Hi,

got portknocking basically working, currently only for ssh (of course changed ports in my config ;) )

    define pkport1=123
    define pkport2=234
    define pkport3=345
    define pkport4=456

    chain PortKnock {
        tcp dport $pkport1 add @candidates_ipv4 {ip saddr . $pkport2 timeout 1s}
        tcp dport $pkport2 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip saddr . $pkport3 timeout 1s}
        tcp dport $pkport3 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip saddr . $pkport4 timeout 1s}
        tcp dport $pkport4 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 {ip saddr timeout 10s} log prefix "Successful v4 portknock: "
        tcp dport ssh ip saddr @clients_ipv4 ct count 5 counter accept comment "ratelimited ssh"
        tcp dport $guarded_ports ct state established,related counter accept
        iifname $ifexternal tcp dport $guarded_ports counter reject with tcp reset
    }

As far as I tested it, it opens the port (ssh) only for a short period (~5s), then closes it, so the connection needs to be established in this short time. After closing the connection the port gets closed too... so far so good.

IMHO I can increase the time with the timeout setting, right?

How to handle ports which have no permanent traffic like http(s)?

How to add the port-opening to the nat table (forwarding)? Have defined it like this (currently limited to internal interfaces by prefix "iifname != $ifwan"):

    fib daddr type local tcp dport https dnat to $iplxcweb:https

Regards
Frank
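The post shows only the knock chain, not the set definitions or the base chains it hangs off. Below is an added, complete ruleset in the same style (it is not Frank's config and not an official nftables example) that can be loaded as a file. It keeps the four-step candidates/clients pattern from the post and extends it in two ways: all chains live in one `ip` table so the nat prerouting chain can consult the same `clients_ipv4` set (sets are scoped to their table), and a `ct state established,related` accept runs before the knock logic so a session that was accepted inside the window survives the expiry of its `clients_ipv4` entry. Knock ports, the external interface name, the internal web host address, the 60s window and the `limit rate` statement (used here in place of the post's `ct count 5`) are all assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not the original poster's configuration.
# NOTE: "flush ruleset" replaces whatever is currently loaded.
flush ruleset

# All values below are placeholders / assumptions for the example.
define ifexternal    = "eth0"
define iplxcweb      = 10.10.0.20        # assumed internal web container
define pkport1       = 12001             # assumed knock sequence
define pkport2       = 12002
define pkport3       = 12003
define pkport4       = 12004
define guarded_ports = { 22, 443 }

table ip knock {
    # knock-in-progress state: source address . next port we expect
    set candidates_ipv4 {
        type ipv4_addr . inet_service
        flags dynamic,timeout
    }

    # addresses that completed the sequence; the element timeout is the
    # window in which NEW connections to the guarded ports are accepted
    set clients_ipv4 {
        type ipv4_addr
        flags dynamic,timeout
    }

    chain PortKnock {
        # each knock must arrive within 1s of the previous one
        tcp dport $pkport1 add @candidates_ipv4 { ip saddr . $pkport2 timeout 1s }
        tcp dport $pkport2 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . $pkport3 timeout 1s }
        tcp dport $pkport3 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . $pkport4 timeout 1s }
        # final knock: open the window (60s here instead of the post's 10s)
        tcp dport $pkport4 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 { ip saddr timeout 60s } log prefix "Successful v4 portknock: "
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        # keeps already accepted sessions alive after the window has expired
        ct state established,related accept
        ct state invalid drop
        iifname $ifexternal jump PortKnock
        # only a NEW ssh connection needs an open window; the limit is global, not per source
        iifname $ifexternal tcp dport 22 ct state new ip saddr @clients_ipv4 limit rate 5/minute counter accept comment "rate-limited ssh"
        iifname $ifexternal tcp dport $guarded_ports counter reject with tcp reset
    }

    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # forward https to the internal host only for addresses that knocked
        iifname $ifexternal fib daddr type local tcp dport 443 ip saddr @clients_ipv4 dnat to $iplxcweb:443
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # after dnat the destination is the internal host; still require a knocked source
        iifname $ifexternal ip saddr @clients_ipv4 ip daddr $iplxcweb tcp dport 443 ct state new counter accept
    }
}
```

Check the file with `nft -c -f knock.nft` before loading it with `nft -f knock.nft`; `nft list set ip knock clients_ipv4` then shows the remaining lifetime of each open window. Because both the nat and forward chains match on `@clients_ipv4`, an address that has not completed the sequence neither gets the DNAT nor passes the forward chain, and a session that was accepted in time keeps running on the `established,related` rule once the entry expires.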