Port Knocking and Other Uses of 'Recent Match'

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

2020/02/16


Note

The techniques described in this article were superseded in Shorewall 4.5.19 with the introduction of Shorewall Events.

Note

The feature described in this article require 'Recent Match' in your iptables and kernel. See the output of shorewall show capabilities to see if you have that match.

What is Port Knocking?

Port knocking is a technique whereby attempting to connect to port A enables access to port B from that same host. For the example on which this article is based, see http://www.soloport.com/iptables.html which should be considered to be part of this documentation.

Implementing Port Knocking in Shorewall

In order to implement this solution, your iptables and kernel must support the 'recent match' extension (see FAQ 42).

In this example:

  1. Attempting to connect to port 1600 enables SSH access. Access is enabled for 60 seconds.

  2. Attempting to connect to port 1601 disables SSH access (note that in the article linked above, attempting to connect to port 1599 also disables access. This is an port scan defence as explained in the article).

To implement that approach:

  1. Add an action named SSHKnock (see the Action documentation). Leave the action.SSHKnock file empty.

  2. Create /etc/shorewall/SSHKnock with the following contents.

    use Shorewall::Chains;
    
    if ( $level ) {
        log_rule_limit( $level, 
                        $chainref, 
                        'SSHKnock',
                        'ACCEPT',
                        '',
                        $tag,
                        'add',
                        '-p tcp --dport 22   -m recent --rcheck --name SSH ' );
    
        log_rule_limit( $level,
                        $chainref,
                        'SSHKnock',
                        'DROP',
                        '',
                        $tag,
                        'add',
                        '-p tcp ! --dport 22 ' );
    }
    
    add_rule( $chainref, '-p tcp --dport 22   -m recent --rcheck --seconds 60 --name SSH          -j ACCEPT' );
    add_rule( $chainref, '-p tcp --dport 1599 -m recent                       --name SSH --remove -j DROP' );
    add_rule( $chainref, '-p tcp --dport 1600 -m recent                       --name SSH --set    -j DROP' );
    add_rule( $chainref, '-p tcp --dport 1601 -m recent                       --name SSH --remove -j DROP' );
    
    1;
  3. Now if you want to protect SSH access to the firewall from the Internet, add this rule in /etc/shorewall/rules:

    #ACTION          SOURCE            DEST           PROTO       DPORT
    SSHKnock         net               $FW            tcp         22,1599,1600,1601

    If you want to log the DROPs and ACCEPTs done by SSHKnock, you can just add a log level as in:

    #ACTION          SOURCE            DEST           PROTO       DPORT
    SSHKnock:info    net               $FW            tcp         22,1599,1600,1601
  4. Assume that you forward port 22 from external IP address 206.124.146.178 to internal system 192.168.1.5. In /etc/shorewall/rules:

    #ACTION          SOURCE            DEST            PROTO       DPORT         SPORT       ORIGDEST
    DNAT-            net               192.168.1.5     tcp         22            -           206.124.146.178
    SSHKnock         net               $FW             tcp         1599,1600,1601
    SSHKnock         net               loc:192.168.1.5 tcp         22            -           206.124.146.178

    Note

    You can use SSHKnock with DNAT on earlier releases provided that you omit the ORIGDEST entry on the second SSHKnock rule. This rule will be quite secure provided that you specify 'routefilter' on your external interface and have NULL_ROUTE_RFC1918=Yes in shorewall.conf.

For another way to implement Port Knocking, see the Manual Chain documentation.

Limiting Per-IP Connection Rate

This information has been moved to the Actions article.

Documentation


Frequently Used Articles

- FAQs - Manpages - Configuration File Basics - Beginner Documentation - Troubleshooting

Shorewall 4.4/4.5/4.6 Documentation

Shorewall 4.0/4.2 Documentation


Shorewall 5.0/5.1/5.2 HOWTOs and Other Articles

- 6to4 and 6in4 Tunnels - Accounting - Actions - Aliased (virtual) Interfaces (e.g., eth0:0) - Anatomy of Shorewall - Anti-Spoofing Measures - AUDIT Target support - Bandwidth Control - Blacklisting/Whitelisting - Bridge/Firewall - Building Shorewall from GIT - Commands - Compiled Programs - Configuration File Basics - DHCP - DNAT - Docker - Dynamic Zones - ECN Disabling by host or subnet - Events - Extension Scripts - Fallback/Uninstall - FAQs - Features - Fool's Firewall - Forwarding Traffic on the Same Interface - FTP and Shorewall - Helpers/Helper Modules - Installation/Upgrade - IPP2P - IPSEC - Ipsets - IPv6 Support - ISO 3661 Country Codes - Kazaa Filtering - Kernel Configuration - KVM (Kernel-mode Virtual Machine) - Limiting Connection Rates - Linux Containers (LXC) - Linux-vserver - Logging - Macros - MAC Verification - Manpages - Manual Chains - Masquerading - Multiple Internet Connections from a Single Firewall - Multiple Zones Through One Interface - My Shorewall Configuration - Netfilter Overview - Network Mapping - No firewalling of traffic between bridge port - One-to-one NAT - Operating Shorewall - OpenVPN - OpenVZ - Packet Marking - Packet Processing in a Shorewall-based Firewall - 'Ping' Management - Port Forwarding - Port Information - Port Knocking (deprecated) - Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match' - PPTP - Proxy ARP - QuickStart Guides - Release Model - Requirements - Routing and Shorewall - Routing on One Interface - Samba - Shared Shorewall/Shorewall6 Configuration - Shorewall Events - Shorewall Init - Shorewall Lite - Shorewall on a Laptop - Shorewall Perl - Shorewall Setup Guide - SMB - SNAT - Split DNS the Easy Way - Squid with Shorewall - Starting/stopping the Firewall - Static (one-to-one) NAT - Support - Tips and Hints - Traffic Shaping/QOS - Simple - Traffic Shaping/QOS - Complex - Transparent Proxy - UPnP - Upgrade Issues - Upgrading to Shorewall 4.4 (Upgrading Debian Lenny to Squeeze) - VPN - VPN Passthrough - White List Creation - Xen - Shorewall in a Bridged Xen DomU - Xen - Shorewall in Routed Xen Dom0

Top of Page