Where can I define ports other than those in /ip service? I'm trying to configure port knocking on port 48220 but can't define them.
Thanks.
The /ip service items really control the daemons on the router that provide services, like the web interface or the ftp server. You really want to use a firewall rule (or rules) with a specific port and the action 'add src address to list' to allow in the knocking user.
Indeed, /ip firewall filter is your answer; just use the action 'add src to address list'.
Yes, I tried to use /ip firewall filter with different ports but it doesn't work.
Can you paste an example for me, please?
Thanks a lot.
You need a cascade of rules, for example:
UDP port 2021 → add src to list A
UDP port 2022 and src is on list A → add src to list B
UDP port 2023 and src is on list B → add src to list Allowed
Yes, but I want to do port knocking with only one port.
UDP port 2021 → add src to list A
Permit List A for 15 minutes
Then I must telnet to this port? (like "telnet 192.168.1.1 2021")
At the moment I use port knocking, but with the http port…
Thanks!
It would be more like:
UDP port 2021 → add src to list A with 15 min timeout
Permit list A
Take a look please:
19 ;;; Allow SSH - Port Knocking SSH - External Interface
chain=input in-interface=externa dst-port=2021 action=add-src-to-address-list address-list=ssh_ok
address-list-timeout=15m
20 ;;; Accept verified SSH - Port Knocking
chain=input in-interface=externa protocol=tcp dst-port=22 src-address-list=ssh_ok action=accept
21 ;;; Log remaining SSH attempts
chain=input protocol=tcp dst-port=22 action=log log-prefix="ssh_denegado"
22 ;;; Drop remaining SSH
chain=input protocol=tcp dst-port=22 action=drop
Then, from the remote computer I run:
c:\telnet my_router 2021
… and the rule doesn't match; the remote IP doesn't appear in the ssh_ok list. What am I doing wrong?
Thanks!
It would be more like:
UDP port 2021 → add src to list A with 15 min timeout
Permit list A
You need a protocol specification. The rule cannot look into the IP packet to get a port until it knows if it’s a TCP, UDP, etc. Try the following:
19 ;;; Allow SSH - Port Knocking SSH - External Interface
chain=input in-interface=externa protocol=tcp dst-port=2021 action=add-src-to-address-list address-list=ssh_ok
address-list-timeout=15m
JJCinAZ, it doesn't work…
Try this rule:
/ip firewall filter
add chain=input in-interface=externa protocol=udp dst-port=2021 action=add-src-to-address-list address-list=ssh_ok
comment="Allow SSH - Port Knocking SSH - External Interface" address-list-timeout=15m
20 ;;; Accept verified SSH - Port Knocking
chain=input in-interface=externa protocol=tcp dst-port=22 src-address-list=ssh_ok action=accept
Make sure to place this rule above any rule that blocks input to the router.
No skill ...
Take a look at my firewall rules:
[admin@mk] ip firewall filter> print input
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Allow SSH from the LAN
chain=input in-interface=interna src-address=192.168.1.0/24 protocol=tcp dst-port=22 action=accept
1 ;;; Allow SSH - Port Knocking SSH - External Interface
chain=input in-interface=externa protocol=udp dst-port=2031 action=add-src-to-address-list address-list=ssh_ok
address-list-timeout=5m
2 ;;; Accept verified SSH - Port Knocking
chain=input in-interface=externa protocol=tcp dst-port=22 src-address-list=ssh_ok action=accept
3 ;;; Log remaining SSH attempts
chain=input protocol=tcp dst-port=22 action=log log-prefix="ssh_denegado"
4 ;;; Drop remaining SSH
chain=input protocol=tcp dst-port=22 action=drop
Then, from a remote computer:
C:\Documents and Settings>telnet my_mk 2031
Connecting To my_mk...Could not open connection to the host, on port 2031: Connect failed
And nothing happened:
ip firewall address-list> print
Flags: X - disabled, D - dynamic
LIST ADDRESS
Thanks a lot.
fpascual,
you defined the 'knocking' on port 2031 with UDP, but telnet uses TCP, hence you cannot use telnet to port 2031 to do the knocking…
You'd need a special tool that sends a UDP packet to port 2031, or change the knocking rule to use TCP; then you can use telnet just like you did.
–Tom
Then, from a remote computer:
C:\Documents and Settings>telnet my_mk 2031
Connecting To my_mk...Could not open connection to the host, on port 2031: Connect failed
And nothing happened:
This command will telnet to "my_mk" on TCP port 2031, whereas the router is listening on UDP port 2031. So the source IP will not be added to "ssh_ok". You must knock on UDP port 2031 for this to work. Alternatively, change the protocol to TCP in your rule 1; then the telnet command will work.
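The two points made in this thread, the cascade of address-list rules from the earlier reply and the need for a tool that can send a UDP knock (telnet only speaks TCP), together as an added example that is not code from any poster here. It is a Python helper with two parts: routeros_knock_rules() emits the /ip firewall filter rules for a knock sequence in the `add chain=input ...` form used above, and knock() sends the knocks from the client. The list name ssh_ok and the interface name externa come from the thread; the stage list names knock_stage1.., the 10s stage timeout, the 15m final timeout and the "knock" payload are assumptions made for the example. The generated RouterOS lines are text to paste into the router, not something this script executes.

```python
"""Port-knock helpers for the RouterOS setup in this thread (added example).

routeros_knock_rules() returns the /ip firewall filter rules for a knock
sequence as a cascade of address lists: each stage only matches a source
that is already on the previous stage's list, and the last stage puts the
source on the list that the SSH accept rule checks.

knock() is the client side. A UDP knock is a single datagram; a TCP knock
is a connect() attempt, because the SYN alone is what the router's rule
sees, so a refused or timed-out connection is the expected outcome.
"""
import socket
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Knock:
    proto: str  # "udp" or "tcp"
    port: int


def routeros_knock_rules(knocks, final_list="ssh_ok", in_interface="externa",
                         stage_timeout="10s", final_timeout="15m",
                         service_port=22):
    """Return RouterOS CLI lines implementing the cascade for `knocks`.

    List names knock_stage1.. and both timeouts are assumptions for the
    example; ssh_ok and the interface name come from the thread.
    """
    if not knocks:
        raise ValueError("at least one knock is required")
    lines = ["/ip firewall filter"]
    previous = None
    for i, k in enumerate(knocks, start=1):
        if k.proto not in ("udp", "tcp"):
            raise ValueError(f"unsupported protocol {k.proto!r}")
        last = i == len(knocks)
        target = final_list if last else f"knock_stage{i}"
        timeout = final_timeout if last else stage_timeout
        # protocol= must be present: without it dst-port cannot be matched.
        rule = (f"add chain=input in-interface={in_interface} "
                f"protocol={k.proto} dst-port={k.port}")
        if previous is not None:
            rule += f" src-address-list={previous}"
        rule += (f" action=add-src-to-address-list address-list={target}"
                 f" address-list-timeout={timeout}"
                 f' comment="knock {i} of {len(knocks)}"')
        lines.append(rule)
        previous = target
    # The accept rule must sit above any rule that drops input to the router.
    lines.append(f"add chain=input in-interface={in_interface} protocol=tcp "
                 f"dst-port={service_port} src-address-list={final_list} "
                 f'action=accept comment="SSH after successful knock"')
    lines.append(f"add chain=input protocol=tcp dst-port={service_port} "
                 f'action=drop comment="drop all other SSH"')
    return lines


def knock(host, knocks, timeout=0.5, gap=0.1):
    """Send the knock sequence to `host` (IPv4) and return how many were sent."""
    sent = 0
    for k in knocks:
        if k.proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                # Payload is irrelevant: the router rule only looks at dst-port.
                s.sendto(b"knock", (host, k.port))
        elif k.proto == "tcp":
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                try:
                    s.connect((host, k.port))
                except OSError:
                    pass  # refused or dropped: the SYN already reached the firewall
        else:
            raise ValueError(f"unsupported protocol {k.proto!r}")
        sent += 1
        if gap:
            time.sleep(gap)  # keep the knocks in order on the wire
    return sent


if __name__ == "__main__":
    sequence = [Knock("udp", 2021), Knock("udp", 2022), Knock("udp", 2023)]
    print("\n".join(routeros_knock_rules(sequence)))
    # knock("192.0.2.1", sequence)  # then: ssh user@192.0.2.1
```

A single-port knock, as asked for above, is just a one-element sequence: routeros_knock_rules([Knock("udp", 2031)]) yields one add-src-to-address-list rule straight into ssh_ok plus the accept and drop rules. One caveat worth knowing: the cascade as generated does not reset a source that knocks a wrong port in between, so a sequential port scan that happens to hit the knock ports in increasing order within the stage timeout can still complete it; a reset rule that removes the source from the stage lists on any other input is the usual fix.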
tneumann took the words out of my mind!
Yes, I tried with TCP before and it doesn't work.
Is it correct to use "telnet mk_ip port" to activate knocking? I think this is my problem.
Thanks to all.