SA0BJW
just joined
Topic Author
Posts: 18
Joined: Sun Jul 07, 2013 12:51 am

Portknocking by script.

Thu Oct 06, 2016 9:48 pm

Hi!

I have a mAP Lite router. Nice little thing! I want it to automagically connect to my (Mikrotik!! ) router and establish a VPN tunnel after booting the mAP Lite. But I want to conduct a port knocking sequence to first open up firewall rules for VPN connection before setting up the VPN tunnel.

Is it possible by scripting in routerOS to make a port knock sequence?

/SA0BJW
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: Portknocking by script.

Thu Oct 06, 2016 10:05 pm

On the router side, you make a set of rules that add the matching SRC address to a list:
e.g.:
/ip firewall filter
add chain=input protocol=tcp dst-port=9999 action=add-src-to-address-list address-list=phase1 address-list-timeout=2s
add chain=input protocol=tcp dst-port=12345 src-address-list=phase1 action=add-src-to-address-list address-list=phase2 address-list-timeout=2s
etc...
where the last one adds the src to the list with a longer timeout period, like 5 minutes or something, during which the successful src IP may create new connections to the router.
I have an accept all established,related rule which will keep the connections open even after the knock expires. If I need to open a new connection after that, I must knock again.

As for the mikrotik being the source - I'm not sure if you can generate arbitrary packets on arbitrary ports with ROS (but I could be wrong - it has quite a nice tool set)
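A constructed model of the staged address-list rules described above, added here as an illustration and not code from the thread: it replays timed knocks against the stage lists and checks whether a later connection would be accepted. The three stage ports, the third stage and the 5-minute final timeout are assumptions drawn from the post's description.

```python
from dataclasses import dataclass, field

# Constructed model of the staged knock rules: a knock on STAGE_PORTS[i] from a
# source already in stage i-1 adds it to stage i. Only the last stage (the long
# timeout) lets the source open new connections. Ports and timeouts are assumed.
STAGE_PORTS = [9999, 12345, 31337]
STAGE_TIMEOUTS = [2.0, 2.0, 300.0]   # seconds: 2s per knock stage, 5 min once open
FINAL = len(STAGE_PORTS) - 1


@dataclass
class KnockFirewall:
    # stage index -> {src_ip: expiry time}, like RouterOS dynamic address lists
    lists: dict = field(default_factory=dict)

    def in_list(self, stage: int, src: str, now: float) -> bool:
        expiry = self.lists.get(stage, {}).get(src)
        return expiry is not None and expiry > now

    def input_packet(self, src: str, dst_port: int, now: float) -> bool:
        """Evaluate one new-connection packet in the input chain.

        Returns True if the source is in the final list (connection accepted).
        Knock packets are never accepted themselves; they only advance the
        source one stage when they arrive in order and before the previous
        stage entry has timed out.
        """
        if self.in_list(FINAL, src, now):
            return True
        for stage, port in enumerate(STAGE_PORTS):
            if dst_port != port:
                continue
            if stage == 0 or self.in_list(stage - 1, src, now):
                self.lists.setdefault(stage, {})[src] = now + STAGE_TIMEOUTS[stage]
            break
        return False


def knock_then_connect(knocks, connect_at, src="198.51.100.7", service_port=22):
    """Replay (time, dst_port) knocks from a constructed source address and
    report whether a connection to service_port at connect_at is accepted."""
    fw = KnockFirewall()
    for t, port in knocks:
        fw.input_packet(src, port, t)
    return fw.input_packet(src, service_port, connect_at)
```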
 
SA0BJW
just joined
Topic Author
Posts: 18
Joined: Sun Jul 07, 2013 12:51 am

Re: Portknocking by script.

Thu Oct 06, 2016 10:14 pm

Thanks for your answer.

I already have the port knocking up 'n' running on the receiving router; it works nicely! It would be very nice if the router could act as a client as well!

/SA0BJW
 
efaden
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Portknocking by script.

Thu Oct 06, 2016 10:16 pm

Hmmm... This is interesting. I have a perl script to do the knock from unix...

I'm curious if you could use the fetch....

What I'm thinking is use fetch to fetch something on a random port... use layer 7 to analyze the address and match it to a secret key....

e.g. fetch http://<YOUR IP>:<PORT 1>/somedata .... then fetch http://<YOUR IP>:<PORT 2>/somedata2 ... use the port knocking via layer 7 rules....

I think it would work.... It's the only way I know of to have the mikrotik generate the knock....
/ip firewall layer7-protocol
add name=knock1 regexp="(GET \\/SOMERANDOMSTRING)"
add name=knock2 regexp="(GET \\/ANOTHERRANDOMSTRING)"

/ip firewall filter
add action=add-src-to-address-list address-list=KnockStage1 address-list-timeout=2m chain=input comment="PortKnock #1" dst-port=9119 in-interface=ether01-gateway layer7-protocol=knock1 protocol=tcp
add action=add-src-to-address-list address-list=KnockStage2 address-list-timeout=2m chain=input comment="PortKnock #2" dst-port=9229 in-interface=ether01-gateway layer7-protocol=knock2 protocol=tcp src-address-list=KnockStage1
add action=accept chain=input comment="PortKnock Allow" in-interface=ether01-gateway src-address-list=KnockStage2

On the script side... would be something like....
/tool fetch host=<DYNIPHOST> src-path=SOMERANDOMSTRING mode=http port=9119 keep-result=no
/tool fetch host=<DYNIPHOST> src-path=ANOTHERRANDOMSTRING mode=http port=9229 keep-result=no
<CODE TO CONNECT VPN>
 
2frogs
Member
Posts: 397
Joined: Fri Dec 03, 2010 1:38 am

Re: Portknocking by script.

Sat Oct 08, 2016 8:05 am

This will leave send errors in your logs, but will work for a port knocker.
/tool e-mail send server=ddns-or-ip-address port=xxxx to=knock
/tool e-mail send server=ddns-or-ip-address port=yyyy to=knock
/tool e-mail send server=ddns-or-ip-address port=zzzz to=knock
 
SA0BJW
just joined
Topic Author
Posts: 18
Joined: Sun Jul 07, 2013 12:51 am

Re: Portknocking by script.

Wed Oct 26, 2016 10:50 pm

Thank you 2frogs for your answer. I have tested it and it works fine! I'm sure the script efaden posted also works; I shall try it out later.

Thanks!!!
 
jo2jo
Forum Veteran
Posts: 924
Joined: Fri May 26, 2006 1:25 am

Re: Portknocking by script.

Sat Oct 13, 2018 4:51 am

/tool fetch host=<DYNIPHOST> src-path=SOMERANDOMSTRING mode=http port=9119 keep-result=no
/tool fetch host=<DYNIPHOST> src-path=ANOTHERRANDOMSTRING mode=http port=9229 keep-result=no

This is a good idea to trigger the dst device of your port-knocking, however be sure to do it like this:

:do {/tool fetch host=<DYNIPHOST> src-path=SOMERANDOMSTRING mode=http port=9119 keep-result=no} on-error={}
:do {/tool fetch host=<DYNIPHOST> src-path=ANOTHERRANDOMSTRING mode=http port=9229 keep-result=no} on-error={}

For some unexplained reason RouterOS scripts just die/halt (with no logged error nor any indication) if any line/command fails or produces an error. Seeing as both of these fetch commands will error out (i.e. run one from the command line directly = "status: failed"), the script will only execute the first line, but not the 2nd (nor anything beyond where the "failed" occurs).
Thus you won't get your port knocking effect since only the first line runs (and will probably waste a lot of time thinking something is wrong with your FW rules or your script).

(This is assuming you are not running an HTTPd server on all the ports you are knocking, which no one is running of course. So as expected /tool fetch mode=http produces "failed" as it can't connect to a valid http server. The unexpected part is that this will kill your script, thus add the :do ... on-error.)
 
nickshore
Member
Posts: 440
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: Portknocking by script.

Sat Oct 13, 2018 11:50 am

You could use a variation on port knocking but using icmp and various packet sizes.

Then the client can use the ping command with the size set to execute the knock.

Hope that helps
Nick
