Portknock scripting

Good day,
So I want to run a script that almost listens(?) for a port knock on the log (yet to be added, if possible).
But I'm having problems getting my find-comment-then-remove to work. What's wrong with my script?

:local "address-list" "Knocked-LO"
:local "address-list" "Kick-lo"

:local "Kick-lo" [/ip firewall get [/ip firewall address-list find list="Knocked-LO"]]

:if ([/ip firewall address-list find list=$"Kick-lo"] = "") do={
    [/ip firewall address-list remove [/ip firewall address-list find list="Knocked-LO"]]
} else={
    :log warning "no ones there"
}
:log warning "kicked all current added IPS"

Thanks

So I've got it working; however,
how do I get it to do nothing when it can't find "Kick-lo"?

# names of the two address lists the script works on
:local knockedList "Knocked-LO"
:local kickList "Kick-lo"

# only act when at least one entry is on Kick-lo; an empty find result means do nothing
:if ([:len [/ip firewall address-list find list=$kickList]] > 0) do={
    /ip firewall address-list remove [find list=$knockedList]
    /ip firewall address-list remove [find list=$kickList]
    :log warning "kicked all current added IPs"
} else={
    :log warning "no ones there"
}

Why do you want to almost listen for a port knock?

I have implemented port knocking successfully and love it!

It is all done in the firewall rules, no scripts…

Would you care to share the details so others could benefit/learn?

I require 3 knocks to access the router.
Example:
knock1 = 20000
knock2 = 30000
knock3 = 10000
Most port scanners scan from 1 to 65535. That is why I require 2 knocks going up and then 1 knock below them, all within 3 seconds.

This requires 3 Firewall Filter Rules:

  1. add action=add-src-to-address-list address-list=Knock1 address-list-timeout=3s chain=input comment=Knock1 dst-port=30000 protocol=tcp
  2. add action=add-src-to-address-list address-list=Knock2 address-list-timeout=3s chain=input comment=Knock2 dst-port=50000 protocol=tcp src-address-list=Knock1
  3. add action=add-src-to-address-list address-list=Safe address-list-timeout=12h chain=input comment="Add to Safe" dst-port=10000 protocol=tcp src-address-list=Knock2

Then, on the Firewall NAT rules where you want to deny access except after a successful knock, you add src-address-list=Safe.
Example:
add action=dst-nat chain=dstnat comment="RDP in to .200 with Knock" dst-port=3389 in-interface=ether1-WAN protocol=tcp src-address-list=Safe to-addresses=192.168.1.200 to-ports=3389

I hope this helps!
Kevin
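Kevin's three-rule sequence, modelled as an added Python simulation (not RouterOS code and not from anyone in this thread): each address list is a map of source to expiry time, every packet is checked against the rules in order, and a few constructed traffic patterns show that only the up-up-down sequence inside the 3 s windows reaches Safe, while both an ascending and a descending full port sweep never do. The client address and packet rates are constructed.

```python
# Address-list state: list name -> {source address: expiry time (seconds)}.
# Rules as (dst_port, src-address-list required, list to add to, timeout in s),
# mirroring the three input-chain filter rules in the post above.
KNOCK_RULES = [
    (30000, None, "Knock1", 3),
    (50000, "Knock1", "Knock2", 3),
    (10000, "Knock2", "Safe", 12 * 3600),
]

def listed(lists, name, src, now):
    """True if src is on address list `name` at time `now` and not yet expired."""
    expiry = lists.get(name, {}).get(src)
    return expiry is not None and expiry > now

def process_packet(lists, now, src, dst_port):
    """Apply the rules to one packet; return the list src was added to, or None."""
    # Each rule keys on a different port, so at most one rule applies per packet.
    for port, required, target, timeout in KNOCK_RULES:
        if dst_port == port and (required is None or listed(lists, required, src, now)):
            lists.setdefault(target, {})[src] = now + timeout
            return target
    return None

def run(packets):
    """Feed (time, src, dst_port) tuples through the rules; return the lists."""
    lists = {}
    for now, src, dst_port in packets:
        process_packet(lists, now, src, dst_port)
    return lists

def is_safe(packets, src, now):
    """Would src be on the Safe list at time `now` after sending `packets`?"""
    return listed(run(packets), "Safe", src, now)

def port_sweep(src, ports, pps):
    """Constructed scanner traffic: the given ports, in order, at pps packets/second."""
    return [(i / pps, src, p) for i, p in enumerate(ports)]

if __name__ == "__main__":
    c = "203.0.113.7"  # constructed client address
    knock = [(0.0, c, 30000), (1.0, c, 50000), (2.0, c, 10000)]
    late = [(0.0, c, 30000), (4.0, c, 50000), (5.0, c, 10000)]
    print("knock in time:", is_safe(knock, c, 2.5), "late:", is_safe(late, c, 6.0))
    print("ascending sweep:", is_safe(port_sweep(c, range(1, 65536), 1e5), c, 0.7),
          "descending:", is_safe(port_sweep(c, range(65535, 0, -1), 1e5), c, 0.7))
```

The sweeps fail for different reasons: going up, port 10000 is hit before Knock2 exists; going down, port 50000 is hit before Knock1 exists.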

Thanks for sharing!

Whoops, I think I gave up on this and forgot I started this thread. Anyway,

What I want to do is this: when I port knock (say it's called kick-on-knock) on a different port, e.g. 1234, and that port has been knocked, I want it to run a script that deletes any existing established connections with the name "Knocked-LO" on the address list; then it will expire after, say, 1 or 2 seconds (1234).