-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/14/11 03:00, Vlado Peshov wrote:
> On Wed, Apr 13, 2011 at 11:16 PM, brent timothy saner
> <[email protected] <mailto:[email protected]>> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello, all!
>
> I'm currently trying to implement sequential portknocking. I've already
> read through the thread in the archives[0], the Shorewall portknocking
> guide[1] (ipt_recent is enabled, etc.), and the Shorewall actions
> guide[2] (though, admittedly, a good portion of it went over my head).
> I can't seem to get sequential portknocking working. In other words, I
> want to have portA knocked to open portB, which will open portC, and
> when portC is knocked then 22/TCP will be opened. There are also two
> "trap ports" which close off 22/TCP, one below 22/TCP and one above the
> knocking ports, in an attempt to protect against portscanning.
>
> I've created the empty action.SSHKnock file, and these are the
> contents[3] of SSHKnock (scrubbed of the actual port numbers due to
> archival and security reasons). I also am only using two knock ports
> instead of three until I can figure out the general chain processing:
>
>
> Maybe this will help you:
>
> use Shorewall::Chains;
>
> if ( $level ) {
>     # Log rules mirror the matches of the real ACCEPT and DROP rules below,
>     # so the ACCEPT log rule checks the list the ACCEPT rule checks (KNOCK3)
>     log_rule_limit( $level,
>                     $chainref,
>                     'SSHKnock',
>                     'ACCEPT',
>                     '',
>                     $tag,
>                     'add',
>                     '-p tcp --dport 22 -m recent --rcheck --seconds 60 --name KNOCK3 ' );
>
>     log_rule_limit( $level,
>                     $chainref,
>                     'SSHKnock',
>                     'DROP',
>                     '',
>                     $tag,
>                     'add',
>                     '-p tcp ! --dport 22 ' );
> }
>
> # Define a chain (with the name assigned by shorewall) containing the knock
> my $name_knock_second = 'KNOCK2';
> my $chainref_second   = new_manual_chain( $name_knock_second );
> add_rule( $chainref_second, '-m recent --name KNOCK1 --remove' );
> add_rule( $chainref_second, '-m recent --name KNOCK2 --set' );
>
> # ... Here define as many knocks as you like
> my $name_knock_third = 'KNOCK3';
> my $chainref_third   = new_manual_chain( $name_knock_third );
> add_rule( $chainref_third, '-m recent --name KNOCK2 --remove' );
> add_rule( $chainref_third, '-m recent --name KNOCK3 --set' );
>
> # Once again, the first knock
> add_rule( $chainref, '-m recent --update --name KNOCK1' );
>
> # Define actions for knock
> add_rule( $chainref, '-p tcp --dport 1111 -m recent --set --name KNOCK1' );
> add_rule( $chainref, "-p tcp --dport 3333 -m recent --rcheck --name KNOCK1 -j $chainref_second->{name}" );
> add_rule( $chainref, "-p tcp --dport 2222 -m recent --rcheck --name KNOCK2 -j $chainref_third->{name}" );
>
> # Whoever completes the sequence will have access to the port for 60 seconds
> add_rule( $chainref, '-p tcp --dport 22 -m recent --rcheck --seconds 60 --name KNOCK3 -j ACCEPT' );
>
> 1;
>
> Regards,
> Vlado
Vlado,

I'll give this a shot; THANK YOU ahead of time whether it works or not. I
think this was just what I needed to get a swift start in the direction I
need to go. I think I just needed some template to put two and two
together. I'll let you know how it turns out. :)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2mq+4ACgkQ8u2Zh4MtlQq4GgCZAaOsdMexGiw57jYiqGI9q3Ju
wAgAn0TxQhpuUf1Pyz3Yj403cMiB9/ob
=VPv3
-----END PGP SIGNATURE-----

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
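Added example (not part of the thread, and not Shorewall or netfilter code): a small Python model of the xt_recent lists and of the SSHKnock action chain Vlado sketched, extended with the two "trap" ports brent described. It exists to make the chain processing visible: which rules only have a side effect on a recent list and fall through (no -j), which ones jump to a user chain that returns at its end, and why the 22/TCP ACCEPT only fires after the whole sequence within the 60-second window. All port numbers (1111, 3333, 2222 for the knocks, 20 and 4444 for the traps) are assumed placeholders, since the real ones were scrubbed from the post, and the addresses and timestamps fed to it are constructed test input.

```python
# Added example, not code from the thread or from Shorewall: a Python model of
# the xt_recent (ipt_recent) lists and of the SSHKnock action chain from the
# thread, plus the two "trap" ports. Port numbers are assumed placeholders;
# the source addresses and timestamps used below are constructed test input.

KNOCK = (1111, 3333, 2222)      # knock sequence, in the order Vlado's rules expect
TRAP_LOW, TRAP_HIGH = 20, 4444  # assumed trap ports: one below 22, one above the knocks
SSH, WINDOW = 22, 60            # port opened by the sequence, and for how long


class Recent:
    """Model of the kernel's recent lists: list name -> {src: last_seen}."""

    def __init__(self):
        self.lists = {}

    def match(self, op, name, src, now, seconds=None):
        entries = self.lists.setdefault(name, {})
        if op == "set":                     # --set always matches and (re)adds src
            entries[src] = now
            return True
        last = entries.get(src)
        if last is None:                    # --rcheck/--update/--remove need an entry
            return False
        if seconds is not None and now - last > seconds:
            return False                    # --seconds N: entry too old to match
        if op == "update":                  # --update also refreshes the timestamp
            entries[src] = now
        elif op == "remove":                # --remove matches and deletes the entry
            del entries[src]
        return True                         # --rcheck: check only


# Rules are (dport or None for any, recent op, list name, --seconds, target).
# A target of None means "no -j": the rule only has its recent side effect
# and evaluation falls through, as in the add_rule() calls in the thread.
CHAINS = {
    "SSHKnock": [
        (None, "update", "KNOCK1", None, None),          # keep KNOCK1 fresh on any packet
        (TRAP_LOW, None, None, None, "TRAP"),             # trap ports reset the sequence
        (TRAP_HIGH, None, None, None, "TRAP"),
        (KNOCK[0], "set", "KNOCK1", None, None),          # first knock
        (KNOCK[1], "rcheck", "KNOCK1", None, "KNOCK2"),   # second, only after the first
        (KNOCK[2], "rcheck", "KNOCK2", None, "KNOCK3"),   # third, only after the second
        (SSH, "rcheck", "KNOCK3", WINDOW, "ACCEPT"),      # open 22 for WINDOW seconds
    ],
    "KNOCK2": [(None, "remove", "KNOCK1", None, None), (None, "set", "KNOCK2", None, None)],
    "KNOCK3": [(None, "remove", "KNOCK2", None, None), (None, "set", "KNOCK3", None, None)],
    "TRAP": [(None, "remove", n, None, None) for n in ("KNOCK1", "KNOCK2", "KNOCK3")],
}


def evaluate(recent, chain, src, dport, now):
    """Walk a chain as netfilter does: the first terminal verdict wins, rules
    without a target fall through, and a user chain returns None at its end."""
    for rule_dport, op, name, seconds, target in CHAINS[chain]:
        if rule_dport is not None and rule_dport != dport:
            continue
        if op is not None and not recent.match(op, name, src, now, seconds):
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        if target is not None:                 # -j to a user chain
            verdict = evaluate(recent, target, src, dport, now)
            if verdict is not None:
                return verdict
    return None


def run(packets, policy="DROP"):
    """packets: iterable of (src, dport, time). Returns the verdict per packet;
    anything the action does not ACCEPT falls to the assumed DROP policy."""
    recent, verdicts = Recent(), []
    for src, dport, now in packets:
        verdicts.append(evaluate(recent, "SSHKnock", src, dport, now) or policy)
    return verdicts


def ssh_allowed(ports, src="198.51.100.7", step=1):
    """Send the ports one per `step` seconds, then try 22; True if 22 is accepted."""
    packets = [(src, p, i * step) for i, p in enumerate(ports)]
    packets.append((src, SSH, len(ports) * step))
    return run(packets)[-1] == "ACCEPT"


if __name__ == "__main__":
    print("in order:       ", ssh_allowed(KNOCK))
    print("wrong order:    ", ssh_allowed((1111, 2222, 3333)))
    print("then trap port: ", ssh_allowed(KNOCK + (TRAP_HIGH,)))
    print("ascending scan: ", ssh_allowed(sorted(KNOCK + (TRAP_LOW, TRAP_HIGH, SSH))))
    print("too slow (61s): ", ssh_allowed(KNOCK, step=61))
```

Two points the model makes visible. First, the knock packets themselves are never accepted: each one only mutates a recent list and then falls out of the action to the (assumed) DROP policy, which is what you want. Second, a linear port scan in either direction cannot open 22/TCP here even without the traps, because the sequence is not monotonic, but the trap port still matters against an attacker who replays a partially observed sequence and then probes further; it wipes all three lists, so the full sequence has to be repeated from the start.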
