Enable Firewall and remove those services which you want to knock, from the list of “Trusted Services”.

Here we take the example of SSH service which normally runs on port 22, unless configured.

Close all access to SSH port:

#  iptables   -A   INPUT   -s  0/0   -d   [server ip]   -p  tcp   — -dport  22   -j   REJECT

Install “knock” package and edit knockd.conf:

#  vi  /etc/knockd.conf

[options]

  Logfile  =  /var/log/knockd.log

[openSSH]

        sequence        =   7000,8000,9000

        seq_timeout =    5

        tcpflags          =    syn

        command      =   /sbin/iptables  -I  INPUT  -s  [client ip]   -p  tcp  — -dport  22   -j ACCEPT

[closeSSH]

        sequence         =   9000,8000,7000

        seq_timeout  =   5

        tcpflags            =   syn

        command        =   /sbin/iptables  -D  INPUT  -s  [client ip]   -p  tcp  — -dport  22   -j ACCEPT

Start knockd daemon:

#   /usr/sbin/knockd   –d  

———-Client side:———-

Install knock package and type:

#   knock   -v   [server ip]   [open sequence]

Now you can SSH the system:

#    ssh  [server ip]

To close the port, send the closing sequence.

You can save the iptables settings by running:

#  iptables-save

Advertisements