y/n)? y
The udp port 62201 listened to by fwknop will be added to the firewall rules.

Enter ports to open (protocol port, e.g., 'tcp 22' or 'udp 53')
Enter 'done' when finished (max 20 ports):
Port 2 (format 'proto port' or 'done'): tcp 22
Port 3 (format 'proto port' or 'done'): done
Validating rules file...
Executing: iptables-save > /tmp/iptables_backup.rules
Executing: iptables-save > /etc/sysconfig/iptables

Firewall initialized successfully.

Current INPUT Chain Rules:
=========================
Executing: iptables -L INPUT -n --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:62201
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

Firewall Port Manager
====================
1. Initialize firewall (WARNING: Clears existing rules)
2. List current rules
3. Add port rule
4. Delete rule
0. Exit
====================
Select option: 0
Exiting...
tip
  1. If some ports should be reachable without a knock, select 1 and answer y to "Configure additional ports to open" to add them. If the firewall has already been initialized, use 3 to add further open ports or 4 to delete ports that no longer need to be open.
  2. The above commands modify the iptables rules permanently (they are saved to /etc/sysconfig/iptables), so the changes remain in effect after the server restarts
  3. If you are unsure whether fwknop is working, add the SSH port to the open ports during initialization. After testing and verification, remove it from the rules.

3. Edit access.conf configuration

  $ sudo vim /etc/fwknop/access.conf
#### fwknopd access.conf stanzas ###

SOURCE ANY
OPEN_PORTS tcp/80,tcp/22
# Auto-generated by RPM install on 2025-05-28 03:32:02OURCE
KEY_BASE64 OHIgcH5Y4Lxz1NqeJaIKe3gmkXazgOoJ1OnXKsmejnw=
# Auto-generated by RPM install on 2025-05-28 03:32:02OURCE
HMAC_KEY_BASE64 h339j/t6kw109gZbp/NOHSlyiB7NcPg2iscNuqxySKL8KNzcg4gaNWt9xnvrno18+0HrJI/n1S6giPCQgdef5w==
REQUIRE_SOURCE_ADDRESS N
REQUIRE_USERNAME fwknop
tip

If you want to change KEY_BASE64 and HMAC_KEY_BASE64, run fwknopd --key-gen to generate new keys and replace the keys in the file with the generated values.

4. Start the fwknopd service

    $ sudo systemctl start fwknopd

5. Check the fwknopd status

    $ sudo systemctl status fwknopd
● fwknopd.service - LSB: start and stop fwknopd
Loaded: loaded (/etc/rc.d/init.d/fwknopd; bad; vendor preset: disabled)
Active: active (running) since Wed 2025-06-04 07:27:10 UTC; 2s ago
Docs: man:systemd-sysv-generator(8)
Process: 16704 ExecStart=/etc/rc.d/init.d/fwknopd start (code=exited, status=0/SUCCESS)
Tasks: 1
Memory: 1012.0K
CGroup: /system.slice/fwknopd.service
└─16711 fwknopd

Jun 04 07:27:10 fwknop-001 fwknopd[16711]: 'filter' table 'FWKNOP_INPUT' chain exists
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: create_chain() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT' (r...rr: )
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: rule_exists_chk_support() CMD: '/sbin/iptables -C INPUT -t filter...ame.)
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: rule_exists_chk_support() Rule : '-t filter -j FWKNOP_INPUT' in I...exist
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: jump_rule_exists_chk_support() jump rule not found
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKN...rr: )
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: comment_match_exists() CMD: '/sbin/iptables -t filter -I INPUT 1 ...rr: )
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: iptables 'comment' match is available
Jun 04 07:27:10 fwknop-001 fwknopd[16711]: Kicking off UDP server to listen on port 62201.
tip

Active: active (running) indicates that fwknopd has started successfully

6. Show the QR code for the fwknop client

 $ sudo fwknopd --qr
SPA_SERVER_PROTO:udp SPA_SERVER_PORT:62201 ALLOW_IP:resolve ACCESS:tcp/80,tcp/22 SPA_SERVER: KEY_BASE64:OHIgcH5Y4Lxz1NqeJaIKe3gmkXazgOoJ1OnXKsmejnw= HMAC_KEY_BASE64:h339j/t6kw109gZbp/NOHSlyiB7NcPg2iscNuqxySKL8KNzcg4gaNWt9xnvrno18+0HrJI/n1S6giPCQgdef5w== USE_HMAC:Y SPOOF_USER:fwknop FW_TIMEOUT:60

(QR code image encoding the client configuration above)

tip

By installing the fwknop client on your mobile device, you can configure the client quickly by scanning this QR code.
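As an added sanity check, not part of this guide or of fwknop itself: the script below parses an access.conf stanza shaped like the one in step 3 and a --qr payload shaped like the one in step 6, verifies that the keys decode to the lengths fwknopd --key-gen produces (32-byte key, 64-byte HMAC key), validates OPEN_PORTS, and cross-checks that the client payload matches the server stanza. The sample inputs are constructed with placeholder keys rather than the values printed in the guide; the REQUIRE_SOURCE_ADDRESS finding reflects the fwknopd access.conf semantics (Y rejects SPA packets whose allow IP is 0.0.0.0).

```python
import base64
import re

# Constructed sample inputs modelled on steps 3 and 6; keys are fixed placeholder bytes.
SAMPLE_KEY = base64.b64encode(b"\x01" * 32).decode()
SAMPLE_HMAC = base64.b64encode(b"\x02" * 64).decode()
ACCESS_CONF = f"""SOURCE ANY
OPEN_PORTS tcp/80,tcp/22
KEY_BASE64 {SAMPLE_KEY}
HMAC_KEY_BASE64 {SAMPLE_HMAC}
REQUIRE_SOURCE_ADDRESS N
REQUIRE_USERNAME fwknop
"""
QR_PAYLOAD = (f"SPA_SERVER_PROTO:udp SPA_SERVER_PORT:62201 ALLOW_IP:resolve "
              f"ACCESS:tcp/80,tcp/22 SPA_SERVER: KEY_BASE64:{SAMPLE_KEY} "
              f"HMAC_KEY_BASE64:{SAMPLE_HMAC} USE_HMAC:Y SPOOF_USER:fwknop FW_TIMEOUT:60")

def parse_stanza(text):
    """access.conf stanza: one 'KEY value' per line; '#' comments and blanks are skipped."""
    lines = (l.strip() for l in text.splitlines())
    return dict(l.split(None, 1) for l in lines if l and not l.startswith("#"))

def parse_qr(payload):
    """--qr payload: whitespace-separated KEY:VALUE tokens (SPA_SERVER may be empty)."""
    return dict(tok.split(":", 1) for tok in payload.split())

def decoded_len(b64):
    """Decoded key length, or -1 if the value is not strict base64."""
    try:
        return len(base64.b64decode(b64, validate=True))
    except (ValueError, TypeError):
        return -1

def check(conf, qr):
    """Return findings; an empty list means the stanza and the QR payload agree."""
    findings = []
    if decoded_len(conf.get("KEY_BASE64", "")) != 32:       # --key-gen emits a 32-byte key
        findings.append("KEY_BASE64 is not a valid 32-byte base64 key")
    if decoded_len(conf.get("HMAC_KEY_BASE64", "")) != 64:  # and a 64-byte HMAC key
        findings.append("HMAC_KEY_BASE64 is not a valid 64-byte base64 key")
    for entry in conf.get("OPEN_PORTS", "").split(","):
        m = re.match(r"^(tcp|udp)/(\d{1,5})$", entry)
        if not m or not 1 <= int(m.group(2)) <= 65535:
            findings.append(f"bad OPEN_PORTS entry: {entry!r}")
    if conf.get("REQUIRE_SOURCE_ADDRESS") != "Y":
        findings.append("REQUIRE_SOURCE_ADDRESS N: clients may send allow IP 0.0.0.0 (-s)")
    for ckey, qkey in (("KEY_BASE64", "KEY_BASE64"), ("HMAC_KEY_BASE64", "HMAC_KEY_BASE64"),
                       ("OPEN_PORTS", "ACCESS"), ("REQUIRE_USERNAME", "SPOOF_USER")):
        if conf.get(ckey) != qr.get(qkey):
            findings.append(f"{ckey} in access.conf differs from {qkey} in the QR payload")
    return findings
```

Run check(parse_stanza(...), parse_qr(...)) against your own /etc/fwknop/access.conf stanza and the string printed by fwknopd --qr; with the guide's defaults the only finding is the REQUIRE_SOURCE_ADDRESS note.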