I’ve successfully set up port knocking to access my network remotely (to be used in conjunction with an encrypted tunnel). Now I’m trying to close access through another knock and I’m running into a problem.
When I knock open a port, the source IP is stored in the ‘secure’ address list. But when I try to close the port using the same method and from the same remote device, the address stored is the router’s IP address, not the source IP address. As a result, the source IP remains unchanged in the address list, and another address is added to the list.
Why is the router’s IP address used for the closing knock when the source IP address is used for the open knock?
# Rules to add port-knocked address to secure address list...
add action=add-src-to-address-list address-list=knockport1 address-list-timeout=3s chain=input comment="Port knock 1" dst-port=<####> protocol=tcp
add action=add-src-to-address-list address-list=knockport2 address-list-timeout=3s chain=input comment="Port knock 2" dst-port=<####> protocol=udp src-address-list=knockport1
add action=add-src-to-address-list address-list=secure address-list-timeout=5m chain=input comment="Port knock 3 - Add address to secure list" dst-port=<####> log=yes log-prefix="Knocked port open" protocol=tcp src-address-list=knockport2
# Rule to remove port-knocked address from secure address list. Sets secure address list to expire in 1 second...
add action=add-dst-to-address-list address-list=secure address-list-timeout=1s chain=input comment="Close open knocked port on request." dst-port=<####> protocol=tcp
Because in the rule that is supposed to shorten the lifetime of the address list row, you’ve put action=add-dst-to-address-list instead of the correct action=add-src-to-address-list.
Problem is, this shortening doesn’t work. I was excited (and slightly ashamed that I didn’t try it before myself) to learn something new I missed. But no. It increases timeout for existing record when it’s lower than timeout set in rule. But it doesn’t decrease it when it’s higher.
After correcting the error, I found this is basically true for me as well. If I do an opening knock, it does increase, but if I do a closing knock, the timeout doesn’t change.
The workaround is to add the source address to yet another address list and place a drop rule referring to it before your current accept rule referring to the secure list.
I was thinking of doing that, but if I want to open knock again shortly after I close knock, I’d have to wait until the second address list timed out. Not a major problem.
First, add the close-knocked address to the closesecure address list. I’m giving it a timeout at least as long as the secure address list in case the script fails…
add action=add-src-to-address-list address-list=closesecure address-list-timeout=5m chain=input comment="Close open knocked port on request. This blocks the source IP until a timer can remove the closesecure and secure address lists." dst-port=<####> protocol=tcp src-address-list=secure
Drop all traffic from the closesecure address list until the script can handle it…
add action=drop chain=forward comment="Drop traffic from closesecure addresses" src-address-list=closesecure
And run the following script on a schedule every x seconds (I’m using 10). If there is a closesecure address, then it deletes that address from both the secure and closesecure address lists…
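A scheduled cleanup script of the kind described above, as an added example and not the poster's own script. The list names secure and closesecure come from the thread; the script name close-knocked and the 10 second interval are assumptions. Rather than trying to shorten an entry's timeout (which, as noted earlier in the thread, address-list-timeout never does), it removes the entries outright, so the next open knock starts from a clean state instead of waiting for the closesecure entry to expire. It assumes the drop rule for closesecure sits on the same chain as, and before, the accept rule that references secure; otherwise the close knock has no effect until this script runs.

```routeros
# Added example, not from the original thread.
# Store this as a script named "close-knocked" (assumed name) under /system script
# and run it from /system scheduler. Every run walks the "closesecure" list and,
# for each address found there, removes that address from both "secure" and
# "closesecure". The id list is captured once by find, so removing entries
# inside the loop does not disturb the iteration.
:foreach id in=[/ip firewall address-list find where list="closesecure"] do={
    :local addr [/ip firewall address-list get $id address]
    :log info ("Close knock: revoking access for " . $addr)
    # Drop every "secure" entry for this source address (there is normally one,
    # but a repeated open knock can leave more than one before it is refreshed).
    /ip firewall address-list remove [find where list="secure" address=$addr]
    # Finally drop the "closesecure" entry itself so the drop rule stops matching
    # and the address is free to open-knock again immediately.
    /ip firewall address-list remove $id
}
```

Schedule it from the terminal with `/system scheduler add name=close-knocked interval=10s on-event=close-knocked` (on-event takes the script name). To check it is working, do a close knock and then run `/ip firewall address-list print where list=secure`: the knocking address should be gone within one scheduler interval, and the matching "Close knock" line should appear in `/log print`.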