new match extension to implement port knocking in one rule

All of lore.kernel.org
 help / color / mirror / Atom feed

* new match extension to implement port knocking in one rule
@ 2006-10-11  3:40 federikkom
  2006-10-11  5:33 ` Rennie deGraaf
  0 siblings, 1 reply; 2+ messages in thread
From: federikkom @ 2006-10-11  3:40 UTC (permalink / raw)
  To: netfilter-devel

Hi everybody, we have been working in a netfilter extension to implement port knocking in a easy way. The idea is to set everything in just one iptables rule:

for instance, if you want port knocking to allow SSH connections:

(1) the quick and easy way:

$ iptables -A INPUT -m state --state NEW -m pknock --name SSH --knockports 2002,2001,2004 -p tcp --dport 22 -j ACCEPT

after "knocking" ports 2002, 2001 and 2004 in sequence, you are allowed to connect to port 22.

We are also working in a more secure way to "knock" using hmacs:

(2) the more secure way: you knock with a UDP packet, payload containing an hmac (see the README.txt for more details)

$ iptables -A INPUT -m state --state NEW -m pknock --name SSH --knockports 2000 --opensecret <your_opensecret> --closesecret <your_closesecret> -p udp -j DROP

$ iptables -A INPUT -m state --state NEW -m pknock --name SSH --checkip -p tcp --dport 22 -j ACCEPT

The project is hosted at berlios:

http://developer.berlios.de/projects/portknocko/

and you can check the source code out here:

svn checkout svn://svn.berlios.de/portknocko/trunk

hope you like the idea!

any feedback is welcome!

regards,

Luis Aquiles Floreani and J. Federico Hernandez

__________________________________________________
Preguntá. Respondé. Descubrí.
Todo lo que querías saber, y lo que ni imaginabas,
está en Yahoo! Respuestas (Beta).
¡Probalo ya! 
http://www.yahoo.com.ar/respuestas

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: new match extension to implement port knocking in one rule
  2006-10-11  3:40 new match extension to implement port knocking in one rule federikkom
@ 2006-10-11  5:33 ` Rennie deGraaf
  0 siblings, 0 replies; 2+ messages in thread
From: Rennie deGraaf @ 2006-10-11  5:33 UTC (permalink / raw)
  To: federikkom; +Cc: netfilter-devel

[-- Attachment #1: Type: text/plain, Size: 553 bytes --]

federikkom wrote:
> Hi everybody, we have been working in a netfilter extension to implement port knocking in a easy way. The idea is to set everything in just one iptables rule:
> 

<snip>

If you're interested in port knocking, you might want to read this
paper:  http://www.acsac.org/2005/abstracts/156.html  It covers security
issues relating to port knocking in detail, and presents an architecture
 for solving most of them.

Full disclosure:  I wrote that paper.  Feel free to contact me if you
have questions.

Rennie deGraaf



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2006-10-11  5:33 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-10-11  3:40 new match extension to implement port knocking in one rule federikkom
2006-10-11  5:33 ` Rennie deGraaf

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.