I am looking to hide some open ports from a port scanner. I would like to make the ports only visible to select IP addresses. Here is my goal.
Any scans done from an IP address not in a list will show all ports as closed or filtered.
If scanned from an approved list, show as open. (However, if it's still shown as closed but is really accessible, that is okay too.)
I understand there are some port knocking features that can be used as well, but I don't really understand how that is configured or how to make a complex knock. I would presume that the company hired to do the scanning would ping the address first to make sure it's up before running port scans, kind of making that option worthless unless there is a way to do specific pings in a certain order that will open ports at that time.
Thanks again for any information or suggestions on how to hide these open ports.
If you are talking about access to ports on the router itself then use filters in the input chain. Add rules with the relevant source IPs / target ports (use an address-list if easier) and action=accept. Then have a rule below those which drops the traffic from any other sources.
What you are describing sounds like standard firewall functionality.
I am not speaking in regards to the router itself. I am talking in regards to devices behind it. Maybe this will help better explain.
I have COMPUTER1 behind the RB2011. It has port 22 for SSH.
If I scan COMPUTER1 from SOURCE-A, I want COMPUTER1 to show the port scan as port 22 is closed/filtered.
If I scan COMPUTER1 from SOURCE-B, I want COMPUTER1 to show either open port or closed/filtered but still accept the connection.
If this is done with simple firewall rules then I downgrade myself from amateur network tech to newb network tech, which I am not denying. I am just trying to get a clear idea on how I can achieve the goal mentioned above. I have a location that will be scanned for compliance and the ports need to show as closed, yet from a remote location I still need to be able to get into those systems to support them.
I do want to thank you for your reply as well; any info from anyone that can help me get this sorted or point me in the right direction is very welcomed and appreciated.
For traffic through the router you would place the filters in the forward chain. If you are using NAT then the filters would reflect the NATed destination address.
Paths which are open (from a particular address) will be seen as open when scanned from that address but will be seen as closed from other addresses.
Thanks for the info. I've been swamped. I'll be sure to try that and see what I can do. It will most likely be a NAT rule. I would presume all the inbound address rules would go first and then the reject rules afterwards.
DST NAT rules typically have a corresponding forward chain rule to allow the traffic to the DST NATed address/port, assuming that there is a “drop all” rule further down the forward chain.
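As an added illustration of the pattern described in the replies above (address-list, accept rules, then a drop rule, in both the input and forward chains, with a matching dst-nat rule), here is a RouterOS CLI configuration. It is example code written for this thread, not the original poster's or MikroTik's own configuration. The interface name ether1, the internal address 192.168.88.10 for COMPUTER1, the address 203.0.113.5 for SOURCE-B and the list name ssh-allowed are all assumed values chosen for the example.

```routeros
# Added example, not from the thread. Assumptions: ether1 is the WAN/public interface,
# COMPUTER1 is 192.168.88.10 on the LAN, SOURCE-B is 203.0.113.5 (constructed value).

# 1. The approved sources live in one address-list so the rules never need editing.
/ip firewall address-list
add list=ssh-allowed address=203.0.113.5 comment="SOURCE-B, approved support host"

# 2. Publish COMPUTER1's SSH port. dst-nat only rewrites the destination;
#    the forward chain below decides who is actually allowed through.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.88.10 to-ports=22 comment="ssh -> COMPUTER1"

# 3. Forward chain: rules are evaluated top-down, so accepts come before the drop.
#    The forward chain sees the post-NAT destination (192.168.88.10:22), not the public address.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="replies of already accepted sessions"
add chain=forward in-interface=ether1 protocol=tcp dst-address=192.168.88.10 dst-port=22 src-address-list=ssh-allowed action=accept comment="SOURCE-B may reach COMPUTER1 ssh"
add chain=forward in-interface=ether1 connection-state=new action=drop comment="all other new inbound connections: scanner sees the port as filtered"

# 4. Same pattern for services on the router itself (input chain). The final drop also
#    swallows ICMP echo from unlisted sources, so a 'ping first' host discovery gets no reply.
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 src-address-list=ssh-allowed action=accept comment="approved hosts may manage the router"
add chain=input in-interface=ether1 action=drop comment="everything else aimed at the router"
```

With action=drop the unlisted scanner (SOURCE-A) sees port 22 as filtered; if the compliance report needs "closed" instead, change the drop rules to action=reject reject-with=tcp-reset, which answers with a RST the way a host with nothing listening would. Add the accept rules and verify the approved host can still connect before adding the final drop rules, and apply the input-chain rules from the LAN side so a mistake in the list does not lock you out of the RB2011.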