% rpmbuild --rebuild knock-0.5-4.src.rpm
% cd /usr/src/redhat/RPMS/i386/
% rpm -i knock-0.5-4.i386.rpm
I tried a single port knock and it didn't work for me. It turns out that the state machine implemented expects at least 2 packets to match, while in this example I want a knock on port 7000 to allow me to open the protected_port. I had to configure /etc/knockd.conf with 7000 listed twice in the sequence.
# <protected_port> is a placeholder: replace it with the TCP port of the service being protected
[ProtectSvc]
sequence = 7000,7000
seq_timeout = 15
tcpflags = syn
start_command = /sbin/iptables -A INPUT -i eth0 -s %IP% -p tcp -m tcp --dport <protected_port> -m state --state NEW -j ACCEPT
cmd_timeout = 30
stop_command = /sbin/iptables -D INPUT -i eth0 -s %IP% -p tcp -m tcp --dport <protected_port> -m state --state NEW -j ACCEPT
Now if I telnet to port 7000, then after 2 SYN packets the start_command executes, adding the iptables rule and leaving me with a 30 second window to connect to the service running on the protected_port. After 30 seconds the stop_command executes, closing the window. I needed to have the following rule in my iptables:
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
to allow established connections to continue even though the stop_command removed the rule from iptables.
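To make the timing behaviour above concrete, here is a small model of the knockd sequence tracking described in this post. It is an added example written for this page, not knockd's own code: it models one client IP at a time progressing through `sequence`, resetting when `seq_timeout` expires, and holding the `start_command` window open for `cmd_timeout` seconds, plus a minimal stand-in for conntrack so the RELATED,ESTABLISHED caveat is visible. The class and function names (`KnockRule`, `Knocker`, `demo`) and the IP addresses are assumptions constructed for the example; the 7000,7000 / 15 / 30 values are the ones from the configuration above.

```python
"""Toy model of the knockd behaviour described on this page (added example, not knockd code)."""
from dataclasses import dataclass, field


@dataclass
class KnockRule:
    name: str
    sequence: list          # knock ports in order, e.g. [7000, 7000]
    seq_timeout: float      # seconds allowed to complete the whole sequence
    cmd_timeout: float      # seconds the start_command rule stays in place


@dataclass
class Knocker:
    rule: KnockRule
    # per-source-IP progress: (index of the next expected port, time of the first knock)
    progress: dict = field(default_factory=dict)
    # source IP -> time at which stop_command removes the iptables rule
    open_until: dict = field(default_factory=dict)
    # stand-in for the conntrack table matched by --state RELATED,ESTABLISHED
    established: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def _expire(self, now):
        """Run stop_command for every window whose cmd_timeout has elapsed."""
        for ip, until in list(self.open_until.items()):
            if now >= until:
                del self.open_until[ip]
                self.log.append(f"{now}: stop_command for {ip}")

    def syn(self, src_ip, dport, now):
        """Feed one TCP SYN seen on the interface. Returns True when the sequence completes."""
        self._expire(now)
        idx, started = self.progress.get(src_ip, (0, now))
        if idx > 0 and now - started > self.rule.seq_timeout:
            idx, started = 0, now           # too slow: start the sequence over
        if dport != self.rule.sequence[idx]:
            self.progress.pop(src_ip, None)  # wrong port: forget this client's progress
            return False
        idx += 1
        if idx < len(self.rule.sequence):
            self.progress[src_ip] = (idx, started)   # more knocks still required
            return False
        # sequence complete: start_command adds the per-IP ACCEPT rule
        self.progress.pop(src_ip, None)
        self.open_until[src_ip] = now + self.rule.cmd_timeout
        self.log.append(f"{now}: start_command for {src_ip}")
        return True

    def allowed(self, src_ip, now):
        """Would a NEW connection from src_ip pass the start_command rule at time now?"""
        self._expire(now)
        return src_ip in self.open_until

    def connect(self, src_ip, now):
        """A NEW connection: accepted only inside the window; once accepted it is tracked."""
        if not self.allowed(src_ip, now):
            return None
        conn = (src_ip, now)
        self.established.add(conn)
        return conn

    def packet_on_connection(self, conn, now):
        """Later packets match RELATED,ESTABLISHED regardless of whether the window is still open."""
        self._expire(now)
        return conn in self.established


def demo():
    """Walk through the scenario from the post: two knocks, a 30 s window, then closure."""
    rule = KnockRule("ProtectSvc", [7000, 7000], seq_timeout=15, cmd_timeout=30)
    k = Knocker(rule)
    client = "203.0.113.5"                      # constructed example address
    first = k.syn(client, 7000, now=0)          # one SYN is not enough
    second = k.syn(client, 7000, now=1)         # second SYN completes the sequence
    conn = k.connect(client, now=10)            # NEW connection inside the window
    after_close = k.allowed(client, now=31)     # stop_command has run: NEW is refused
    still_up = k.packet_on_connection(conn, now=40)  # but the old connection survives
    return first, second, conn is not None, after_close, still_up


if __name__ == "__main__":
    print(demo())   # (False, True, True, False, True)
```

The last two values in `demo()` are the point of the ESTABLISHED rule: with only the per-IP NEW rule, a connection opened at t=10 would lose its packets once the stop_command ran at t=31; the conntrack match keeps it alive while still refusing fresh connections.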