I am using Port Knocking to allow a source IP address to make a secure connection to my Mikrotik router via IPSEC IKEv2. In this way the address list filters the packets going through UDP ports 500 and 4500 so that there are no unexpected tries on those two ports.
I have the following in my Firewall filter:
/ip firewall filter
add action=add-src-to-address-list address-list=port_knock address-list-timeout=1s chain=input comment=Knocking dst-port=1234 protocol=tcp src-address-list=""
add action=add-src-to-address-list address-list=port_knock_1 address-list-timeout=1s chain=input dst-port=2341 protocol=tcp src-address-list=port_knock
add action=add-src-to-address-list address-list=port_knock_2 address-list-timeout=1s chain=input dst-port=3412 protocol=tcp src-address-list=port_knock_1
add action=add-src-to-address-list address-list=servicename address-list-timeout=1h5m chain=input dst-port=4123 protocol=tcp src-address-list=ipsec-ikev2
add action=add-src-to-address-list address-list=servicename address-list-timeout=2h5m chain=input dst-port=1234 protocol=tcp src-address-list=ipsec-ikev2
add action=add-src-to-address-list address-list=servicename address-list-timeout=4h5m chain=input dst-port=2341 protocol=tcp src-address-list=ipsec-ikev2
add action=add-src-to-address-list address-list=servicename chain=input dst-port=3412 protocol=tcp src-address-list=killAddresslist
If the port knocks are in the correct order then the last knock determines the duration for which that port stays open for that source address.
Now I wanted to be able to lock the port down again when I am ready earlier than the expected time. I can extend the time but not make it shorter, so I had to do a bit of scripting myself. This is my second script and it could be optimized a bit because I don't know how everything works yet. I have copied the remove-address part from the Blacklist script and changed it so that it removes the line with the source address in it. I can only remove one address in one go and that is what I need.
So if someone feels like adapting it so that more than one address line can be removed, that is appreciated.
So after I am ready I have to end the secure connection, otherwise my remote local address is put in the killAddresslist and not my public source address. I tick the knocking sequence for removing my source address from the list "ipsec-ikev2" and then it will be placed in the killAddresslist.
Now I can schedule the script to run every few minutes, checking if an address is present in the list. If there is an address present then it goes through the ipsec-ikev2 list and when a match is found then that address line is removed, and automagically it is also removed from the killAddresslist... that part I don't understand yet.
Netwatch can also be used to detect if the remote local address went down after ending the secure connection, but then there is no entry in the killAddresslist. But that I can do when the source address is added to the ipsec-ikev2 list.
The script is:
/system script add name=killAdressInList owner=admin policy=read,write,policy,test
# script source (the get below fails on an empty killAddresslist, so only run when an entry is present):
:if ([:len [/ip firewall address-list find list=killAddresslist]] > 0) do={
    :local killAddress [/ip firewall address-list get [find list=killAddresslist] value-name=address];
    :log info "Searching to delete address $killAddress in the ipsec-ikev2 addresslist";
    # walk every address-list entry and remove the one in ipsec-ikev2 whose address matches
    :foreach i in=[/ip firewall address-list find] do={ :if ([/ip firewall address-list get $i list] = "ipsec-ikev2" :and [/ip firewall address-list get $i address] = $killAddress) do={ /ip firewall address-list remove $i } };
}
Have fun with it.
update: I have now edited the remove line and I can't test it now, so for now it is at your own risk:
:foreach i in=[/ip firewall address-list find list=ipsec-ikev2] do={ :if ([/ip firewall address-list get $i address] = $killAddress) do={ /ip firewall address-list remove $i } };