August 29, 2014

An Easy Tutorial on IP Tables and Port Knocking - page 2

Basic Preparation

  • February 4, 2008
  • By Matt Waldo

Now to secure your firewall. The YaST2 firewall is very nice except for one part: there are two types of packets that aren't treated the same way as all the others. For every other packet, if the port it's sent to is closed, the firewall just eats it. To an attacker it looks like the packets didn't hit anything, so there is no computer there.

For ICMP type 8 and IDENT packets, however, the firewall sends a response saying the port is closed, which tells the sender that someone is here and invites them to start attacking. To make the firewall treat those packets like any other, you need to add rules to the IP tables. Open a console, su - into root, cd into /etc/sysconfig/scripts, and open SuSEfirewall2-custom in a text editor. Then copy and paste the following into the fw_custom_after_antispoofing() section of the file.

###################################################
#
# Start
# Rules to make the host invisible on the Internet
#
###################################################

# Setup new chain
iptables -N INVISIBLE

# Drop incoming ICMP packets
# (Note: uses the $FW_DEV_EXT variable set up in the main SuSEfirewall2 script)

iptables -A INVISIBLE -p icmp -i $FW_DEV_EXT -m state --state NEW -m icmp --icmp-type 8 -j DROP

# Drop identd packets from unknown hosts
iptables -A INVISIBLE -p tcp --dport 113 -m state --state NEW -j DROP

# Send the packets I want to examine further to my INVISIBLE chain
iptables -A INPUT -p icmp -i $FW_DEV_EXT -m state --state NEW -j INVISIBLE
iptables -A INPUT -p tcp --dport 113 -j INVISIBLE
###################################################
#
# End
# Rules to make the host invisible on the Internet
#
###################################################

While you're at it, copy this as well and put it directly under the previous block:

###################################################
#
# Start Port Knocking Configuration
#
###################################################

# Enter the 4 ports used as the port knocking combination
TOKEN1="10"
TOKEN2="20"
TOKEN3="30"
TOKEN4="40"

# Enter the port to open after a successful knock
OPENPORT="22"

# Enter the number of seconds the port will remain open waiting for you to connect
OPENTIMER="10"

iptables -N TOKEN1CHAIN
iptables -A TOKEN1CHAIN -m recent --name TOKEN1A --remove
iptables -A TOKEN1CHAIN -m recent --name TOKEN2A --remove
iptables -A TOKEN1CHAIN -m recent --name TOKEN3A --remove
iptables -A TOKEN1CHAIN -m recent --name TOKEN4A --remove
iptables -A TOKEN1CHAIN -m recent --name TOKEN1A --set
iptables -A TOKEN1CHAIN -m recent --name TOKEN1B --set
iptables -A TOKEN1CHAIN -j LOG --log-prefix "TOKEN1 Received: "
iptables -N PRE-TOKEN2CHAIN
iptables -A PRE-TOKEN2CHAIN -p tcp --dport $TOKEN2 -m recent --rcheck --name TOKEN1A -j RETURN
iptables -A PRE-TOKEN2CHAIN -p tcp --dport $TOKEN1 -m recent --name TOKEN1B --remove -j RETURN
iptables -A PRE-TOKEN2CHAIN -m recent --name TOKEN1A --remove
iptables -A PRE-TOKEN2CHAIN -j LOG --log-prefix "VIOLATION AFTER TOKEN1: "
iptables -N TOKEN2CHAIN
iptables -A TOKEN2CHAIN -m recent --name TOKEN1A --remove
iptables -A TOKEN2CHAIN -m recent --name TOKEN2A --set
iptables -A TOKEN2CHAIN -m recent --name TOKEN2B --set
iptables -A TOKEN2CHAIN -j LOG --log-prefix "TOKEN2 Received: "
iptables -N PRE-TOKEN3CHAIN
iptables -A PRE-TOKEN3CHAIN -p tcp --dport $TOKEN3 -m recent --rcheck --name TOKEN2A -j RETURN
iptables -A PRE-TOKEN3CHAIN -p tcp --dport $TOKEN2 -m recent --name TOKEN2B --remove -j RETURN
iptables -A PRE-TOKEN3CHAIN -m recent --name TOKEN2A --remove
iptables -A PRE-TOKEN3CHAIN -j LOG --log-prefix "VIOLATION AFTER TOKEN2: "
iptables -N TOKEN3CHAIN
iptables -A TOKEN3CHAIN -m recent --name TOKEN2A --remove
iptables -A TOKEN3CHAIN -m recent --name TOKEN3A --set
iptables -A TOKEN3CHAIN -m recent --name TOKEN3B --set
iptables -A TOKEN3CHAIN -j LOG --log-prefix "TOKEN3 Received: "
iptables -N PRE-TOKEN4CHAIN
iptables -A PRE-TOKEN4CHAIN -p tcp --dport $TOKEN4 -m recent --rcheck --name TOKEN3A -j RETURN
iptables -A PRE-TOKEN4CHAIN -p tcp --dport $TOKEN3 -m recent --name TOKEN3B --remove -j RETURN
iptables -A PRE-TOKEN4CHAIN -m recent --name TOKEN3A --remove
iptables -A PRE-TOKEN4CHAIN -j LOG --log-prefix "VIOLATION AFTER TOKEN3: "
iptables -N TOKEN4CHAIN
iptables -A TOKEN4CHAIN -m recent --name TOKEN3A --remove
iptables -A TOKEN4CHAIN -m recent --name TOKEN4A --set
iptables -A TOKEN4CHAIN -m recent --name TOKEN4B --set
iptables -A TOKEN4CHAIN -m recent --name TOKEN4C --set
iptables -A TOKEN4CHAIN -j LOG --log-prefix "TOKEN4 Received: "
iptables -N PRE-OPENPORT
iptables -A PRE-OPENPORT -p tcp --dport $OPENPORT -m recent --rcheck --name TOKEN4C -j LOG --log-prefix "TOKEN OK: "
iptables -A PRE-OPENPORT -p tcp --dport $OPENPORT -m recent --name TOKEN4C --remove
iptables -A PRE-OPENPORT -p tcp --dport $OPENPORT -m recent --rcheck --name TOKEN4A -j RETURN
iptables -A PRE-OPENPORT -p tcp --dport $TOKEN4 -m recent --name TOKEN4B --remove -j RETURN
iptables -A PRE-OPENPORT -m recent --name TOKEN4A --remove
iptables -A PRE-OPENPORT -j LOG --log-prefix "VIOLATION AFTER TOKEN4: "
iptables -A INPUT -p tcp --dport $TOKEN1 -m recent --set --name TOKEN1A -j TOKEN1CHAIN
iptables -A INPUT -m recent --rcheck --name TOKEN1A -j PRE-TOKEN2CHAIN
iptables -A INPUT -p tcp --dport $TOKEN2 -m recent --rcheck --name TOKEN1A -j TOKEN2CHAIN
iptables -A INPUT -m recent --rcheck --name TOKEN2A -j PRE-TOKEN3CHAIN
iptables -A INPUT -p tcp --dport $TOKEN3 -m recent --rcheck --name TOKEN2A -j TOKEN3CHAIN
iptables -A INPUT -m recent --rcheck --name TOKEN3A -j PRE-TOKEN4CHAIN
iptables -A INPUT -p tcp --dport $TOKEN4 -m recent --rcheck --name TOKEN3A -j TOKEN4CHAIN
iptables -A INPUT -m recent --rcheck --name TOKEN4A -j PRE-OPENPORT
iptables -A INPUT -p tcp --dport $OPENPORT -m recent --rcheck --seconds $OPENTIMER --name TOKEN4A -j ACCEPT

###################################################
#
# End Port Knocking Configuration
#
###################################################

Change the token numbers from 10, 20, 30, 40 to any other port numbers you want, up to 1024. Think of this combination of numbers as your access code, because that is what it is: it's the sequence you will feed to your firewall to let you in, so remember it.
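The rule set above is easier to reason about as a per-source state machine. The following Python simulation is added here and is not part of the tutorial; it mirrors what the recent-match lists do for the listing's values (tokens 10, 20, 30, 40, OPENPORT 22, OPENTIMER 10) and assumes that whatever the custom rules leave unmatched is handled by the main SuSEfirewall2 rules (returned as "FALLTHROUGH"). It also shows two consequences of the rules that the text does not spell out: any packet that is not the next token, including a ping or a repeat of tokens 2 to 4, resets the sequence, while a repeat of token 1 simply restarts it.

```python
TOKENS = (10, 20, 30, 40)   # TOKEN1..TOKEN4 from the listing above
OPENPORT = 22               # OPENPORT from the listing
OPENTIMER = 10              # OPENTIMER, in seconds

class KnockFirewall:
    """Per-source state mirroring the TOKENnA lists and the TOKEN4C marker."""
    def __init__(self):
        self.stage = {}        # src -> tokens accepted so far (1..4)
        self.knock4_at = {}    # src -> time TOKEN4A was set (the --seconds check)
        self.token_ok = set()  # srcs still holding TOKEN4C (logs "TOKEN OK" once)
        self.log = []          # what the LOG rules would write to the kernel log

    def _reset(self, src, stage):
        self.stage.pop(src, None)
        self.knock4_at.pop(src, None)
        self.token_ok.discard(src)
        self.log.append(f"VIOLATION AFTER TOKEN{stage}: {src}")

    def packet(self, src, dport, now, tcp=True):
        """Return 'ACCEPT' or 'FALLTHROUGH' (left to the main firewall rules)."""
        port = dport if tcp else None  # '-p tcp --dport' never matches ICMP
        n = self.stage.get(src, 0)
        if port == TOKENS[0]:
            # TOKEN1CHAIN clears every A list, so a knock on TOKEN1 restarts
            self.stage[src] = 1
            self.knock4_at.pop(src, None)
            self.token_ok.discard(src)
            self.log.append(f"TOKEN1 Received: {src}")
            return "FALLTHROUGH"
        if n == 0:
            return "FALLTHROUGH"  # in no list: the remaining INPUT rules skip it
        if n < 4:
            if port == TOKENS[n]:  # the next token in the sequence
                self.stage[src] = n + 1
                self.log.append(f"TOKEN{n + 1} Received: {src}")
                if n + 1 == 4:
                    self.knock4_at[src] = now
                    self.token_ok.add(src)
            else:
                # PRE-TOKENnCHAIN: anything else, even a repeat of the last
                # token (its B marker is already consumed), drops the state
                self._reset(src, n)
            return "FALLTHROUGH"
        if port != OPENPORT:  # PRE-OPENPORT after the fourth knock
            self._reset(src, 4)
            return "FALLTHROUGH"
        if src in self.token_ok:  # TOKEN4C marker logs "TOKEN OK" once
            self.token_ok.discard(src)
            self.log.append(f"TOKEN OK: {src}")
        # final ACCEPT rule: TOKEN4A must still be within --seconds $OPENTIMER
        return "ACCEPT" if now - self.knock4_at[src] <= OPENTIMER else "FALLTHROUGH"
```

The log prefixes are the same strings the LOG rules write to the kernel log, so searching the system log for "VIOLATION AFTER" shows which sources got partway through the combination and where they broke off.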

The other things you need to change before you restart your firewall are here:

  1. Edit /etc/sysconfig/SuSEfirewall2 and change FW_CUSTOMRULES="" to FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom", and FW_DEV_EXT="any eth-id-xx:xx:xx:xx:xx:xx" to FW_DEV_EXT="eth0" or FW_DEV_EXT="eth1" (Use the correct name for your external interface, remembering the setting from YaST2.)
  2. Restart the firewall service by issuing the following commands from a terminal as root:
    SuSEfirewall2 stop
    SuSEfirewall2 start
    

Bam: a totally secure firewall that will still let you through. How do you use it? Well, usage differs depending on whether you're connecting from a Linux box or from a Windows box, but the concept is the same. We'll demonstrate it from a Windows machine, since that is the slightly more complicated setup.
