Last Updated: February 25, 2016 · pierre-o

Knock my Port!

Have you ever wondered how to do it like in secret agent movies: they knock on the door with a secret sequence and the door opens! You can do it with your server too! (or a RasPi ;)

Prepare your firewall

Edit /etc/iptables.test.rules:

*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept local network traffic; change this range to match your home network
-A INPUT -s 192.168.1.0/24 -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
#-A INPUT -p tcp --dport 80 -j ACCEPT
#-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections 
#-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Now you should read up on iptables rules and consider whether ssh access 
# for everyone is really desired. Most likely you will only allow access from certain IPs.

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

Activate these new rules:

iptables-restore < /etc/iptables.test.rules

Once you are happy, save the new rules to the master iptables file:

iptables-save > /etc/iptables.up.rules

To activate these rules on boot, edit /etc/network/if-pre-up.d/iptables:

#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules

The file needs to be executable so change the permissions:

chmod +x /etc/network/if-pre-up.d/iptables

Set up knockd on the server

apt-get install knockd

And put this in /etc/knockd.conf:

[options]
    UseSyslog

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -j REJECT;/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT;/sbin/iptables -A INPUT -j REJECT;
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

To start it at boot, edit /etc/default/knockd:

(...)
START_KNOCKD=1
(...)

And start the daemon:

/etc/init.d/knockd start

Knock your port:

Watch iptables from your server:

watch iptables -L

Knock on your server's door from your workstation, toc toc toc:

wget http://www.zeroflux.org/proj/knock/files/knock-macos.tar.gz
tar xvzf knock-macos.tar.gz
server_ip=...
username=...
./knock $server_ip 7000 8000 9000 # open your SSH port
ssh $username@$server_ip
./knock $server_ip 9000 8000 7000 # close your SSH port

and enjoy!

For other clients, check this page: http://www.zeroflux.org/projects/knock/
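As an added example (not part of the original post), here is a small Python script that replays knockd's matching rules over the "iptables denied:" lines the LOG rule above writes to dmesg, so you can check from the server side which knocks would have opened the port, which failed on a wrong order, and which expired past seq_timeout. It assumes the sequence and timeout from the knockd.conf above and runs on constructed sample lines, not real captures.

```python
import re
SEQUENCE = (7000, 8000, 9000)   # same values as in /etc/knockd.conf above
SEQ_TIMEOUT = 5.0               # knockd's seq_timeout, in seconds from the first knock
LOG_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\] iptables denied: (?P<rest>.*)$")  # dmesg line from the LOG rule above
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log_line(line):
    """Return (timestamp, src_ip, dport) for a TCP packet whose only flag is SYN, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    if fields.get("PROTO") != "TCP" or {t for t in tokens if t in TCP_FLAGS} != {"SYN"}:
        return None                      # knockd's "tcpflags = syn" only counts bare SYNs
    return float(m.group("ts")), fields["SRC"], int(fields["DPT"])

def find_knocks(lines, sequence=SEQUENCE, timeout=SEQ_TIMEOUT):
    """Replay knockd's matching: per source the ports must arrive in order, a wrong port cancels
    the attempt, an attempt older than `timeout` expires. Returns [(src_ip, last_knock_time)]."""
    attempts, completed = {}, []         # src_ip -> (next_index, start_time)
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ts, src, dport = parsed
        idx, start = attempts.get(src, (0, ts))
        if idx and ts - start > timeout:             # expired: this packet can only start anew
            idx, start = 0, ts
        if dport != sequence[idx]:                   # wrong or out-of-order port: attempt fails
            attempts.pop(src, None)
            continue
        idx += 1
        if idx == len(sequence):
            completed.append((src, ts))
            attempts.pop(src, None)
        else:
            attempts[src] = (idx, start)
    return completed

def _line(ts, src, dport, flags):       # constructed dmesg line, not a real capture
    return (f"[{ts:10.6f}] iptables denied: IN=eth0 OUT= SRC={src} DST=192.168.1.10 "
            f"LEN=60 PROTO=TCP SPT=40000 DPT={dport} WINDOW=29200 RES=0x00 {flags} URGP=0")
SAMPLE_DMESG = [_line(*p) for p in [
    (1000.1, "203.0.113.5", 7000, "SYN"), (1001.2, "203.0.113.5", 8000, "SYN"),
    (1002.3, "203.0.113.5", 9000, "SYN"),   # full sequence within 5 s: SSH opens
    (1010.0, "198.51.100.7", 7000, "ACK"),  # not a bare SYN: ignored
    (1020.0, "192.0.2.9", 7000, "SYN"), (1021.0, "192.0.2.9", 8000, "SYN"),
    (1027.5, "192.0.2.9", 9000, "SYN")]]    # 7.5 s after the first knock: expired
```

Keep in mind that the LOG rule above is rate-limited to 5 packets per minute, so on a busy host not every knock shows up in dmesg; knockd's own syslog output (UseSyslog) remains the authoritative record.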

Set up your router

Don’t forget to let your router forward your SSH port and the ports used for knocking to the server.

Security concern

I advise you to drop the packets on the router side, and also in your firewall (iptables). If not, it’s quite easy, based on the response packets, to see which ports are open and to try them in a different order (based on the response, MAC address...). If you know how to drop packets in your firewall, you can share it with me in the comments.

But your SSH is well protected with your own generated key and doesn’t allow password authentication, right?

PS

A Physical PortKnock
http://www.engadget.com/2009/11/04/secret-knock-door-lock-defends-home-from-rhythmically-impaired/

The firewall part is mainly inspired by http://wiki.debian.org/iptables