The following rules let you through a basic firewall by sequential port knocking, opening SSH access for 5 seconds:
# ----------- BEGIN OF CUSTOM RULES -----------
#
# Note: Knock ports 100,200,300,400 to open SSH port for 5 seconds.
-N INTO-PHASE2
-A INTO-PHASE2 -m recent --name PHASE1 --remove
-A INTO-PHASE2 -m recent --name PHASE2 --set
-A INTO-PHASE2 -j LOG --log-prefix "INTO PHASE2: "
-A INTO-PHASE2 -j DROP
-N INTO-PHASE3
-A INTO-PHASE3 -m recent --name PHASE2 --remove
-A INTO-PHASE3 -m recent --name PHASE3 --set
-A INTO-PHASE3 -j LOG --log-prefix "INTO PHASE3: "
-A INTO-PHASE3 -j DROP
-N INTO-PHASE4
-A INTO-PHASE4 -m recent --name PHASE3 --remove
-A INTO-PHASE4 -m recent --name PHASE4 --set
-A INTO-PHASE4 -j LOG --log-prefix "INTO PHASE4: "
-A INTO-PHASE4 -j DROP
# Refresh the PHASE1 timestamp on every packet from a listed source (no target, so the packet continues down the chain)
-A INPUT -m recent --name PHASE1 --update
# Knock 1: record the source in PHASE1 (no target, so the packet falls through to the default policy)
-A INPUT -p tcp --dport 100 -i eth0 -m recent --set --name PHASE1
# Knocks 2-4: each counts only if the previous phase was reached; the INTO-PHASEn chain advances the state, logs, and drops the knock
-A INPUT -p tcp --dport 200 -m recent --rcheck --name PHASE1 -j INTO-PHASE2
-A INPUT -p tcp --dport 300 -m recent --rcheck --name PHASE2 -j INTO-PHASE3
-A INPUT -p tcp --dport 400 -m recent --rcheck --name PHASE3 -j INTO-PHASE4
# Finally accept SSH only from sources that reached PHASE4 within the last 5 seconds
-A INPUT -p tcp --dport 22 -i eth0 -m recent --rcheck --seconds 5 --name PHASE4 -j ACCEPT
#
# ------------ END OF CUSTOM RULES ------------
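To see what the four PHASE lists actually do, here is a small model of the rules above as the xt_recent module would track them, walking the INPUT rules in order for each packet and keeping one list per phase keyed by source address. This is an added example, not code from the original post. It assumes that the INPUT chain's default policy is DROP (so anything the custom rules do not ACCEPT is dropped), that the `-i eth0` match always holds, and that every packet is TCP; the client address 192.0.2.10 and the timings are constructed sample input.

```python
# Added example (not from the original post): a model of the four-phase
# knock rules as the xt_recent module would track them. Assumptions,
# labelled here and in the lead-in: the INPUT chain's default policy is
# DROP, the '-i eth0' interface match always holds, and every packet is TCP.

KNOCK_PORTS = (100, 200, 300, 400)   # knock sequence from the post
SSH_PORT = 22
OPEN_WINDOW = 5.0                    # '--seconds 5' on the final --rcheck


class RecentList:
    """One xt_recent list: source address -> timestamp of the last --set/--update."""

    def __init__(self):
        self.entries = {}

    def set(self, src, now):
        """--set: add the source, or refresh it if already listed."""
        self.entries[src] = now

    def update(self, src, now):
        """--update: refresh the timestamp only if the source is listed."""
        if src in self.entries:
            self.entries[src] = now
            return True
        return False

    def rcheck(self, src, now, seconds=None):
        """--rcheck [--seconds N]: test membership without touching the timestamp."""
        if src not in self.entries:
            return False
        return seconds is None or (now - self.entries[src]) <= seconds

    def remove(self, src):
        """--remove: forget the source."""
        self.entries.pop(src, None)


class KnockFirewall:
    """Walks the INPUT rules from the post, in order, one packet at a time."""

    def __init__(self):
        self.phase = {n: RecentList() for n in (1, 2, 3, 4)}
        self.log = []   # what the LOG targets in the INTO-PHASEn chains would write

    def _into_phase(self, src, now, n):
        # INTO-PHASEn: leave the previous list, join this one, log, then DROP the knock itself
        self.phase[n - 1].remove(src)
        self.phase[n].set(src, now)
        self.log.append(f"INTO PHASE{n}: SRC={src}")
        return "DROP"

    def packet(self, now, src, dport):
        """Return the verdict (ACCEPT/DROP) for one TCP packet from src to dport at time now."""
        self.phase[1].update(src, now)                  # rule 1: refresh PHASE1; no target, so continue
        if dport == KNOCK_PORTS[0]:
            self.phase[1].set(src, now)                 # rule 2: first knock; no target, so continue
        if dport == KNOCK_PORTS[1] and self.phase[1].rcheck(src, now):
            return self._into_phase(src, now, 2)        # rule 3
        if dport == KNOCK_PORTS[2] and self.phase[2].rcheck(src, now):
            return self._into_phase(src, now, 3)        # rule 4
        if dport == KNOCK_PORTS[3] and self.phase[3].rcheck(src, now):
            return self._into_phase(src, now, 4)        # rule 5
        if dport == SSH_PORT and self.phase[4].rcheck(src, now, OPEN_WINDOW):
            return "ACCEPT"                             # rule 6: SSH within 5 s of the last knock
        return "DROP"                                   # assumed default policy of the INPUT chain


def run_sequence(packets):
    """Feed (time, src, dport) tuples through a fresh firewall; return the verdict list."""
    fw = KnockFirewall()
    return [fw.packet(t, src, dport) for (t, src, dport) in packets]


if __name__ == "__main__":
    client = "192.0.2.10"   # constructed sample address (RFC 5737 documentation range)
    in_order = [(0.0, client, 100), (0.5, client, 200), (1.0, client, 300),
                (1.5, client, 400), (2.0, client, 22)]
    print("in order:", run_sequence(in_order))
    late = in_order[:4] + [(7.0, client, 22)]          # SSH after the 5-second window
    print("too late:", run_sequence(late))
    shuffled = [(0.0, client, 400), (0.5, client, 100), (1.0, client, 200),
                (1.5, client, 300), (2.0, client, 22)]
    print("400 first:", run_sequence(shuffled))
```

Feeding the model a correct 100, 200, 300, 400 sequence followed by port 22 within 5 seconds yields ACCEPT on the last packet; the same knocks with port 22 arriving later than 5 seconds after the fourth knock, or any re-ordering of the knocks, leaves PHASE4 empty and the SSH packet falls through to the default policy. The model only covers the rules shown here; whatever else the surrounding firewall accepts is outside it.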
If you are knocking from a Windows client you can use the nmap tool. Download the command-line zip file nmap-5.21-win32.zip. Put the following in knockin.cmd:
@echo off
rem %1 is the host, %2..%5 are the four knock ports in order.
rem -PN skips host discovery, --max-retries 0 sends each probe once, and the
rem short host timeout keeps each knock brief; output is discarded via nul.
echo Knock in... %1
nmap -PN --host_timeout 1501 --max-retries 0 -p %2 %1 >nul 2>&1
nmap -PN --host_timeout 1501 --max-retries 0 -p %3 %1 >nul 2>&1
nmap -PN --host_timeout 1501 --max-retries 0 -p %4 %1 >nul 2>&1
nmap -PN --host_timeout 1501 --max-retries 0 -p %5 %1 >nul 2>&1
Run it as follows (assuming you are knocking on 192.168.1.100):
C:\Program Files\nmap-5.00>knockin.cmd 192.168.1.100 100 200 300 400
Right after you issue the above command, the SSH port stays open for 5 seconds. Use your favourite SSH client to log in. Just in case, have a look here.
Hi,
One thing to complain about :( the order of the knock sequence
doesn't matter in this setup.
If I use port 400 first and then the others, I can get access to my server,
and even if I mix the ports I can get access to my server
(works even with ip6tables).
Maybe a control chain or something like that could check if the knock sequence is in the right order.
But your knock idea with iptables is awesome and could replace an extra program like knockd etc. with some modification perhaps..
Thank you for bringing me onto this way of knocking on my Heaven's door.
Greetings from Germany,
MiDoX