LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 01-10-2014, 01:39 PM   #1
cerien
LQ Newbie
 
Registered: Jan 2012
Posts: 14

Rep: Reputation: Disabled
Port Forwarding / Triggering / Knocking with iptables / debian


Hello

I am using a debian wheezy with iptables.

I'd like to have either:

- port triggering / knocking (if I understood correctly). Ie, I try to access a given port from an IP, and this request will open for this IP another port for a given time. I couldnt find anything about this on iptables

or

- port forwarding: I've found the classic
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8010 -j REDIRECT --to-ports 80
which will redirect port 8010 to 80, but I'd like that port 80 remains prohibited for everybody (or at least, any external IP) - the idea is to hide the port from scanners (I have other security after that, I know hiding is not enough)

How could I achieve this ?

Thks for the help

J

Last edited by cerien; 01-10-2014 at 01:48 PM.
 
Old 01-10-2014, 03:42 PM   #2
michaelk
Moderator
 
Registered: Aug 2002
Posts: 26,190

Rep: Reputation: 6087Reputation: 6087Reputation: 6087Reputation: 6087Reputation: 6087Reputation: 6087Reputation: 6087Reputation: 6087Reputation: 6087Reputation: 6087Reputation: 6087
Port knocking includes more then just iptables. In a nutshell a server runs that monitors traffic on the desired knocking ports. When it matches then the desired service ports are opened via iptables.

http://www.cyberciti.biz/faq/debian-...king-tutorial/

A more secure version of port knocking is called Single Packet Authorization.

http://www.linuxjournal.com/article/9565
https://help.ubuntu.com/community/Si...tAuthorization
 
Old 01-13-2014, 07:30 AM   #3
cerien
LQ Newbie
 
Registered: Jan 2012
Posts: 14

Original Poster
Rep: Reputation: Disabled
Many thanks, these links are excellent.

Would you have any suggestions regarding my second question - how to block a given port when it comes straight from the outside, but not when it has been pre-procesed and redirected ?


Rgds
 
Old 01-13-2014, 07:58 AM   #4
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233Reputation: 233Reputation: 233
One can do port knocking solely in iptables with the -m recent module
Quote:
iptables -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -i eth0 -p tcp --dport 900 -m recent -name first -set -j DROP
iptables -i eth0 -p tcp --dport 1000 -m recent -name second -set -j DROP
iptable -i eth0 -p tcp --dport 22 -m recent -name first -rcheck --second 2 -hitcount 1 -j second
iptables -i eth0 -p tcp --dport 22 -m recent -name second -rcheck --second 2 -hitcount 1 -j ACCEPT
or something like that.

There are other nice things where you can search the conent of a package and then add ips to a recent list.

The second one can also be done with the recent thing. Just only allow ips within a set and block the others. Or take a look at -m set this is a bit more powerfull than recent but on debian wasn't included in default kernel of squeeze at least.
 
Old 01-13-2014, 04:19 PM   #5
cerien
LQ Newbie
 
Registered: Jan 2012
Posts: 14

Original Poster
Rep: Reputation: Disabled
thanks - I've installed simple port knocking ,and it works as expected,


many thanks for the help

J.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] IPtables : ssh port forwarding one port to another port issue routers Linux - Networking 7 08-07-2018 08:41 AM
Writing the iptables port triggering rule.. vlrk Linux - Server 1 03-05-2013 12:16 PM
how to port triggering using iptables dhavalshah9898 Linux - Laptop and Netbook 2 04-26-2010 11:53 PM
IPCHAINS port forwarding and IPTABLES port forwarding ediestajr Linux - Networking 26 01-14-2007 07:35 PM
port triggering with iptables? injun Linux - Networking 2 08-29-2004 12:02 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 05:34 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration