
I set up port knocking, first using this method with knockd and then this method using only iptables directly, but when both failed I thought I'd check a bit deeper into the problem.

Correct me if I'm wrong, but it seems that though I am knocking from the same IP, the "from" IP seems to be using a different port each time, and it looks like the iptables matching takes the from port into account?

To visualise this, let x be the IP address I'm knocking from (the client) and y be the IP address I am trying to access (the server). If my knock pattern is y:123, y:124, y:125 it should unlock a channel for x, but it doesn't work.

Checking my router's logs, it does say that x is hitting the correct rules to knock y, but each knock seems to come from a random port, so x:456 knocks y:123, then x:357 knocks y:124 and finally x:532 knocks y:125, and though the sequence is complete, 22 stays locked.

Without knowing any other way to check, I assume it's the changing port on x that causes the problem, which leads me to my question: Is there a way to get iptables to ignore the port when matching a source address (or am I misreading the problem and there's something else I can check?)

If it helps, my first match check is as follows:

-A GATE1 -p tcp -m tcp --dport 123 -m recent --set --name AUTH1 --mask 255.255.255.255 --rsource -j DROP

or to be even more specific, the commands to configure iptables were as follows (assuming 123-125 are the ports to knock):

sudo iptables -N GATE1
sudo iptables -N GATE2
sudo iptables -N GATE3
sudo iptables -N KNOCKING
sudo iptables -N PASSED
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -j KNOCKING
sudo iptables -A GATE1 -p tcp -m tcp --dport 123 -m recent --set --name AUTH1 --mask 255.255.255.255 --rsource -j DROP
sudo iptables -A GATE1 -j DROP
sudo iptables -A GATE2 -m recent --remove --name AUTH1 --mask 255.255.255.255 --rsource
sudo iptables -A GATE2 -p tcp -m tcp --dport 124 -m recent --set --name AUTH2 --mask 255.255.255.255 --rsource -j DROP
sudo iptables -A GATE2 -j GATE1
sudo iptables -A GATE3 -m recent --remove --name AUTH2 --mask 255.255.255.255 --rsource
sudo iptables -A GATE3 -p tcp -m tcp --dport 125 -m recent --set --name AUTH3 --mask 255.255.255.255 --rsource -j DROP
sudo iptables -A GATE3 -j GATE1
sudo iptables -A KNOCKING -m recent --rcheck --seconds 30 --name AUTH3 --mask 255.255.255.255 --rsource -j PASSED
sudo iptables -A KNOCKING -m recent --rcheck --seconds 10 --name AUTH2 --mask 255.255.255.255 --rsource -j GATE3
sudo iptables -A KNOCKING -m recent --rcheck --seconds 10 --name AUTH1 --mask 255.255.255.255 --rsource -j GATE2
sudo iptables -A KNOCKING -j GATE1
sudo iptables -A PASSED -m recent --remove --name AUTH3 --mask 255.255.255.255 --rsource
sudo iptables -A PASSED -p tcp -m tcp --dport 22 -j ACCEPT
sudo iptables -A PASSED -j GATE1

Of course you'd never use these specific ports, but not gonna put my real ports online, regardless of the lack of server detail :)

L33tCh
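To test the suspicion about the source port, here is a small added simulation (not code from the question, and not iptables itself) of the xt_recent state machine that the posted GATE/KNOCKING/PASSED rules build. It assumes, as the recent module does with --rsource and a /32 mask, that entries are keyed on the source address only, and it uses the --seconds windows from the rules; the client IP and the source ports are constructed sample values.

```python
"""Simulate the KNOCKING/GATE/PASSED rule set for new TCP packets."""

KNOCK_PORTS = [123, 124, 125]                       # ports from the question
WINDOWS = {"AUTH1": 10, "AUTH2": 10, "AUTH3": 30}   # --seconds per recent list


class RecentLists:
    """Per-list {src_ip: last_seen} tables; xt_recent --rsource keys on address."""

    def __init__(self):
        self.lists = {name: {} for name in WINDOWS}

    def rcheck(self, name, ip, now):
        seen = self.lists[name].get(ip)
        return seen is not None and now - seen <= WINDOWS[name]

    def set(self, name, ip, now):
        self.lists[name][ip] = now

    def remove(self, name, ip):
        self.lists[name].pop(ip, None)


def gate(state, n, ip, dport, now):
    """GATEn: --remove the previous list, --set on the expected dport then DROP;
    any other port falls through to GATE1 (which only sets AUTH1 on port 123)."""
    if n > 1:
        state.remove(f"AUTH{n - 1}", ip)
    if dport == KNOCK_PORTS[n - 1]:
        state.set(f"AUTH{n}", ip, now)
        return "DROP"
    return gate(state, 1, ip, dport, now) if n > 1 else "DROP"


def knocking(state, ip, dport, now):
    """Walk the KNOCKING chain for one packet; returns ACCEPT or DROP."""
    if state.rcheck("AUTH3", ip, now):            # -j PASSED
        state.remove("AUTH3", ip)
        return "ACCEPT" if dport == 22 else gate(state, 1, ip, dport, now)
    if state.rcheck("AUTH2", ip, now):
        return gate(state, 3, ip, dport, now)
    if state.rcheck("AUTH1", ip, now):
        return gate(state, 2, ip, dport, now)
    return gate(state, 1, ip, dport, now)


def run_sequence(packets):
    """packets: (time_s, src_ip, src_port, dport); src_port is never consulted."""
    state = RecentLists()
    return [knocking(state, ip, dport, t) for t, ip, _sport, dport in packets]


if __name__ == "__main__":
    client = "203.0.113.7"                          # constructed sample client
    knocks = [(0, client, 456, 123), (1, client, 357, 124),
              (2, client, 532, 125), (3, client, 40000, 22)]
    print(run_sequence(knocks))                     # random source ports still pass
```

With the rules as posted, the varying source port cannot be what blocks port 22; what the simulation does show is that a knock arriving more than 10 s after the previous one, or a wrong port in the middle, silently resets the sequence. On the server, the tracked addresses can be inspected in /proc/net/xt_recent/AUTH1, AUTH2 and AUTH3 to see which stage the client actually reached.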
