I know there are plenty of pages floating around the Internet about knock daemons that open ports in a firewall after a predefined series of ports are “knocked”. For some reason ALL the pages I found assumed that a) you want the filter in your INPUT chain, and that the INPUT chain defaulted to DROP or REJECT.
In my case, I’m definitely not going to have an iptables firewall with a default that drops packets. Every few weeks I try out some new software and can’t be bothered with adjusting my firewall every time. All I need it to do is keep pesky people off my ssh, that’s all.
So here is a short tutorial on how to set up a knock daemon with an ACCEPT default for INPUT:
/etc/knockd.conf
```ini
[options]
    UseSyslog

[opencloseSSH]
    sequence      = 76:udp,123:tcp,7630:tcp,1921:udp
    seq_timeout   = 25
    tcpflags      = syn,ack
    start_command = /sbin/iptables -I SSH-Knock 2 -s %IP% -p tcp --dport 22 --syn -j ACCEPT
    cmd_timeout   = 20
    stop_command  = /sbin/iptables -D SSH-Knock -s %IP% -p tcp --dport 22 --syn -j ACCEPT
```
iptables:
```sh
# Dedicated chain so the rest of INPUT can stay at its ACCEPT default
iptables -N SSH-Knock
# Only new ssh traffic is sent through the knock chain
iptables -A INPUT -p tcp --dport 22 -j SSH-Knock
# Rule 1: keep already-open ssh sessions alive
iptables -A SSH-Knock -m state --state ESTABLISHED,RELATED -j ACCEPT
# Last rule: everything else is refused; knockd inserts the per-host
# ACCEPT at position 2, i.e. between these two rules
iptables -A SSH-Knock -j REJECT --reject-with icmp-port-unreachable
/etc/init.d/iptables save
```
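Because the whole setup depends on the knock rule landing between the ESTABLISHED accept and the REJECT, it is worth checking the chain now and then. The following shell check is an added example, not part of the original post: it parses the output of `iptables -S SSH-Knock` (the sample output below is constructed) and fails if the chain has a different shape or contains an over-broad hole.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check the SSH-Knock chain.
# Input is the text of `iptables -S SSH-Knock`. The chain is sane when rule 1 is
# the ESTABLISHED,RELATED accept, the last rule is the REJECT, and everything
# in between is a per-source hole of the exact shape knockd inserts
# (-I SSH-Knock 2 -s %IP% -p tcp --dport 22 --syn -j ACCEPT, which
# iptables -S renders with --tcp-flags FIN,SYN,RST,ACK SYN).
KNOCK_RULE='^-A SSH-Knock -s [0-9./]* -p tcp .*--dport 22 .*SYN -j ACCEPT$'

chain_rules() { printf '%s\n' "$1" | grep '^-A SSH-Knock' || true; }

check_knock_chain() {
    rules=$(chain_rules "$1")
    total=$(printf '%s\n' "$rules" | grep -c '^-A' || true)
    [ "$total" -ge 2 ] || { echo "chain needs at least 2 rules, has $total" >&2; return 1; }
    case "$(printf '%s\n' "$rules" | sed -n '1p')" in
        *"state ESTABLISHED,RELATED -j ACCEPT") ;;
        *) echo "rule 1 is not the ESTABLISHED,RELATED accept" >&2; return 1 ;;
    esac
    case "$(printf '%s\n' "$rules" | sed -n '$p')" in
        *"-j REJECT"*) ;;
        *) echo "last rule is not the REJECT" >&2; return 1 ;;
    esac
    # Anything else must be a per-source hole; a rule without -s (or of any
    # other shape) opens port 22 to everyone until the chain is repaired.
    bad=$(printf '%s\n' "$rules" | sed '1d;$d' | grep -v "$KNOCK_RULE" || true)
    [ -z "$bad" ] || { echo "unexpected rule in chain: $bad" >&2; return 1; }
    return 0
}

# Number of knock holes open right now. knockd removes each one after
# cmd_timeout seconds, so a steadily growing count means stop_command fails.
count_open_knocks() {
    chain_rules "$1" | sed '1d;$d' | grep -c "$KNOCK_RULE" || true
}

# Constructed sample of `iptables -S SSH-Knock` while one host has knocked.
SAMPLE_OK='-N SSH-Knock
-A SSH-Knock -m state --state ESTABLISHED,RELATED -j ACCEPT
-A SSH-Knock -s 203.0.113.7/32 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A SSH-Knock -j REJECT --reject-with icmp-port-unreachable'
# Constructed bad state: a source-less ACCEPT that leaves ssh open to everyone.
SAMPLE_BAD='-N SSH-Knock
-A SSH-Knock -m state --state ESTABLISHED,RELATED -j ACCEPT
-A SSH-Knock -p tcp -m tcp --dport 22 -j ACCEPT
-A SSH-Knock -j REJECT --reject-with icmp-port-unreachable'

# On the live host: check_knock_chain "$(iptables -S SSH-Knock)" && echo sane
```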