port knocking using recent module

Dear list,

I am testing port knocking implemented with the "recent" module. All
works well, I was wondering if I could somehow modify the rules
(below), so that by knocking from host_A, the ssh port would open for
host_B. One possibility is to fake the source IP while port knocking
(hping3 -p 100 -a $HOST_2 11.22.33.44). That works, but I would prefer
to implement this using iptables.

 # Baseline: ICMP, loopback, and packets belonging to existing connections
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -s 127.0.0.0/8 -i lo -j ACCEPT
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

 # Sources with 3 or more failed knocks in the last 60 s are dropped outright
 -A INPUT -m recent --rcheck --seconds 60 --hitcount 3 --name RATE_LIMIT -j DROP

 # Dispatch on how far the source has got in the sequence (most advanced state first)
 -A INPUT -m recent --rcheck --seconds 5 --name KNOCK3 --rsource -j STATE3
 -A INPUT -m recent --rcheck --seconds 5 --name KNOCK2 --rsource -j STATE2
 -A INPUT -m recent --rcheck --seconds 5 --name KNOCK1 --rsource -j STATE1

 # State 0: forget any partial sequence, accept only the first knock (port 100)
 -A INPUT -m recent --remove --name KNOCK1 --rsource
 -A INPUT -m recent --remove --name KNOCK2 --rsource
 -A INPUT -m recent --remove --name KNOCK3 --rsource
 -A INPUT -p tcp -m tcp --dport 100 -m recent --set --name KNOCK1 --rsource -j DROP
 -A INPUT -m recent --set --name RATE_LIMIT --rsource -j DROP
 -A INPUT -j DROP

 # State 1: next knock must be port 200
 -A STATE1 -m recent --remove --name KNOCK1 --rsource
 -A STATE1 -m recent --remove --name KNOCK2 --rsource
 -A STATE1 -m recent --remove --name KNOCK3 --rsource
 -A STATE1 -p tcp -m tcp --dport 200 -m recent --set --name KNOCK2 --rsource -j DROP
 -A STATE1 -m recent --set --name RATE_LIMIT --rsource -j DROP
 -A STATE1 -j DROP

 # State 2: next knock must be port 300
 -A STATE2 -m recent --remove --name KNOCK1 --rsource
 -A STATE2 -m recent --remove --name KNOCK2 --rsource
 -A STATE2 -m recent --remove --name KNOCK3 --rsource
 -A STATE2 -p tcp -m tcp --dport 300 -m recent --set --name KNOCK3 --rsource -j DROP
 -A STATE2 -m recent --set --name RATE_LIMIT --rsource -j DROP
 -A STATE2 -j DROP

 # State 3: sequence complete, the next packet may open SSH (conntrack carries the rest)
 -A STATE3 -m recent --remove --name KNOCK1 --rsource
 -A STATE3 -m recent --remove --name KNOCK2 --rsource
 -A STATE3 -m recent --remove --name KNOCK3 --rsource
 -A STATE3 -p tcp -m tcp --dport 22 -j ACCEPT
 -A STATE3 -m recent --set --name RATE_LIMIT --rsource -j DROP
 -A STATE3 -j DROP
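The ruleset in the post above is one instance (three knocks, 5 s window, SSH on 22) of a general state machine: each chain forgets every partial sequence for the source, advances on exactly one port, and otherwise counts a failure. As an added example, not the poster's rules, the POSIX sh generator below emits that machine for any number of knock ports in iptables-restore format, so the sequence can be changed without hand-editing N chains. The function names (gen_knock_rules, emit_reset, emit_fail), the chain names STATE<n> and the list names KNOCK<n>/RATE_LIMIT are assumptions of this example; the 60 s / 3-hit rate limit and the --rsource keying are kept from the post, which means every list entry is the address of the knocking packet itself.

```shell
#!/bin/sh
# Added example (not the original poster's rules): generate an N-stage
# port-knocking ruleset for the iptables "recent" module.
#
# Usage:  gen_knock_rules PROTECTED_PORT WINDOW_SECONDS KNOCK_PORT...
# e.g.    gen_knock_rules 22 5 100 200 300 | iptables-restore
#
# Assumed names: chains STATE<n>, recent lists KNOCK<n> and RATE_LIMIT.

# emit_reset CHAIN N: forget every partial sequence held for this source.
# Rules without a target fall through, so all N lists are cleared.
emit_reset() {
    j=1
    while [ "$j" -le "$2" ]; do
        echo "-A $1 -m recent --remove --name KNOCK$j --rsource"
        j=$((j + 1))
    done
}

# emit_fail CHAIN: any other packet counts as a failed knock and is dropped.
emit_fail() {
    echo "-A $1 -m recent --set --name RATE_LIMIT --rsource -j DROP"
    echo "-A $1 -j DROP"
}

gen_knock_rules() {
    protected=$1
    window=$2
    shift 2
    n=$#
    [ "$n" -ge 1 ] || { echo "need at least one knock port" >&2; return 1; }
    # Reject anything that is not a plain port number before emitting rules.
    for p in "$protected" "$window" "$@"; do
        case $p in
            ''|*[!0-9]*) echo "not a number: '$p'" >&2; return 1 ;;
        esac
    done
    for p in "$protected" "$@"; do
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
    done

    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    k=1
    while [ "$k" -le "$n" ]; do
        echo ":STATE$k - [0:0]"
        k=$((k + 1))
    done

    # Baseline, as in the post.
    echo '-A INPUT -s 127.0.0.0/8 -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -p icmp -j ACCEPT'
    echo '-A INPUT -m recent --rcheck --seconds 60 --hitcount 3 --name RATE_LIMIT --rsource -j DROP'

    # Dispatch: most advanced state first, each entry valid for $window seconds.
    k=$n
    while [ "$k" -ge 1 ]; do
        echo "-A INPUT -m recent --rcheck --seconds $window --name KNOCK$k --rsource -j STATE$k"
        k=$((k - 1))
    done

    # State 0 lives at the tail of INPUT; state k lives in chain STATEk.
    # Each one advances on exactly one knock port and fails on anything else.
    chain=INPUT
    k=0
    for p in "$@"; do
        k=$((k + 1))
        emit_reset "$chain" "$n"
        echo "-A $chain -p tcp -m tcp --dport $p -m recent --set --name KNOCK$k --rsource -j DROP"
        emit_fail "$chain"
        chain=STATE$k
    done

    # Final state: the sequence is complete, one SYN to the protected port is
    # accepted and conntrack's ESTABLISHED rule carries the connection from there.
    emit_reset "$chain" "$n"
    echo "-A $chain -p tcp -m tcp --dport $protected -j ACCEPT"
    emit_fail "$chain"
    echo 'COMMIT'
}

# Set KNOCK_DEMO=1 to print the three-knock ruleset from the post.
if [ "${KNOCK_DEMO:-}" = 1 ]; then
    gen_knock_rules 22 5 100 200 300
fi
```

Run it with the post's parameters (22 5 100 200 300) and the output is the posted ruleset, modulo comments and an explicit DROP policy; feed it to iptables-restore only after checking the baseline rules suit the host, since it replaces the whole filter table. Because every rule keys on --rsource, the address that ends up whitelisted is always the one that sent the knocks; the host_A/host_B question in the post is not something this generator changes.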