Port knock with more ports

Jeroen1000 · December 4, 2011, 10:12pm

How would one go about this?

I’m basing myself on this example I have found in the wiki:

add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list  address-list=knock \
address-list-timeout=15s comment="" disabled=no 
add chain=input protocol=tcp dst-port=7331 src-address-list=knock action= add-src-to-address-list \
address-list=safe  address-list-timeout=15m comment="" disabled=no

So I need to transform this so that my IP is not added to the safe list before multiple ports have been knocked. Unfortunately, I can’t afford to lock myself out of the router just now. So can I achieve this by changing the top rule to:

add chain=input protocol=tcp dst-port=1337,18001,3000 action=add-src-to-address-list  address-list=knock \
address-list-timeout=15s comment="" disabled=no

If the above is correct, can it also be altered to allow UDP as a protocol?

Much obliged,
Jeroen

fewi · December 4, 2011, 10:30pm

That is not correct. To add additional steps you need to use multiple address lists. The first rule adds to a list called knock1, the second rule (second port) adds to a list called knock2 but only allows people on knock1, the third rule (third port) adds to a list called knock3 but only allows people on knock2 (and to get there you would have had to complete the sequence before), and so on until eventually you add a to a list that is allowed to access the real target ports. Yes, you can use UDP.

Search the 2010 US MUM presentations for on by Steve Discher on this topic, it explains the concept in detail and is - I believe - multi step.

Jeroen1000 · December 5, 2011, 10:23am

Thanks for the heads up Fewi.

I was afraid of that, it does get a lot messier this way but nevertheless still doable. I was hoping on a secret “AND” operator which would have allowed specifying multiple ports like in my faulty rule. .