Squire
just joined
Topic Author
Posts: 22
Joined: Fri Dec 15, 2017 3:04 pm

Portknock scripting

Fri Dec 15, 2017 5:27 pm

Good day,
So I want to run a script that almost listens(?) for a port knock on the log (yet to be added, if possible).
But I'm having problems getting my find-comment-then-remove to work. What's wrong with my script?
:local "address-list" "Knocked-LO"
:local "address-list" "Kick-lo"

:local "Kick-lo" [ /ip  firewall get [/ip firewall address-list find list="Knocked-LO"]]

:if ( [/ip firewall address-list find list=$"Kick-lo" ] = "" ) do={
 [/ip firewall address-list remove [/ip  firewall address-list find list="Knocked-LO"]]
} else={
:log warning "no ones there"
}
:log warning "kicked all current added IPS"
Thanks
 
Squire
just joined
Topic Author
Posts: 22
Joined: Fri Dec 15, 2017 3:04 pm

Re: Portknock scripting

Mon Dec 18, 2017 9:52 am

So I've got it working; however,
how do I get it to do nothing when it can't find "Kick-lo"?
# Names of the two address lists; plain identifiers avoid the $"quoted-name" syntax
:local knockedList "Knocked-LO"
:local kickList "Kick-lo"

# Only act when someone has knocked the kick port, i.e. Kick-lo has at least one entry.
# find returns an array, so test its length; when the list is empty the script does nothing.
:if ([:len [/ip firewall address-list find list=$kickList]] > 0) do={
    /ip firewall address-list remove [find list=$knockedList]
    /ip firewall address-list remove [find list=$kickList]
    :log warning "kicked all current added IPs"
}
 
kw12157
just joined
Posts: 6
Joined: Sun Dec 24, 2017 10:05 pm

Re: Portknock scripting

Thu Dec 28, 2017 1:10 am

Why do you want to almost listen for a port knock?

I have implemented port knocking successfully and love it!

It is all done in the firewall rules, no scripts...
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Portknock scripting

Sun Dec 31, 2017 4:36 pm

> Why do you want to almost listen for a port knock?
>
> I have implemented port knocking successfully and love it!
>
> It is all done in the firewall rules, no scripts...
Would you care to share the details so others could benefit/learn?
 
kw12157
just joined
Posts: 6
Joined: Sun Dec 24, 2017 10:05 pm

Re: Portknock scripting

Sat Jan 13, 2018 6:36 pm

I require 3 knocks to access the router.
Example:
knock1 = 20000
knock2 = 30000
knock3 = 10000
Most port scanners scan from 1 to 65535. That is why I require 2 knocks going up and then 1 knock below them, all within 3 seconds.

This requires 3 Firewall Filter Rules:
1. add action=add-src-to-address-list address-list=Knock1 address-list-timeout=3s \
chain=input comment=Knock1 dst-port=30000 protocol=tcp
2. add action=add-src-to-address-list address-list=Knock2 address-list-timeout=3s \
chain=input comment=Knock2 dst-port=50000 protocol=tcp src-address-list=\
Knock1
3. add action=add-src-to-address-list address-list=Safe address-list-timeout=12h \
chain=input comment="Add to Safe" dst-port=10000 protocol=tcp \
src-address-list=Knock2

Then, on the firewall NAT rules you want to deny access to except after a successful knock, add src-address-list=Safe.
Example:
add action=dst-nat chain=dstnat comment="RDP in to .200 with Knock" dst-port=\
3389 in-interface=ether1-WAN protocol=tcp src-address-list=Safe \
to-addresses=192.168.1.200 to-ports=3389

I hope this helps!
Kevin
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Portknock scripting

Sun Jan 14, 2018 2:22 am

thx for sharing!
 
Squire
just joined
Topic Author
Posts: 22
Joined: Fri Dec 15, 2017 3:04 pm

Re: Portknock scripting

Sun Apr 22, 2018 3:33 pm

> Why do you want to almost listen for a port knock?
>
> I have implemented port knocking successfully and love it!
>
> It is all done in the firewall rules, no scripts...
Whoops, I think I gave up on this and forgot I started this thread. Anyway,

What I want to do is: when I port knock on a specific port, say 1234 (call it kick-on-knock), the knock runs a script that deletes any existing established connections with the name "Knocked-LO" on the address list; the 1234 entry then expires after, say, 1 or 2 seconds.
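The following is an added example, not code from this thread or from MikroTik: a Python simulation of the three add-src-to-address-list rules Kevin posted (30000, then 50000, then 10000, each knock list living 3 s, Safe living 12 h), extended with the kick knock Squire describes. It shows why a sequence that goes up twice and then down defeats a linear 1..65535 sweep in either direction, and why a correct sequence typed too slowly fails. Assumptions: the kick port is 1234 with a 2 s list timeout and it purges the Safe list (standing in for Squire's Knocked-LO); the IP addresses, timings and the scan speed are constructed sample data; a matching add-src-to-address-list rule does not stop rule processing, and re-adding an entry refreshes its timeout, as RouterOS does.

```python
"""Simulation of a RouterOS address-list port-knock chain (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Packet = Tuple[str, int, float]  # (source ip, destination port, time in seconds)


@dataclass(frozen=True)
class Rule:
    dst_port: int
    add_to: str                      # address-list= in the firewall rule
    timeout: float                   # address-list-timeout= in seconds
    requires: Optional[str] = None   # src-address-list= the source must already be in
    clears: Tuple[str, ...] = ()     # lists purged by the kick script (assumption)


class AddressLists:
    """Dynamic address lists keyed by name; each entry stores its expiry time."""

    def __init__(self) -> None:
        self._lists: Dict[str, Dict[str, float]] = {}

    def contains(self, name: str, ip: str, now: float) -> bool:
        expiry = self._lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def add(self, name: str, ip: str, now: float, timeout: float) -> None:
        # Re-adding an existing entry refreshes its timeout.
        self._lists.setdefault(name, {})[ip] = now + timeout

    def clear(self, name: str) -> None:
        self._lists.pop(name, None)


# The three filter rules from the thread plus an assumed kick knock on 1234.
KNOCK_RULES: List[Rule] = [
    Rule(dst_port=30000, add_to="Knock1", timeout=3),
    Rule(dst_port=50000, add_to="Knock2", timeout=3, requires="Knock1"),
    Rule(dst_port=10000, add_to="Safe", timeout=12 * 3600, requires="Knock2"),
    Rule(dst_port=1234, add_to="Kick-lo", timeout=2, clears=("Safe",)),
]


def apply_rules(lists: AddressLists, pkt: Packet, rules: List[Rule] = KNOCK_RULES) -> List[str]:
    """Evaluate every rule against one packet; returns the lists that were touched."""
    ip, port, now = pkt
    touched: List[str] = []
    for rule in rules:
        if rule.dst_port != port:
            continue
        if rule.requires and not lists.contains(rule.requires, ip, now):
            continue  # src-address-list did not match (entry missing or expired)
        lists.add(rule.add_to, ip, now, rule.timeout)
        for name in rule.clears:
            lists.clear(name)
        touched.append(rule.add_to)
    return touched


def replay(packets: List[Packet]) -> AddressLists:
    """Feed packets through the rules in time order and return the resulting lists."""
    lists = AddressLists()
    for pkt in sorted(packets, key=lambda p: p[2]):
        apply_rules(lists, pkt)
    return lists


def is_safe_after(packets: List[Packet], ip: str, at: float) -> bool:
    """True if `ip` is in the Safe list at time `at` after replaying `packets`."""
    return replay(packets).contains("Safe", ip, at)


def knock_sequence(ip: str, start: float, gap: float) -> List[Packet]:
    """The correct three-knock sequence with `gap` seconds between knocks."""
    return [(ip, 30000, start), (ip, 50000, start + gap), (ip, 10000, start + 2 * gap)]


def port_scan(ip: str, ascending: bool, per_port: float = 0.00001) -> List[Packet]:
    """A full 1..65535 sweep (up or down), fast enough to fit inside the 3 s window."""
    ports = range(1, 65536) if ascending else range(65535, 0, -1)
    return [(ip, p, i * per_port) for i, p in enumerate(ports)]


if __name__ == "__main__":
    legit = knock_sequence("198.51.100.7", 0.0, 1.0)
    print("correct sequence:", is_safe_after(legit, "198.51.100.7", 2.5))
    print("too slow:", is_safe_after(knock_sequence("198.51.100.7", 0.0, 4.0), "198.51.100.7", 9.0))
    print("ascending scan:", is_safe_after(port_scan("203.0.113.9", True), "203.0.113.9", 1.0))
    print("descending scan:", is_safe_after(port_scan("203.0.113.9", False), "203.0.113.9", 1.0))
    kicked = legit + [("198.51.100.7", 1234, 10.0)]
    print("after kick knock:", is_safe_after(kicked, "198.51.100.7", 11.0))
```

The ascending sweep reaches 10000 before it has ever been in Knock2, and the descending sweep reaches 50000 before it is in Knock1, so neither ends up in Safe even though every port is hit within the 3 s window; only the ordered sequence does. The same model shows the kick knock emptying Safe immediately, which is the behaviour the script in the second post is meant to trigger.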
