This document describes port knocking with knockd: a stealth way to open, from outside, ports that the firewall keeps closed by default. knockd sniffs the network interface for a secret sequence of connection attempts (the "knock") to closed ports and, once it has seen the whole sequence from one source address, runs a command that opens the firewall for that address only.
Server side
1. Install knockd
apt-get install knockd
2. Configure knockd
vim /etc/knockd.conf
[options]
UseSyslog
[OpenClosePort]
sequence = 2123:udp,3543:tcp,6454:udp
seq_timeout = 5
tcpflags = syn
start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport PORT -j ACCEPT
cmd_timeout = 3600
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport PORT -j ACCEPT
:wq
Notes:
- sequence - the knock: the ports a client must hit in exactly this order; each port may carry a :udp or :tcp suffix, tcp being the default
- seq_timeout - seconds allowed for the whole sequence; a knock that takes longer is discarded and must start over
- tcpflags = syn - only TCP packets with SYN set count, so stray RST/ACK traffic does not disturb a sequence in progress
- start_command - command run (with knockd's privileges, root by default) when a client completes the sequence; %IP% is replaced by the knocking client's address, so the firewall opens for that client only
- stop_command - command run cmd_timeout seconds after start_command
- cmd_timeout - seconds to wait between start_command and stop_command
- PORT - placeholder for the port to open (e.g. 22 for SSH); replace it in both iptables commands
- The knock is a shared secret sent in the clear with no replay protection: anyone who can sniff the path can replay it. Treat knockd as an extra hurdle in front of a service that still authenticates properly (SSH with keys, for example), not as authentication on its own.
- The rule is inserted at the top of INPUT and later deleted, so it only does something if INPUT already drops or rejects PORT. If INPUT has no rule accepting ESTABLISHED traffic, connections opened through the knock are cut when stop_command removes the rule.
3. Enable knockd
vim /etc/default/knockd
:%s/START_KNOCKD=0/START_KNOCKD=1/g
:%s/#KNOCKD_OPTS="-i eth1"/KNOCKD_OPTS="-i eth0"/g
:wq
(-i names the interface knockd sniffs; use the one that faces the clients)
4. Start knockd
/etc/init.d/knockd restart
Client side
1. Knock the port (run as root, since -sU needs raw sockets; --max-retries 0 sends each probe exactly once so a retransmission does not land in the middle of the sequence, and the three commands must finish within seq_timeout)
nmap -Pn --host-timeout 201 --max-retries 0 -sU -p 2123 host; nmap -Pn --host-timeout 201 --max-retries 0 -p 3543 host; nmap -Pn --host-timeout 201 --max-retries 0 -sU -p 6454 host
2. Check if the port is open (PORT is the port opened by start_command)
telnet host PORT
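The same client-side procedure, written as a small Python script instead of three nmap runs plus telnet. This is an added example, not part of this page or of the knockd project (the knockd package also ships its own knock client). It parses a sequence string in knockd's own format, sends one packet per knock in order (a TCP connect attempt emits the single SYN that tcpflags = syn looks for; a UDP datagram is enough for the udp entries), then checks whether the target port now accepts a TCP handshake. The host, port and delays are assumptions chosen for illustration; the sequence is the one from the configuration above.

```python
#!/usr/bin/env python3
"""Port-knock client for the knockd door configured above (added example)."""
import socket
import sys
import time

# Sequence string copied from the knockd.conf above. Format is knockd's own:
# comma-separated ports, each optionally suffixed with :tcp or :udp (default tcp).
SEQUENCE = "2123:udp,3543:tcp,6454:udp"


def parse_sequence(spec):
    """Turn knockd's 'port[:proto],...' string into [(port, proto), ...]."""
    knocks = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        port, _, proto = item.partition(":")
        proto = (proto or "tcp").lower()
        if proto not in ("tcp", "udp"):
            raise ValueError("unknown protocol in sequence entry: %r" % item)
        knocks.append((int(port), proto))
    return knocks


def send_knock(host, port, proto, timeout=0.5):
    """Send exactly one packet to host:port.

    TCP: a connect() attempt emits one SYN, which is all knockd counts with
    tcpflags = syn. The port is closed on the server, so the connect is
    refused or times out; that is expected. The timeout stays well under 1 s
    (assumption: Linux retransmits an unanswered SYN after about 1 s) so a
    retransmitted SYN cannot arrive after the next knock and break the
    sequence; close() on a socket still in SYN_SENT aborts the attempt.
    UDP: one datagram; knockd only looks at the destination port.
    """
    if proto == "tcp":
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            pass  # refused or timed out: the SYN was sent regardless
        finally:
            s.close()
    else:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            s.sendto(b"\x00", (host, port))  # payload is irrelevant to knockd
        finally:
            s.close()


def knock(host, spec, gap=0.2):
    """Play the whole sequence in order; returns the number of knocks sent.

    The gap keeps the packets ordered on the wire. The whole run must finish
    within knockd's seq_timeout (5 s in the configuration above).
    """
    knocks = parse_sequence(spec)
    for i, (port, proto) in enumerate(knocks):
        send_knock(host, port, proto)
        if i < len(knocks) - 1:
            time.sleep(gap)
    return len(knocks)


def port_open(host, port, timeout=2.0):
    """Replacement for the telnet check: True if a TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # usage: knock.py <host> <PORT>   (host runs knockd; PORT is what start_command opens)
    target_host = sys.argv[1]
    target_port = int(sys.argv[2])
    knock(target_host, SEQUENCE)
    time.sleep(0.5)  # give knockd time to run start_command
    state = "open" if port_open(target_host, target_port) else "closed"
    print("port %d on %s is %s" % (target_port, target_host, state))
```

Unlike the nmap version this needs no root privileges, because it never crafts raw packets: the kernel builds the SYN and the UDP datagram from ordinary socket calls. If the check still reports the port closed, look at the knockd syslog output on the server; it logs each stage of the sequence it recognises, which shows whether the knocks arrived in order and within seq_timeout.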