From: Eric Leblond <eric@inl.fr>
To: Luis Floreani <lucholaf@gmail.com>
Cc: netfilter-devel@lists.netfilter.org,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	"J. Federico Hernandez" <fede.hernandez@gmail.com>
Subject: Re: new match extension to implement port knocking in one
Date: Wed, 25 Oct 2006 08:31:10 +0200	[thread overview]
Message-ID: <1161757870.11648.9.camel@localhost> (raw)
In-Reply-To: <cd08d610610241621o12c67455rf0c3a7778f6b6f7f@mail.gmail.com>


Hi,

On Tuesday 24 October 2006 at 20:21 -0300, Luis Floreani wrote:
> On 10/23/06, Eric Leblond <eric@inl.fr> wrote:
> >
> > Let's say port knocking is 4138 2345 4577 to open port 22
> >
> > Then just do
> > iptables -A INPUT -p tcp -m multiport --dports 4138,2345,4577,22 -j QUEUE
> >
> > Your userspace application waits for packets coming from the queue, drops them
> > when they come from knocking ports (but stores the knock) and accepts
> > packets to port 22 if we just had a correct knocking sequence before.
> >
> > This is simple, does not use complex algorithms and should fit on all
> > small routers.
> >
> 
> The idea of having a userspace application receiving the queued
> packets from netfilter is much better than scanning firewall logs.
> 
> Actually, I see these issues in the userspace solution:
> 
> 1. (+) Could be safer to run the portknocking logic in userspace,
> rather than kernel.
> 2. It is not clear from an admin point of view that a portknocking
> system is running.
> 3. The port 22 traffic is suffering a small penalty because of
> travelling kernel->userspace->kernel before arriving at the service.

By just queuing the SYN packets you will introduce a ridiculous delay on
this first packet. The rest of the connection is handled by conntrack and
there is thus no difference.

> 4. There is not a single point of configuration, if you want to change
> the knock sequence for instance, you have to change the app and then
> the iptables rule.

All can be bundled in a single script. A cleaner way could be to use
ipset to specify the ports list and not to change the ruleset.

> 5. Question: is there a way to set two or more different queues, to
> avoid receiving in userspace packets from other rules with
> "-j QUEUE"?

No, you have to use NFQUEUE to do so (which comes with 2.6.14+). QUEUE is
limited to one queue.

BR,
-- 
Eric Leblond <eric@inl.fr>
INL
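The userspace side of the scheme discussed in this message, as an added example that is not code from the thread, from the netfilter project or from any participant: queue only the SYN packets for the knock ports and the protected port, always drop the knock packets while recording them per source, and accept a SYN to port 22 only for a source that just completed the sequence in order. The netfilter queue itself is simulated with plain tuples so the logic runs offline; the binding to a real NFQUEUE (for example through libnetfilter_queue) is left out. The knock sequence and port 22 come from the thread; the 10-second knock window, the 30-second open window, the packet field names and the sample traffic are assumptions made for this example.

```python
"""Verdict logic for a port-knocking daemon fed from a netfilter queue.

Matching ruleset (one rule, as suggested in the thread; --syn restricts
queuing to the first packet so conntrack handles the rest, and NFQUEUE
with a queue number keeps other "-j QUEUE" users out of our queue):

  iptables -A INPUT -p tcp --syn -m multiport \
      --dports 4138,2345,4577,22 -j NFQUEUE --queue-num 1
"""
from collections import namedtuple

KNOCK_SEQUENCE = (4138, 2345, 4577)   # from the thread
PROTECTED_PORT = 22                   # from the thread
KNOCK_WINDOW = 10.0   # seconds allowed to finish the sequence (assumption)
OPEN_WINDOW = 30.0    # seconds a completed knock stays valid (assumption)

# Verdicts as they would be handed back to the kernel.
ACCEPT = "NF_ACCEPT"
DROP = "NF_DROP"

# Simulated queued packet: only the fields the verdict logic needs.
Packet = namedtuple("Packet", "src dport syn ts")


class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, protected=PROTECTED_PORT,
                 knock_window=KNOCK_WINDOW, open_window=OPEN_WINDOW):
        self.sequence = tuple(sequence)
        self.protected = protected
        self.knock_window = knock_window
        self.open_window = open_window
        self.progress = {}   # src -> (index of next expected knock, ts of last knock)
        self.opened = {}     # src -> deadline until which SYNs to protected port pass

    def verdict(self, pkt):
        # With --syn in the rule, non-SYN packets never reach the queue and
        # conntrack carries the established flow; accept defensively anyway.
        if not pkt.syn:
            return ACCEPT
        if pkt.dport == self.protected:
            deadline = self.opened.get(pkt.src)
            if deadline is not None and pkt.ts <= deadline:
                return ACCEPT
            self.opened.pop(pkt.src, None)      # expired or never opened
            return DROP
        if pkt.dport in self.sequence:
            self._record_knock(pkt)
            return DROP                         # knocks always look closed
        return ACCEPT                           # not ours; leave it to the ruleset

    def _record_knock(self, pkt):
        idx, last = self.progress.get(pkt.src, (0, pkt.ts))
        if idx > 0 and pkt.ts - last > self.knock_window:
            idx = 0                             # too slow: start over
        if pkt.dport == self.sequence[idx]:
            idx += 1
        elif pkt.dport == self.sequence[0]:
            idx = 1                             # first knock again: restart
        else:
            idx = 0                             # out of order: reset (defeats scans)
        if idx == len(self.sequence):
            self.opened[pkt.src] = pkt.ts + self.open_window
            self.progress.pop(pkt.src, None)
        else:
            self.progress[pkt.src] = (idx, pkt.ts)


def run(daemon, packets):
    """Feed a packet list through the daemon and return the verdicts."""
    return [daemon.verdict(p) for p in packets]


# Constructed traffic, not a capture: a correct knock from 10.0.0.5, a
# scanner (10.0.0.9) hitting the knock ports in ascending order, a SYN
# to 22 without any knock, and a late SYN after the open window closed.
SAMPLE = [
    Packet("10.0.0.7", 22, True, 0.0),      # no knock -> DROP
    Packet("10.0.0.5", 4138, True, 1.0),    # knock 1 -> DROP
    Packet("10.0.0.5", 2345, True, 1.5),    # knock 2 -> DROP
    Packet("10.0.0.5", 4577, True, 2.0),    # knock 3 -> DROP, port opens
    Packet("10.0.0.5", 22, True, 2.5),      # -> ACCEPT
    Packet("10.0.0.5", 22, False, 2.6),     # ACK, conntrack's job -> ACCEPT
    Packet("10.0.0.9", 2345, True, 3.0),    # scan order 2345,4138,4577 is wrong
    Packet("10.0.0.9", 4138, True, 3.1),
    Packet("10.0.0.9", 4577, True, 3.2),
    Packet("10.0.0.9", 22, True, 3.3),      # -> DROP
    Packet("10.0.0.5", 22, True, 40.0),     # open window expired -> DROP
]

if __name__ == "__main__":
    for pkt, v in zip(SAMPLE, run(KnockDaemon(), SAMPLE)):
        print(pkt.src, pkt.dport, "SYN" if pkt.syn else "ACK", v)
```

Per-source state is what keeps a sequential port scan from opening the service: the scanner reaches 4577 with the wrong port before it, so its progress is reset. A real daemon would also need to expire idle entries in `progress` and `opened` to bound memory under a flood of knocks.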

