> cat /etc/sysconfig/iptables
*filter
...
# Port-knock state machine: a source address must send UDP to 1111, then 2222,
# then 3333 (with no other traffic from that source in between) before a single
# TCP connection attempt to the ssh port is ACCEPTed. The knock sequence travels
# in clear and only gates reachability; SSH's own authentication still applies.
#
# Rules to dispatch between port knock state machine states
# INSTEP1 to INSTEP3 are (arbitrary) names of address lists
# (xt_recent lists; --rcheck tests membership without refreshing the entry).
# The most-advanced list is checked first, so a source already in INSTEP3 is
# not also dispatched as INSTEP1.
# NOTE(review): --rcheck is used without --seconds, so a partially completed
# sequence never times out; entries stay until evicted from the list. Adding
# --seconds to these three rules would make stale partial sequences expire.
-A INPUT -m recent --name INSTEP3 --rcheck -j STEP3
-A INPUT -m recent --name INSTEP2 --rcheck -j STEP2
-A INPUT -m recent --name INSTEP1 --rcheck -j STEP1
# Every other packet that reaches this point is handled by STEP0, which REJECTs.
# NOTE(review): the "..." above elides earlier rules; an ESTABLISHED,RELATED
# accept rule must precede these for the later packets of an accepted SSH
# session to get through, since STEP3 accepts only the triggering packet —
# confirm it is present in the elided part.
-A INPUT -j STEP0
# Machine state STEP0
# Jump to STEP1 if first knock comes, otherwise discard and stay in STEP0
# The knock packet itself is still REJECTed, so a knock port looks closed
# to the sender; only the list membership changes.
-A STEP0 -p udp --dport 1111 -m recent --name INSTEP1 --set -j REJECT
-A STEP0 -j REJECT
# Machine state STEP1
# Jump to STEP2 if second knock comes, otherwise jump to STEP0
# The --remove rule matches every packet, so any traffic from the source other
# than the next knock resets it to STEP0 (guards against a stray hit on 2222
# being counted later).
-A STEP1 -m recent --name INSTEP1 --remove
-A STEP1 -p udp --dport 2222 -m recent --name INSTEP2 --set -j REJECT
-A STEP1 -j STEP0
# Machine state STEP2
# Jump to STEP3 if third knock comes, otherwise jump to STEP0
-A STEP2 -m recent --name INSTEP2 --remove
-A STEP2 -p udp --dport 3333 -m recent --name INSTEP3 --set -j REJECT
-A STEP2 -j STEP0
# Machine state STEP3
# Accept one SSH connection attempt, otherwise jump to STEP0
# The source is removed from INSTEP3 before the ACCEPT, so exactly one packet
# (the one that triggered this chain) is accepted; anything else from the
# source afterwards starts again at STEP0.
-A STEP3 -m recent --name INSTEP3 --remove
-A STEP3 -p tcp --dport ssh -j ACCEPT
-A STEP3 -j STEP0
COMMIT
Example adjusted from literature, see references.