Port Knocking Multiple Ports With Shorewall

From Wiki of H. Kurth Bemis
  1. Install Shorewall
    sudo apt-get install shorewall
  2. Create an empty file in /etc/shorewall/actions.SSHKnock
  3. Add 'SSHKnock' to the /etc/shorewall/actions (creating it if it does not exist.)
  4. Add a line to your /etc/shorewall/rules file. It is important to note that the order of the ports is backwards here, starting with the final port and ending with the first to be knocked.
    SSHKnock         net               $FW            tcp         22,1500,2000
  5. And add the following in your /etc/shorewall/SSHKnock
<syntaxhighlight lang="perl">
use Shorewall::Chains;

if ( $level ) {
    # Log what the chain below will ACCEPT (port 22 after a completed knock)
    # and what it will DROP (everything else). The ACCEPT log match mirrors the
    # ACCEPT rule at the end of this file, so it checks KNOCK_2, not KNOCK_1.
    log_rule_limit( $level, $chainref, 'SSHKnock', 'ACCEPT', '', $tag, 'add',
                    '-p tcp --dport 22 -m recent --rcheck --seconds 60 --name KNOCK_2 ' );
    log_rule_limit( $level, $chainref, 'SSHKnock', 'DROP', '', $tag, 'add',
                    '-p tcp ! --dport 22 ' );
}

# Define a chain (with the name assigned by shorewall) containing the knock
# transition: a host that reaches it is moved from list KNOCK_1 to KNOCK_2.
my $knock_second    = 'KNOCK_2';
my $chainref_second = new_manual_chain($knock_second);
add_rule( $chainref_second, '-m recent --name KNOCK_1 --remove' );
add_rule( $chainref_second, '-m recent --name KNOCK_2 --set' );

# Refresh the timestamp of any source already listed in KNOCK_1.
add_rule( $chainref, '-m recent --update --name KNOCK_1' );
# First knock: port 2000 adds the source to KNOCK_1.
add_rule( $chainref, '-p tcp --dport 2000 -m recent --set --name KNOCK_1' );
# Second knock: port 1500 from a source in KNOCK_1 jumps to the KNOCK_2 chain above.
add_rule( $chainref, "-p tcp --dport 1500 -m recent --rcheck --name KNOCK_1 -j $chainref_second->{name}" );
# SSH is accepted for 60 seconds after the second knock.
add_rule( $chainref, '-p tcp --dport 22 -m recent --rcheck --seconds 60 --name KNOCK_2 -j ACCEPT' );

1;
</syntaxhighlight>
  6. Restart Shorewall and roll. On the client side I like to use a little script to help me connect without having to knock manually.
<syntaxhighlight lang="bash">
#!/bin/bash
# Send the knocks in the order the server expects: 2000 first, then 1500.
echo "Knocking first port"
/bin/nc -w 1 watchtower.kommun-it.org 2000
echo "Knocking second port"
/bin/nc -w 1 watchtower.kommun-it.org 1500
echo "Ready for SSH connections. You have 60 seconds"
</syntaxhighlight>
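To check what the action above actually does before rolling it out, here is an added Python model of the SSHKnock chain (not code from this wiki or from Shorewall): it replays the two iptables `recent` lists, KNOCK_1 and KNOCK_2, for a sequence of constructed packets and returns the verdict each would get. It assumes the net to $FW policy is DROP, so a packet that matches no rule in the action is dropped, and the sample address and timings are constructed.

```python
# Added model of the SSHKnock action: two iptables "recent" lists (KNOCK_1,
# KNOCK_2) keyed by source address, storing the last-seen time in seconds.
# Assumption: traffic that matches no rule falls through to a DROP policy.
from dataclasses import dataclass, field


@dataclass
class KnockState:
    lists: dict = field(default_factory=lambda: {"KNOCK_1": {}, "KNOCK_2": {}})

    def rcheck(self, name, src, now, seconds=None):
        """-m recent --rcheck [--seconds N]: listed, and recent enough if N given."""
        seen = self.lists[name].get(src)
        return seen is not None and (seconds is None or now - seen <= seconds)


def sshknock(state, src, dport, now):
    """Evaluate one TCP packet against the SSHKnock chain; return the verdict."""
    k1, k2 = state.lists["KNOCK_1"], state.lists["KNOCK_2"]
    # -m recent --update --name KNOCK_1: refresh the stamp of a listed source
    if src in k1:
        k1[src] = now
    # -p tcp --dport 2000 -m recent --set --name KNOCK_1: first knock
    if dport == 2000:
        k1[src] = now
    # -p tcp --dport 1500 -m recent --rcheck --name KNOCK_1 -j KNOCK_2 chain:
    # the manual chain removes the source from KNOCK_1 and sets it in KNOCK_2
    if dport == 1500 and state.rcheck("KNOCK_1", src, now):
        k1.pop(src, None)
        k2[src] = now
    # -p tcp --dport 22 -m recent --rcheck --seconds 60 --name KNOCK_2 -j ACCEPT
    if dport == 22 and state.rcheck("KNOCK_2", src, now, seconds=60):
        return "ACCEPT"
    return "DROP"  # no rule matched: falls through to the assumed DROP policy


def run_sequence(packets):
    """Replay (time, src, dport) tuples from a fresh state; return the verdicts."""
    state = KnockState()
    return [sshknock(state, src, dport, t) for t, src, dport in packets]


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed sample address
    print(run_sequence([(0, client, 2000), (1, client, 1500), (2, client, 22)]))
    # out-of-order knocks never reach KNOCK_2, so SSH stays closed
    print(run_sequence([(0, client, 1500), (1, client, 2000), (2, client, 22)]))
    # a completed knock expires: SSH 70 s after the second knock is dropped
    print(run_sequence([(0, client, 2000), (1, client, 1500), (71, client, 22)]))
```

The knock packets themselves are always dropped, which is why the client script waits with `nc -w 1` rather than expecting a connection.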