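#!/usr/bin/env bash
# fwknop (Single Packet Authorization) lab notes: Ubuntu VM as the fwknopd
# server, Kali VM as the client.
#
# These are step-by-step notes rather than a script to run end to end: the
# "reset.sh" and "misc" sections are alternative iptables experiments that
# overlap each other, and the "2 drop all" section replaces both. Run one
# section at a time and check the chain with `sudo iptables -S INPUT`.
#
# Review notes (security):
#   - KEY and HMAC_KEY_BASE64 in access.conf below are the live SPA credentials
#     for this lab and are stored in plaintext in these notes. Treat them as
#     exposed; regenerate a fresh pair with `fwknopd --key-gen` (which emits
#     KEY_BASE64 + HMAC_KEY_BASE64) before reusing this setup anywhere else.
#   - The client config (.fwknoprc) holds the same keys and is fetched from a
#     public Dropbox share; anyone holding the link holds SPA access. Copy it
#     over an authenticated channel (scp from the server) instead.
#   - REQUIRE_SOURCE_ADDRESS Y is the right setting: fwknopd then refuses SPA
#     packets that request access for any source (0.0.0.0), so a captured or
#     replayed packet cannot open the port for a different address.
#   - Config-file contents are kept in no-op here-docs (`: <<'TAG'`) so the
#     text stays verbatim for copy/paste but is never executed as shell.

# ---- server: install ----
sudo apt install fwknop-server
sudo apt install vim

# Keep the packaged access.conf for reference. Note it stays root-owned
# after the mv, so the copy in ~/spa/ needs sudo to read.
mkdir spa
sudo mv /etc/fwknop/access.conf spa/
sudo vim /etc/fwknop/access.conf

# ---- /etc/fwknop/access.conf (contents) ----
# This file carries the keys: keep it root:root, mode 0600.
# OPEN_PORTS udp/1194: the port a valid SPA packet opens (presumably OpenVPN).
# FW_ACCESS_TIMEOUT 120: lifetime, in seconds, of the temporary ACCEPT rule
#   fwknopd inserts; the conntrack ESTABLISHED rules further down keep an
#   already-open session alive once that rule is removed.
# KEY testkeyphrase: a passphrase-style Rijndael key. A generated KEY_BASE64
#   is stronger; see the note at the top.
# NOTE(review): DATA_COLLECT_MODE looks like a daemon-level setting rather
#   than an access.conf directive — confirm against the sample access.conf
#   shipped with the fwknop-server package.
: <<'ACCESS_CONF'
SOURCE ANY
OPEN_PORTS udp/1194
DATA_COLLECT_MODE PCAP
FW_ACCESS_TIMEOUT 120
KEY testkeyphrase
HMAC_KEY_BASE64 oj+ws+7QAX9tbUNhdbqvcr5yVZeiD9y/UdFUneaLEgOsbqSph0XlAmLdnl9/hF2CGFHa9aq3JC3aiVBcymwNfg==
REQUIRE_SOURCE_ADDRESS Y
ACCESS_CONF

sudo vim /etc/fwknop/fwknopd.conf

# ---- /etc/fwknop/fwknopd.conf (contents) ----
# Sniff SPA packets on enp0s3; udp/62202 is fwknop's default SPA port.
: <<'FWKNOPD_CONF'
PCAP_INTF enp0s3;
PCAP_FILTER udp port 62202;
FWKNOPD_CONF

# ---- fwknopd.conf variant for NAT (forwarding through the VM) ----
# FIREWD_FORWARD_ACCESS puts the FWKNOP_FORWARD jump at position 1 of the
# FORWARD chain; fwknopd's INPUT jump is configured the same way, which is
# why the rules below are inserted at position 2, not 1.
: <<'FWKNOPD_CONF_NAT'
PCAP_INTF enp0s3;
PCAP_FILTER udp port 62202;
ENABLE_IPT_FORWARDING Y;
FIREWD_FORWARD_ACCESS ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1;
FWKNOPD_CONF_NAT

# ---- reset.sh: (re)install the udp/1194 and tcp/443 rules ----
# Delete whichever copies already exist (a missing rule makes -D fail, which
# is harmless here), then re-insert. Every insert uses position 2, so the
# second insert for each port (the ESTABLISHED,RELATED ACCEPT) lands *above*
# the DROP: replies for a session that fwknopd already authorized keep
# flowing after the temporary ACCEPT rule expires, everything else is
# dropped. Position 2 presumably leaves fwknopd's FWKNOP_INPUT jump at
# position 1 — verify with `sudo iptables -S INPUT` after fwknopd starts.
sudo iptables -D INPUT -p udp --dport 1194 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -D INPUT -p udp --dport 1194 -j DROP
sudo iptables -D INPUT -p tcp --dport 443 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -D INPUT -p tcp --dport 443 -j DROP
sudo iptables -I INPUT 2 -p udp --dport 1194 -j DROP
sudo iptables -I INPUT 2 -p udp --dport 1194 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -I INPUT 2 -p tcp --dport 443 -j DROP
sudo iptables -I INPUT 2 -p tcp --dport 443 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# ---- fwknop server ----
# -f: stay in the foreground, -v: verbose, so accepted/rejected SPA packets
# are visible on the terminal while testing.
sudo fwknopd -f -v

# ---- kali client: install ----
sudo apt-get install fwknop-client
cd ~
# .fwknoprc contains the SPA keys. Download it under umask 077 so the file is
# created without group/other permissions — with the original
# "wget, then chmod" order it is briefly world-readable under the default
# umask. The URL is quoted because the unquoted "?" is a glob character.
# See the review note at the top about fetching this from a public share.
(umask 077; wget 'https://www.dropbox.com/s/ag3azrrguermlhy/.fwknoprc?dl=0' -O .fwknoprc)
chmod 0600 .fwknoprc

# ---- send SPA ----
# -n dod selects the [dod] stanza in ~/.fwknoprc. -R makes the client look up
# its own public IP through an external web service and embed it in the SPA
# packet, which the server requires (REQUIRE_SOURCE_ADDRESS Y). When the
# public IP is known, `-a <ip>` does the same without the external lookup.
fwknop -n dod -R

# ---- misc: interface-bound (-i enp0s3) variant of reset.sh ----
# First attempt inserted the DROPs at position 1; that puts them above
# fwknopd's FWKNOP_INPUT jump if fwknopd was already running, so even an
# authorized SPA client is dropped. The position-2 inserts that follow are
# the corrected form, and the -D lines undo it again.
sudo iptables -I INPUT 1 -i enp0s3 -p tcp --dport 443 -j DROP
sudo iptables -I INPUT 1 -i enp0s3 -p udp --dport 1194 -j DROP
sudo iptables -S
sudo iptables -I INPUT 2 -i enp0s3 -p udp --dport 1194 -j DROP
sudo iptables -I INPUT 2 -i enp0s3 -p udp --dport 1194 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -I INPUT 2 -i enp0s3 -p tcp --dport 443 -j DROP
sudo iptables -I INPUT 2 -i enp0s3 -p tcp --dport 443 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo fwknopd -f -v
sudo iptables -D INPUT -i enp0s3 -p udp --dport 1194 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -D INPUT -i enp0s3 -p udp --dport 1194 -j DROP
sudo iptables -D INPUT -i enp0s3 -p tcp --dport 443 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -D INPUT -i enp0s3 -p tcp --dport 443 -j DROP
sudo iptables -L -n
sudo iptables -D INPUT -p udp --dport 1194 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -D INPUT -p udp --dport 1194 -j DROP
sudo iptables -D INPUT -p tcp --dport 443 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -D INPUT -p tcp --dport 443 -j DROP

# ---- time sync ----
# SPA packets carry a timestamp and fwknopd rejects ones that are too old
# (MAX_SPA_PACKET_AGE in fwknopd.conf), so client and server clocks must
# agree. `chronyd -q` steps the clock once and exits; it needs root —
# presumably run from a root shell here, since every other privileged
# command in these notes uses sudo.
chronyd -q
# https://ubuntu.com/server/docs/network-ntp

# ---- 2: drop all ----
# Final shape: REJECT the two service ports at the top, allow ESTABLISHED
# traffic for them at position 2, and DROP everything else below that.
# Caveats: the REJECTs at position 1 sit above fwknopd's FWKNOP_INPUT jump
# unless fwknopd is (re)started afterwards — check with `sudo iptables -S
# INPUT` — and the blanket DROP also cuts any SSH session to the VM that is
# not allowed by an earlier rule; keep console access to the VM.
sudo iptables -I INPUT 1 -p udp --dport 1194 -j REJECT
sudo iptables -I INPUT 1 -p tcp --dport 443 -j REJECT
sudo iptables -I INPUT 2 -j DROP
sudo iptables -I INPUT 2 -i enp0s3 -p tcp --dport 443 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -I INPUT 2 -i enp0s3 -p udp --dport 1194 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# ---- References ----
# [1] https://ubuntuqa.com/zh-tw/article/10698.html
# [2] https://ankur-a22.medium.com/creating-a-virtualbox-ubuntu-vm-and-using-iptables-to-only-allow-outgoing-requests-18b35945cbac
# [3] https://www.google.com/search?q=cloned+ubuntu+vm+iptables+not+working&sxsrf=ALiCzsZdpxMlPdgU0BDWmvdvcgXkaGV6XQ%3A1657876270907&ei=Li_RYrH1NsjqwQP0sJOIAg&ved=0ahUKEwixxNWxxvr4AhVIdXAKHXTYBCEQ4dUDCA4&uact=5&oq=cloned+ubuntu+vm+iptables+not+working&gs_lcp=Cgdnd3Mtd2l6EANKBAhBGAFKBAhGGABQlwNYyhNg2BVoBXAAeACAAUeIAYMDkgEBN5gBAKABAcABAQ&sclient=gws-wiz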