On Wed, Apr 13, 2011 at 11:16 PM, brent timothy saner <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello, all!
>
> I'm currently trying to implement sequential port knocking.
> I've already read through the thread in the archives[0], the Shorewall
> port-knocking guide[1] (ipt_recent is enabled, etc.), and the Shorewall
> actions guide[2] (though, admittedly, a good portion of it went over my
> head). I can't seem to get sequential port knocking working. In other
> words, I want to have portA knocked to open portB, which will open
> portC, and when portC is knocked then 22/TCP will be opened. There are
> also two "trap ports" which close off 22/TCP, one below 22/TCP and one
> above the knocking ports, in an attempt to protect against port scanning.
>
> I've created the empty action.SSHKnock file, and these are the
> contents[3] of SSHKnock (scrubbed of the actual port numbers for
> archival and security reasons). I am also only using two knock ports
> instead of three until I can figure out the general chain processing:
>
Maybe this will help you:
use Shorewall::Chains;

# Optional logging, only when the action is invoked with a log level:
# log the final ACCEPT (same match as the ACCEPT rule below, i.e. a source
# that has reached list KNOCK3) and the DROP of non-22 traffic.
if ( $level ) {
    log_rule_limit( $level,
                    $chainref,
                    'SSHKnock',
                    'ACCEPT',
                    '',
                    $tag,
                    'add',
                    '-p tcp --dport 22 -m recent --rcheck --seconds 60 --name KNOCK3 '
                  );
    log_rule_limit( $level,
                    $chainref,
                    'SSHKnock',
                    'DROP',
                    '',
                    $tag,
                    'add',
                    '-p tcp ! --dport 22 ' );
}

# Define a chain (with the name assigned by Shorewall) for the second knock:
# it moves the source address from list KNOCK1 to list KNOCK2.
my $name_knock_second = 'KNOCK2';
my $chainref_second   = new_manual_chain( $name_knock_second );
add_rule( $chainref_second, '-m recent --name KNOCK1 --remove' );
add_rule( $chainref_second, '-m recent --name KNOCK2 --set' );

# ... Here define as many knocks as you like (third knock: KNOCK2 -> KNOCK3)
my $name_knock_third = 'KNOCK3';
my $chainref_third   = new_manual_chain( $name_knock_third );
add_rule( $chainref_third, '-m recent --name KNOCK2 --remove' );
add_rule( $chainref_third, '-m recent --name KNOCK3 --set' );

# Once again, the first knock: refresh the KNOCK1 timestamp of a source that
# is already in that list (no target, so the packet continues down the chain).
add_rule( $chainref, '-m recent --update --name KNOCK1' );

# Define actions for the knocks: 1111 starts the sequence, 3333 is honoured
# only for sources already in KNOCK1, 2222 only for sources already in KNOCK2.
add_rule( $chainref, '-p tcp --dport 1111 -m recent --set --name KNOCK1' );
add_rule( $chainref, "-p tcp --dport 3333 -m recent --rcheck --name KNOCK1 -j $chainref_second->{name}" );
add_rule( $chainref, "-p tcp --dport 2222 -m recent --rcheck --name KNOCK2 -j $chainref_third->{name}" );

# Whoever completes the sequence has access to the port for 60 seconds
add_rule( $chainref, '-p tcp --dport 22 -m recent --rcheck --seconds 60 --name KNOCK3 -j ACCEPT' );

1;
Regards,
Vlado
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
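As an added example that is not part of the thread and is neither Vlado's action file nor Shorewall code: the same three-stage knock written as plain iptables commands, with the two trap ports the original question asked for (one below 22/tcp, one above the knock ports). The chain name SSHKNOCK, all port numbers and both time windows are assumed placeholders. By default IPTABLES expands to "echo iptables", so running the script only prints the rule set for review; set IPTABLES=iptables (as root) to apply it, and have INPUT jump to SSHKNOCK for -p tcp.

```shell
#!/bin/sh
# Added example (not from the thread): sequential knock plus trap ports as
# plain iptables rules.  All ports, windows and chain names are placeholders.
# Default IPTABLES only prints the rules; IPTABLES=iptables applies them.

IPTABLES="${IPTABLES:-echo iptables}"
CHAIN=SSHKNOCK        # assumed chain name; INPUT must jump here for -p tcp
KNOCK1=1111           # first knock port  (placeholder)
KNOCK2=3333           # second knock port (placeholder)
KNOCK3=2222           # third knock port  (placeholder)
TRAP_LOW=21           # trap port below 22/tcp (placeholder)
TRAP_HIGH=4444        # trap port above the knock ports (placeholder)
STEP_WINDOW=10        # seconds allowed between consecutive knocks
OPEN_WINDOW=60        # seconds 22/tcp stays open after the third knock

# Subchain that drops the source from every knock list.  A "-m recent
# --remove" rule without a target only edits the list and falls through,
# so all three lists are cleared before the final DROP.
knock_reset_chain() {
    $IPTABLES -N KNOCK_RESET
    $IPTABLES -A KNOCK_RESET -m recent --name KNOCK1 --remove
    $IPTABLES -A KNOCK_RESET -m recent --name KNOCK2 --remove
    $IPTABLES -A KNOCK_RESET -m recent --name KNOCK3 --remove
    $IPTABLES -A KNOCK_RESET -j DROP
}

# Stage subchain $1: move the source from list $2 to list $3, then drop the
# knock packet so the knock port still looks closed to the sender.
knock_stage_chain() {
    $IPTABLES -N "$1"
    $IPTABLES -A "$1" -m recent --name "$2" --remove
    $IPTABLES -A "$1" -m recent --name "$3" --set
    $IPTABLES -A "$1" -j DROP
}

knock_rules() {
    knock_reset_chain
    knock_stage_chain KNOCK_STAGE2 KNOCK1 KNOCK2
    knock_stage_chain KNOCK_STAGE3 KNOCK2 KNOCK3

    $IPTABLES -N "$CHAIN"
    # 1. Trap ports first: a scanner that touches the port just below 22,
    #    or sweeps upward past the knock ports, loses all knock state.
    $IPTABLES -A "$CHAIN" -p tcp --dport "$TRAP_LOW"  -j KNOCK_RESET
    $IPTABLES -A "$CHAIN" -p tcp --dport "$TRAP_HIGH" -j KNOCK_RESET
    # 2. Completed sequence: 22/tcp is open for OPEN_WINDOW seconds after the
    #    third knock.  --rcheck does not refresh the timestamp, so extra SYNs
    #    to 22 do not extend the window; only a fresh sequence does.
    $IPTABLES -A "$CHAIN" -p tcp --dport 22 \
        -m recent --rcheck --seconds "$OPEN_WINDOW" --name KNOCK3 -j ACCEPT
    # 3. The sequence.  Each later knock is honoured only if the previous
    #    list was hit within STEP_WINDOW seconds; an out-of-order knock
    #    matches nothing here and falls through to the final DROP.
    $IPTABLES -A "$CHAIN" -p tcp --dport "$KNOCK1" \
        -m recent --name KNOCK1 --set -j DROP
    $IPTABLES -A "$CHAIN" -p tcp --dport "$KNOCK2" \
        -m recent --rcheck --seconds "$STEP_WINDOW" --name KNOCK1 -j KNOCK_STAGE2
    $IPTABLES -A "$CHAIN" -p tcp --dport "$KNOCK3" \
        -m recent --rcheck --seconds "$STEP_WINDOW" --name KNOCK2 -j KNOCK_STAGE3
    # 4. Anything else aimed at 22/tcp or a knock port is dropped.
    $IPTABLES -A "$CHAIN" -p tcp -m multiport \
        --dports 22,"$KNOCK1","$KNOCK2","$KNOCK3" -j DROP
}

knock_rules
```

Two caveats for Shorewall users: Shorewall rebuilds the rule set on restart, so under Shorewall these rules belong in the action file (as in Vlado's Perl above) rather than in a side script; and the recent lists are keyed by source address, so every client behind one NAT gateway shares a single knock state, and one of them hitting a trap port resets the others.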