Port knocking

From Notes_Wiki

Home > CentOS > CentOS 6.x > Iptables configuration > Port knocking

We can use iptables for port knocking. If port knocking is configured, a client must first attempt to connect to a set of selected ports (which are closed) in a pre-defined order before some other port becomes available to that client for a limited time. For example, we can configure iptables so that a client must access ports 100, 200, 300 and 400 in that order before he/she can ssh to the given machine within the next 60 seconds. A sample complete iptables configuration with port knocking enabled is:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2147:437568]
:INTO-PHASE1 - [0:0]
:INTO-PHASE2 - [0:0]
:INTO-PHASE3 - [0:0]
:INTO-PHASE4 - [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 100 -j INTO-PHASE1 
-A INPUT -p tcp -m tcp --dport 200 -m recent --rcheck --name PHASE1 --rsource -j INTO-PHASE2 
-A INPUT -p tcp -m tcp --dport 300 -m recent --rcheck --name PHASE2 --rsource -j INTO-PHASE3 
-A INPUT -p tcp -m tcp --dport 400 -m recent --rcheck --name PHASE3 --rsource -j INTO-PHASE4 
-A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 60 --name PHASE4 --rsource -j ACCEPT 
-A INTO-PHASE1 -m recent --remove --name PHASE2 --rsource 
-A INTO-PHASE1 -m recent --remove --name PHASE3 --rsource 
-A INTO-PHASE1 -m recent --remove --name PHASE4 --rsource 
-A INTO-PHASE1 -m recent --set --name PHASE1 --rsource 
-A INTO-PHASE1 -j LOG --log-prefix "INTO PHASE1: " 
-A INTO-PHASE2 -m recent --remove --name PHASE1 --rsource 
-A INTO-PHASE2 -m recent --set --name PHASE2 --rsource 
-A INTO-PHASE2 -j LOG --log-prefix "INTO PHASE2: " 
-A INTO-PHASE3 -m recent --remove --name PHASE2 --rsource 
-A INTO-PHASE3 -m recent --set --name PHASE3 --rsource 
-A INTO-PHASE3 -j LOG --log-prefix "INTO PHASE3: " 
-A INTO-PHASE4 -m recent --remove --name PHASE3 --rsource 
-A INTO-PHASE4 -m recent --set --name PHASE4 --rsource 
-A INTO-PHASE4 -j LOG --log-prefix "INTO PHASE4: " 
-A INPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "denied_connection_attempt_"
-A INPUT -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -j REJECT --reject-with icmp-port-unreachable 
COMMIT

The above configuration was learned from http://www.debian-administration.org/articles/268
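Added example, not code from this wiki page or the linked article: a small Python model of the PHASE1..PHASE4 "recent" lists in the ruleset above, so the behaviour of the rules (reset on a new knock to port 100, intermediate phases that never expire, the 60 second window on port 22) can be checked without loading them into a firewall. KnockState and run_sequence are assumed names; the ports and window are the page's.

```python
# Added example, not from this wiki page or the linked article: a model of the
# PHASE1..PHASE4 "recent" lists in the ruleset above, used to check which packet
# sequences actually open port 22. KnockState and run_sequence are assumed names.
KNOCK_PORTS = [100, 200, 300, 400]   # knock sequence from the ruleset, in order
PROTECTED_PORT = 22
WINDOW_SECONDS = 60                  # the --seconds 60 on the PHASE4 check

class KnockState:
    """Models the PHASE1..PHASE4 'recent' lists, each keyed by source address."""

    def __init__(self):
        # phase number -> {source address: time the entry was --set}
        self.lists = {i: {} for i in range(1, len(KNOCK_PORTS) + 1)}

    def _rcheck(self, phase, src, now, seconds=None):
        # --rcheck: the entry must exist; with --seconds it must also be recent enough.
        # The intermediate phases use no --seconds, so they never expire (as in the ruleset).
        ts = self.lists[phase].get(src)
        return ts is not None and (seconds is None or now - ts <= seconds)

    def packet(self, src, dport, now):
        """Decision of the INPUT chain for a new TCP connection from src to dport."""
        if dport == KNOCK_PORTS[0]:
            # INTO-PHASE1: forget any later phases for this source and start over
            for phase in range(2, len(KNOCK_PORTS) + 1):
                self.lists[phase].pop(src, None)
            self.lists[1][src] = now
            return "REJECT"          # the knock port itself is still closed
        for phase in range(1, len(KNOCK_PORTS)):
            # INTO-PHASE(n+1): advance only if the source already reached phase n
            if dport == KNOCK_PORTS[phase] and self._rcheck(phase, src, now):
                self.lists[phase].pop(src, None)
                self.lists[phase + 1][src] = now
                return "REJECT"
        if dport == PROTECTED_PORT and self._rcheck(len(KNOCK_PORTS), src, now, WINDOW_SECONDS):
            return "ACCEPT"
        return "REJECT"              # everything else reaches the final REJECT rule

def run_sequence(events):
    """events: list of (src, dport, seconds_since_start); returns one decision per event."""
    state = KnockState()
    return [state.packet(src, dport, t) for src, dport, t in events]

if __name__ == "__main__":
    # Constructed sample: a correct knock from one source, then SSH within the window
    knocks = [("192.0.2.10", port, i) for i, port in enumerate(KNOCK_PORTS)]
    print(run_sequence(knocks + [("192.0.2.10", 22, 10)]))
```

Knocks in the wrong order leave the source at the phase it had already reached, and a second knock on port 100 from the same source discards everything later, exactly as the INTO-PHASE1 chain does.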
