Hi,
Unless you are doing this to learn Shorewall's internals, such an approach
doesn't sound to me like the best one. There are daemons available for Linux
which implement port-knocking with libpcap, completely bypassing iptables. I
believe this solution would be more convenient to deploy.
Robert Kawecki
----- Reply message -----
From: "brent timothy saner" <[email protected]>
To: <[email protected]>
Subject: [Shorewall-users] Extended Portknocking
Date: Wed, Apr 13, 2011 23:16
Hello, all!
I'm currently trying to implement sequential portknocking.
I've already read through the thread in the archives[0], the Shorewall
portknocking guide[1] (ipt_recent is enabled, etc.), and the Shorewall
actions guide[2] (though, admittedly, a good portion of it went over my
head). I can't seem to get sequential portknocking working; in other
words, I want to have portA knocked to open portB, which will open
portC, and when portC is knocked then 22/TCP will be opened. There are
also two "trap ports" which close off 22/TCP, one below 22/TCP and one
above the knocking ports, in an attempt to protect against portscanning.
I've created the empty action.SSHKnock file, and these are the
contents[3] of SSHKnock (scrubbed of the actual port numbers due to
archival and security reasons). I am also only using two knock ports
instead of three until I can figure out the general chain processing:
use Shorewall::Chains;

# Optional logging: when the action is invoked with a log level, log what the
# 22/TCP rule would accept and everything aimed at a port other than 22.
if ( $level ) {
    log_rule_limit( $level, $chainref, 'SSHKnock', 'ACCEPT', '', $tag, 'add',
                    '-p tcp --dport 22 -m recent --rcheck --name SSH ' );
    log_rule_limit( $level, $chainref, 'SSHKnock', 'DROP', '', $tag, 'add',
                    '-p tcp --dport ! 22 ' );
}

# $port1, $port2, $trap1 and $trap2 stand in for the real (scrubbed) port numbers.
# Knock ports: accept if the source is already in the matching list and was seen within 3 s.
add_rule( $chainref, '-p tcp --dport $port1 -m recent --rcheck --seconds 3 --name SSH1 -j ACCEPT' );
add_rule( $chainref, '-p tcp --dport $port2 -m recent --rcheck --seconds 3 --name SSH2 -j ACCEPT' );
# 22/TCP: accept only if the source is in the SSH list and was seen within 15 s.
add_rule( $chainref, '-p tcp --dport 22 -m recent --rcheck --seconds 15 --name SSH -j ACCEPT' );
# Trap ports: remove the source from the SSH list and drop the packet.
add_rule( $chainref, '-p tcp --dport $trap1 -m recent --name SSH --remove -j DROP' );
add_rule( $chainref, '-p tcp --dport $trap2 -m recent --name SSH --remove -j DROP' );
# Packets to a knock port that did not match above: record the source in that port's list, then drop.
add_rule( $chainref, '-p tcp --dport $port1 -m recent --name SSH1 --set -j DROP' );
add_rule( $chainref, '-p tcp --dport $port2 -m recent --name SSH2 --set -j DROP' );

1;
[0] https://mail.shorewall.net/pipermail/shorewall-users/2004-August/013958.html and associated
[1] http://www.shorewall.net/PortKnocking.html
[2] http://www.shorewall.net/Actions.html
[3] My mail client may have mangled the contents; all the "add_rule"
lines are on one line each.
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
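To see how the posted rule order behaves, and how an order that actually chains the knocks differs, here is an added example that is not code from the thread or from Shorewall: a small Python model of the iptables `recent` match and first-match chain traversal, replaying knock sequences through both rule sets. The port numbers 7000/8000/9000 and the `SEQUENTIAL` ordering are constructed assumptions.

```python
# Added example, not code from the thread: a small model of the iptables
# `recent` match plus first-match chain traversal, used to replay a knock
# sequence against a rule set and see whether 22/TCP ends up ACCEPTed.
# Ports 7000/8000/9000 are constructed stand-ins for the scrubbed $port1/$port2/$trap1.

def rule(dport, target, check=None, set_=None, remove=None, negate=False):
    """check=(list, seconds) models --rcheck --seconds; set_/remove model --set/--remove."""
    return dict(dport=dport, target=target, check=check, set_=set_, remove=remove, negate=negate)

class Chain:
    def __init__(self, rules):
        self.rules, self.lists = rules, {}   # lists: recent list name -> {src: last_seen}

    def packet(self, src, dport, now):
        for r in self.rules:
            if (dport == r["dport"]) == r["negate"]:
                continue                                  # --dport (or --dport !) not matched
            if r["check"]:
                name, secs = r["check"]
                seen = self.lists.get(name, {}).get(src)
                if seen is None or now - seen > secs:
                    continue                              # --rcheck: absent or older than --seconds
            if r["remove"] and self.lists.get(r["remove"], {}).pop(src, None) is None:
                continue                                  # --remove only matches if src is listed
            if r["set_"]:
                self.lists.setdefault(r["set_"], {})[src] = now   # --set always matches
            return r["target"]
        return "DROP"                                     # nothing matched: chain policy

P1, P2, TRAP = 7000, 8000, 9000

# Order as posted: the SSH list consulted by the port-22 rule is never --set by
# any rule, so a knock on port1 then port2 can never open 22/TCP.
POSTED = [rule(P1, "ACCEPT", check=("SSH1", 3)), rule(P2, "ACCEPT", check=("SSH2", 3)),
          rule(22, "ACCEPT", check=("SSH", 15)), rule(TRAP, "DROP", remove="SSH"),
          rule(P1, "DROP", set_="SSH1"), rule(P2, "DROP", set_="SSH2")]

# Sequential variant (assumed): a knock is recorded only while the previous one is
# fresh (one rule carrying two `-m recent` matches: --rcheck the old list, --set the next).
SEQUENTIAL = [rule(22, "ACCEPT", check=("SSH", 15)), rule(TRAP, "DROP", remove="SSH"),
              rule(P1, "DROP", set_="SSH1"),
              rule(P2, "DROP", check=("SSH1", 3), set_="SSH")]

def replay(rules, sequence, src="192.0.2.10"):
    """Run [(dport, t), ...] from one source through a fresh chain; return the last verdict."""
    chain = Chain(rules)
    return [chain.packet(src, dport, t) for dport, t in sequence][-1]
```

`replay(POSTED, [(P1, 0), (P2, 1), (22, 2)])` yields DROP, while the same knocks against `SEQUENTIAL` yield ACCEPT; a stale first knock, a trap-port hit or the wrong order all leave 22/TCP closed.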