Security

Submission + - Port Forwarding via Single Packet Authorization (cipherdyne.org)

michaelrash writes: "Most port knocking or Single Packet Authorization implementations offer the ability to passively authenticate clients for access only to a locally running server (such as SSHD). That is, the daemon that monitors a firewall log or that sniffs the wire for port knock sequences or SPA packets can only reconfigure a local firewall to allow the client to access a local socket. For local servers, this works well enough, but suppose that you are on travel and that you ultimately want to access an SSH daemon that is running on an internal system with a non-routable IP? If the SPA software is deployed on a Linux gateway that is protecting a non-routable internal network and has a routable external IP address, it is inconvenient to first have to log in to the gateway and then log in to the internal system. The latest release of fwknop supports the automatic creation of iptables NAT rules to allow temporary access directly to internal systems by forwarding a connection on through the gateway system directly to an internal server. Such access is granted only after a valid SPA packet (i.e., non-replayed and encrypted either via a shared Rijndael key or via GnuPG) is passively sniffed off the wire. It is no longer necessary to log in to the gateway system first and use it as a jump point for access to internal systems."
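The gateway-side mechanics described in the submission, written out as an added example (this is not fwknop's code and does not use its wire format): once an SPA packet has been accepted, the gateway inserts a DNAT rule in nat/PREROUTING plus a matching ACCEPT in filter/FORWARD that are scoped to one source address and one internal host:port, remembers a digest of the raw packet so that a replayed copy is refused, and deletes the rules again when their lifetime runs out. Decryption and signature checking of the packet are assumed to have already happened; the plaintext format `<client_ip>,<proto>/<internal_ip>:<port>`, the `SpaGateway` class, and the `apply` dry-run switch are all constructed for this example.

```python
import hashlib
import subprocess
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessRequest:
    client_ip: str
    internal_ip: str
    port: int
    proto: str = "tcp"


def parse_request(payload: str) -> AccessRequest:
    """Parse an already-decrypted access request. The format
    '<client_ip>,<proto>/<internal_ip>:<port>' is constructed for this
    example; it is not fwknop's packet format."""
    client, target = payload.strip().split(",", 1)
    proto, hostport = target.split("/", 1)
    host, port = hostport.rsplit(":", 1)
    port_num = int(port)
    if proto not in ("tcp", "udp") or not 0 < port_num < 65536:
        raise ValueError("malformed access request")
    return AccessRequest(client, host, port_num, proto)


def forward_rules(req: AccessRequest, ext_iface: str) -> list:
    """The two rules that carry one client's connection through the gateway
    to the internal host. Each entry is (table, chain, rule spec). An
    existing ESTABLISHED,RELATED accept in FORWARD is assumed for the
    return traffic, and the internal host is assumed to route replies
    back through this gateway."""
    dnat = ("nat", "PREROUTING",
            ["-i", ext_iface, "-p", req.proto, "-s", req.client_ip,
             "--dport", str(req.port), "-j", "DNAT",
             "--to-destination", f"{req.internal_ip}:{req.port}"])
    accept = ("filter", "FORWARD",
              ["-i", ext_iface, "-p", req.proto, "-s", req.client_ip,
               "-d", req.internal_ip, "--dport", str(req.port),
               "-j", "ACCEPT"])
    return [dnat, accept]


def iptables_cmd(rule, action: str) -> list:
    """Render a rule as an iptables argv. '-I' inserts at the head of the
    chain so the temporary accept takes effect ahead of a trailing deny;
    '-D' removes exactly that rule again."""
    table, chain, spec = rule
    return ["iptables", "-t", table, action, chain] + spec


@dataclass
class SpaGateway:
    ext_iface: str = "eth0"
    ttl: float = 30.0            # seconds the rules stay in place
    apply: bool = False          # False: return the commands without running them
    seen: set = field(default_factory=set)       # SHA-256 of accepted packets
    active: list = field(default_factory=list)   # (expiry, rules) pairs

    def _run(self, cmd: list) -> list:
        if self.apply:
            subprocess.run(cmd, check=True)
        return cmd

    def grant(self, raw_packet: bytes, plaintext: str, src_ip: str, now: float):
        """Insert forwarding rules for a valid request, or return None when
        the packet is a replay or names a client other than the sender."""
        digest = hashlib.sha256(raw_packet).hexdigest()
        if digest in self.seen:
            return None                      # replayed packet: no rules
        req = parse_request(plaintext)
        if req.client_ip != src_ip:
            return None                      # design choice here: must match the sender
        self.seen.add(digest)
        rules = forward_rules(req, self.ext_iface)
        self.active.append((now + self.ttl, rules))
        return [self._run(iptables_cmd(r, "-I")) for r in rules]

    def expire(self, now: float) -> list:
        """Delete every rule set whose lifetime has passed; return the
        commands issued so the caller can log them."""
        removed, still = [], []
        for expiry, rules in self.active:
            if expiry <= now:
                removed += [self._run(iptables_cmd(r, "-D")) for r in rules]
            else:
                still.append((expiry, rules))
        self.active = still
        return removed
```

Leaving `apply=False` (the default) makes the object return the exact `iptables` argument lists it would execute, which is the form you want when reviewing what a grant would open before deploying anything; the digest cache is what enforces the "non-replayed" condition the submission mentions, and it should be persisted across daemon restarts if the packets' own timestamps do not bound replay on their own.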
