Dr. Small

You are about 1 day behind me, because I just discovered that problem and solution yesterday.

Here is the solution

Although the fwknop daemon modifies the iptables ruleset, it does so through a secondary process that doesn't conflict with any rules in place prior to running the program. The way I wrote the tutorial, I basically flushed and deleted the current ruleset, although in a working environment you would probably just want to keep your existing ruleset and avoid this step. Basically, if you have your iptables set up the way you want (through Firestarter, by hand, whatever method), you can continue using these rules EXCEPT you would probably want to change port 22 (or whatever port you are using with fwknop) to a default DROP stance.

You also want to include the following within the iptables ruleset:

sudo /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/iptables -A INPUT ! -i lo -j DROP
sudo /sbin/iptables -A FORWARD ! -i lo -j DROP
These lines, for example, would keep existing connections (or forwarded connections) open when the ssh rule changes from ACCEPT to DROP after 30 seconds (or whatever you have specified). That way the ssh connection will be maintained.

If you want, I can extend the tutorial to work with GPG keys. I didn't include this originally because I didn't know what kind of response I was going to get. It's fairly easy to do, however, if you have worked with GnuPG before.

Also, if you could either post or upload your changes, or write up the changes you made to make this work on Arch, it would be great (or just submit them to the author directly).

Thanks, hopefully that clarifies things.
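As an added example (not part of the post above, and not fwknop's own code), here is a complete ruleset that puts the advice above into practice: the SSH port is DROP by default, ESTABLISHED,RELATED traffic is accepted ahead of the catch-all DROP so a session stays up after fwknopd removes its ACCEPT rule, and a small check confirms that ordering. It assumes SSH on port 22 (override with SSH_PORT), one pre-existing service (HTTP on 80) that should stay reachable, and that fwknopd inserts its own ACCEPT rules ahead of these, which is its default behaviour (a jump to its FWKNOP_INPUT chain at the top of INPUT); verify that on your host with `iptables -L INPUT -n --line-numbers`.

```shell
#!/bin/sh
# Added example (not from the post above): a minimal iptables ruleset for a
# host whose SSH port is opened only by fwknopd. Assumptions: SSH on port 22
# (override with SSH_PORT), one pre-existing service (HTTP on 80) that stays
# reachable, and fwknopd inserting its own ACCEPT rules ahead of these (its
# default: a jump to its FWKNOP_INPUT chain at position 1 of INPUT).
SSH_PORT="${SSH_PORT:-22}"

# Emit the ruleset in iptables-restore(8) format. Rule order is the point:
# the ESTABLISHED,RELATED ACCEPT comes before the catch-all DROP, so an SSH
# session opened while fwknopd's ACCEPT rule was live keeps working after
# fwknopd removes that rule (30 seconds later by default).
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
# keep already-open connections (and related ones, e.g. ICMP errors) alive;
# "-m state --state" is the older spelling of the same match
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# a pre-existing service that stays open (constructed example)
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# new SSH connections are dropped unless fwknodp has opened the port;
# redundant with the DROP policy, but it makes the intent visible
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j DROP
# everything else off loopback is dropped
-A INPUT ! -i lo -j DROP
-A FORWARD ! -i lo -j DROP
COMMIT
EOF
}

# Sanity check: print "ok" if the INPUT conntrack ACCEPT precedes the
# catch-all DROP, "bad" otherwise (appending the DROP first is the classic
# mistake that kills the SSH session the moment fwknopd's rule expires).
check_order() {
    ruleset | awk '
        $2 == "INPUT" && /ESTABLISHED,RELATED/ && !keep { keep = NR }
        $2 == "INPUT" && /-j DROP$/ && /! -i lo/ { drop = NR }
        END { if (keep && drop && keep < drop) print "ok"; else print "bad" }'
}

# Load the ruleset. iptables-restore replaces the filter table, so run this
# before starting fwknopd (or pass --noflush and feed only the new lines)
# if you want to keep rules that are already in place.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: must run as root" >&2
        return 1
    fi
    ruleset | iptables-restore
}

case "${1:-}" in
    show)  ruleset ;;
    check) check_order ;;
    apply) apply_ruleset ;;
esac
```

Run `sh rules.sh show` to inspect the generated rules, `sh rules.sh check` to confirm the ordering, and `sudo sh rules.sh apply` to load them. The port-22 DROP and the `! -i lo` DROPs are redundant with the DROP chain policies but mirror the explicit rules the post recommends, so the intent survives if someone later switches a policy back to ACCEPT.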