On Tue, Jun 07, 2011 at 09:33:44AM -0500, Steven Buehler wrote:
> We have a system that is locked down and you have to use a key to get ssh
> access to it. We have employees and customers that are on dynamic IP's that
> keep switching. They don't have root access. What I am trying to do is
> create a script that they can log into and it will get their current IP
> address and open the firewall for a specified length of time. Once open,
> they would still have to use their public/private key to ssh into it. I
> agree this isn't perfect, but it is better than just leaving that port open
> to the world all the time.

You probably want to use the "recent" module. You need to add something like
this to your /etc/sysconfig/iptables:

# this is necessary to allow already connected sessions
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# simple port knocking
-A INPUT -p tcp -m state --state NEW -m tcp --dport 12345 -m recent --set --name remotessh --rsource
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --rcheck --seconds 300 --name remotessh --rsource -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

This is a simple "knock" that requires that you send a packet to port 12345
on the host (it doesn't matter if it fails. You could simply hit
http://hostname:12345/ and it would work.) Once you've done that, you have
5 minutes (300 seconds) to connect to the SSH port. Once you've connected,
all further traffic is granted by the RELATED,ESTABLISHED state rule at the
top, which is probably already in your iptables rules. Any other connections
are blocked.

The 'recent' module publishes the currently "allowed" IPs in
/proc/net/ipt_recent/remotessh (for this example in RHEL5) if you want to
monitor it somehow. In newer kernels on Fedora, it's /proc/net/xt_recent/.
If you're really paranoid, you can change the 2 port knocking lines above
into:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 12344 -m recent --remove --name remotessh --rsource
-A INPUT -p tcp -m state --state NEW -m tcp --dport 12345 -m recent --set --name remotessh --rsource
-A INPUT -p tcp -m state --state NEW -m tcp --dport 12346 -m recent --remove --name remotessh --rsource
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --rcheck --seconds 300 --name remotessh --rsource -j ACCEPT

This way, if someone port-scans the host, they won't get added to the list of
allowed ports because it'll be immediately removed as the port scans are
typically traversing ports incrementally.

--
Jonathan Billings <jsbillin@xxxxxxxxx>
College of Engineering - CAEN - Unix and Linux Support

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
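The following is an added example, not part of Jonathan's reply or of any Red Hat tooling. It does not run iptables; it models the `--set`, `--rcheck --seconds` and `--remove` semantics of the recent module in Python and replays a few constructed packet traces through the two rule sets above (the simple knock and the "paranoid" variant), so the claim that an incremental port scan removes the scanner from the list can be checked offline. Only NEW TCP packets are modelled, since the RELATED,ESTABLISHED rule handles everything after the first accepted SYN. Port numbers, the 300-second window, and the source labels "a", "b", "c" are taken from or constructed for this example.

```python
from dataclasses import dataclass, field

SSH_PORT = 22
KNOCK_PORT = 12345              # --dport 12345 ... -m recent --set
CLEAR_PORTS = (12344, 12346)    # the two --remove rules of the paranoid variant
WINDOW = 300                    # --rcheck --seconds 300


@dataclass
class RecentList:
    """Models one named list of the recent module (here 'remotessh').
    Simplification: the real module also caps the list size and tracks hit
    counts, which are not needed for these rules."""
    last_seen: dict = field(default_factory=dict)   # src -> time of last --set

    def set(self, src, now):
        self.last_seen[src] = now           # --set: add or refresh the entry

    def remove(self, src):
        self.last_seen.pop(src, None)       # --remove: drop the entry if present

    def rcheck(self, src, now, seconds):
        # --rcheck --seconds N: match only if src is listed and was set
        # within the last N seconds; rcheck itself does not refresh the entry
        t = self.last_seen.get(src)
        return t is not None and now - t <= seconds


def filter_packet(lst, src, dport, now, paranoid=False):
    """Verdict for one NEW TCP packet, applying the rules in the order the
    post gives them. Rules without -j only update the list and fall through
    to the final REJECT."""
    if paranoid and dport == CLEAR_PORTS[0]:
        lst.remove(src)                     # 12344: --remove, then fall through
    if dport == KNOCK_PORT:
        lst.set(src, now)                   # 12345: --set, then fall through
    if paranoid and dport == CLEAR_PORTS[1]:
        lst.remove(src)                     # 12346: --remove, then fall through
    if dport == SSH_PORT and lst.rcheck(src, now, WINDOW):
        return "ACCEPT"                     # port 22 within the window
    return "REJECT"                         # icmp-host-prohibited


def run(packets, paranoid=False):
    """packets: list of (time_seconds, src, dport). Returns one verdict per
    packet, with a fresh 'remotessh' list for the trace."""
    lst = RecentList()
    return [filter_packet(lst, src, dport, t, paranoid) for t, src, dport in packets]


# Constructed traces (times in seconds, sources are labels, not real IPs).
KNOCK_THEN_SSH = [(0, "a", 12345), (10, "a", 22)]
KNOCK_TOO_LATE = [(0, "a", 12345), (400, "a", 22)]
INCREMENTAL_SCAN = [(0, "b", 12344), (1, "b", 12345), (2, "b", 12346), (3, "b", 22)]
NO_KNOCK = [(0, "c", 22)]

if __name__ == "__main__":
    print("knock then ssh      :", run(KNOCK_THEN_SSH))
    print("knock, ssh after 400s:", run(KNOCK_TOO_LATE))
    print("scan, simple rules  :", run(INCREMENTAL_SCAN))
    print("scan, paranoid rules:", run(INCREMENTAL_SCAN, paranoid=True))
    print("ssh without knock   :", run(NO_KNOCK))
```

The trace to watch is INCREMENTAL_SCAN: with the simple two-rule knock the scanner's probe of 12345 lists it and the later SYN to 22 is accepted, whereas with the paranoid variant the probe of 12346 removes it again and the SYN to 22 is rejected. A scanner that probes ports in random order, or 22 before 12346, is not covered by that trick, which is why the SSH key remains the real control; the knock only shrinks the exposure window.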