Enable the firewall and remove the services you want to protect with port knocking from the list of “Trusted Services”.
Here we take SSH as the example; it listens on port 22 unless configured otherwise.
Close all access to SSH port:
# iptables -A INPUT -s 0/0 -d [server ip] -p tcp --dport 22 -j REJECT
Install the “knock” package and edit knockd.conf (knockd replaces %IP% in each command with the address of the client that sent the knock sequence):
# vi /etc/knockd.conf
[options]
logfile = /var/log/knockd.log
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
tcpflags = syn
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
tcpflags = syn
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
Start the knockd daemon:
# /usr/sbin/knockd -d
---------- Client side: ----------
Install the knock package and type:
# knock -v [server ip] [open sequence]
Now you can SSH into the system:
# ssh [server ip]
To close the port, send the closing sequence.
You can save the iptables settings by running iptables-save; it writes the current rule set to standard output, so redirect it to a file if you want to keep it:
# iptables-save
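The following Python script is an added example, not part of the original tutorial or of the knockd project. It parses a knockd.conf in the format shown above (the sample config is constructed inline and mirrors the one in the tutorial), checks the open/close pair for the mistakes that most often leave the port open or rules piling up (identical sequences, a command that does not use %IP%, a close command that does not delete exactly the rule the open command inserted), and derives the client-side sequences. The `knock()` function reproduces what the `knock` client does: one TCP SYN per port, in order, ignoring the failed connects. The host and port values are placeholders you supply.

```python
"""Parse and sanity-check a knockd.conf, then derive the client knock sequences.

The sample config below is constructed for this example; it mirrors the
tutorial's config and uses knockd's real %IP% placeholder, which the daemon
replaces with the knocking client's address.
"""
import socket
import time

SAMPLE_KNOCKD_CONF = """\
[options]
logfile = /var/log/knockd.log

[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
tcpflags = syn
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
tcpflags = syn
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""


def parse_knockd_conf(text):
    """Return {section: {key: value}}; keys are lower-cased like knockd's ini parser."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def knock_sequence(section):
    """Parse 'sequence = 7000,8000,9000' into [7000, 8000, 9000]."""
    return [int(p) for p in section["sequence"].split(",")]


def check_knock_pair(conf, open_name, close_name):
    """Return a list of problems found in an open/close section pair (empty means OK)."""
    problems = []
    opener, closer = conf[open_name], conf[close_name]
    open_seq, close_seq = knock_sequence(opener), knock_sequence(closer)
    if open_seq == close_seq:
        problems.append("open and close sequences are identical")
    if len(open_seq) < 3:
        problems.append("open sequence is shorter than 3 ports")
    for name, sec in ((open_name, opener), (close_name, closer)):
        if "%IP%" not in sec.get("command", ""):
            problems.append(f"{name}: command does not use %IP%, so the rule is not client-specific")
        if int(sec.get("seq_timeout", "0")) <= 0:
            problems.append(f"{name}: seq_timeout must be positive")
    # The close command must delete exactly the rule the open command inserted,
    # otherwise every successful knock leaves an ACCEPT rule behind.
    open_rule = opener.get("command", "").replace(" -I ", " ", 1)
    close_rule = closer.get("command", "").replace(" -D ", " ", 1)
    if open_rule != close_rule:
        problems.append("close command does not delete the same rule the open command inserts")
    return problems


def knock(host, ports, delay=0.2, timeout=0.5):
    """Client side: send one TCP SYN per port in order, as the `knock` client does.

    The knock ports are closed on the server, so each connect fails; only the SYN
    matters, and all of them must arrive within seq_timeout seconds.
    """
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            pass  # expected: the port is filtered or closed
        finally:
            s.close()
        time.sleep(delay)


if __name__ == "__main__":
    conf = parse_knockd_conf(SAMPLE_KNOCKD_CONF)
    print("problems:", check_knock_pair(conf, "openSSH", "closeSSH") or "none")
    print("open sequence :", knock_sequence(conf["openSSH"]))
    print("close sequence:", knock_sequence(conf["closeSSH"]))
    # knock("[server ip]", knock_sequence(conf["openSSH"]))  # placeholder host; run against your own server
```

Run it against a copy of your own /etc/knockd.conf (replace the sample text with `open("/etc/knockd.conf").read()`) before restarting the daemon; a non-empty problem list means the config will either never open the port for a specific client or never close it again.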