1

I have a working port knocking setup for SSH on Linux using only iptables rules and the “recent” module following this tutorial: https://wiki.archlinux.org/index.php/Port_knocking#Port_knocking_with_iptables_only .

Now my problem is that several networks like my work network block traffic to non-standard ports like 22, 80, 443, so I can‘t send my knock packets. On the other hand, my mobile internet allows them.

As a workaround I would like to open the SSH port whenever the correct knocking sequence is sent from any host, not just the same host.

is there some way to achieve that with iptables? E.g. I could imagine a “state switch” or global variable that can be switched on by one rule and checked by another rule. It would fall back to “off” after a timeout.

hfs
  • 135
  • You should give a try to FWknop. It is more secure than standard port knocking and you can configure such things inside it. – Jakuje Oct 30 '16 at 15:40

1 Answers1

1

I would suggest to go knockd route. It's simpler this way. Only instead of using this default config

[openSSH]
        sequence    = 7000,8000,9000
        seq_timeout = 10
        tcpflags    = syn
        command     = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

  [closeSSH]
        sequence    = 9000,8000,7000
        seq_timeout = 10
        tcpflags    = syn
        command     = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

You would use this one (Note -s %IP% removed)

[openSSH]
        sequence    = 7000,8000,9000
        seq_timeout = 10
        tcpflags    = syn
        command     = /usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

  [closeSSH]
        sequence    = 9000,8000,7000
        seq_timeout = 10
        tcpflags    = syn
        command     = /usr/sbin/iptables -D INPUT -p tcp --dport 22 -j ACCEPT
Dmitry Zayats
  • 241