knockd.
© 2009 Jan Zulawski
<fdd@altair.pw>
## (to) knock; knockd. however, that `d' comes from *daemon*.
% echo -e 'e.g.,\n'
% iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  foo.bar.qux.def      0.0.0.0/0            tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
% cat /etc/knockd.conf
[openSSH]
    sequence    = foobar,def,plugh,fred,xyzzy,thud
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = thud,def,fred,foobar,xyzzy,plugh
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
% knock -v foo.bar.qux.quux foobar def plugh fred xyzzy thud
% echo 'however, knocks can be sent via netcat, hping, packit, etc.'
% echo 'open_port command executed @foo.bar.qux.def.'
% echo 'do sleep 16; while job_done; done...'
% knock -v foo.bar.qux.quux thud def fred foobar xyzzy plugh
% echo 'close_port command now executed @specific.host. all set. w00t!'
n.b.:
#01. {def,foobar,fred,plugh,thud,xyzzy} == (tcp || udp) ports.
#02. use as many as you want... anyway, 3 should be just fine (read as `secure'), keeping in mind the sequence is static: whoever sees one knock on the wire can repeat it, so it gates sshd's own auth rather than replacing it.
. ..:
-- Feb 18, 2009. ⌘
tonight
black celebration
tonight