Hi there,

On Wed, Jan 16, 2013 at 11:08:15PM -0500, jug...@lavabit.com wrote:
[...]
[openSSH]
       sequence    = 7000,8000,9000
       seq_timeout = 5
       command     = /sbin/iptables -A INPUT -I 6 -p tcp --dport 22 -j ACCEPT
       tcpflags    = syn
       cmd_timeout = 25
[...]
[closeSSH]
       sequence    = 9000,8000,7000
       seq_timeout = 5
       command     = /sbin/iptables -D INPUT -p tcp --dport 22 -j ACCEPT
       tcpflags    = syn
[...]
BTW, I have the following line in `iptables':

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

I don't have physical access to the machine. So I decided to keep
the rule and close it from a client:

client$ knock <ip> 9000 8000 7000

Unfortunately, I can still connect to the SSH port.

Did I make a mistake somewhere?

I've spotted that the rules aren't exactly identical, which is required by iptables to delete the rule you want. Lining them all up together:

-A INPUT -I 6 -p tcp --dport 22 -j ACCEPT
-D INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

The -A and -D at the beginning stand for Adding and Deleting a rule, so they do need to be different. However, the rest of the commands clearly aren't identical: while I think "-m tcp" is brought in automatically by "-p tcp" and can be ignored, you're certainly missing the "-m state --state NEW" portion in your config file. So let's try changing the commands in your config file to be:

[openSSH]
...
        command     = /sbin/iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

[closeSSH]
...
        command     = /sbin/iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

These commands match what you've already got in the firewall. If your firewall received that rule on system startup, then knockd's config will continue to be valid across reboots.

Finally, can I suggest that if you don't have physical access, perhaps it's worth testing your setup with something other than the SSH port? For example, if you aren't already running a webserver, install a tiny one and test all the above rules with port 80 instead. Even if the webserver just gives you a 404 error, you'd still know if the firewall rules were working properly.

With the configuration you've provided, you were extremely lucky that the deletion command didn't work; this is because "-A INPUT -I 6" in your addition command is invalid syntax and causes iptables to refuse to do anything. You may have meant "-I INPUT 6" and I have used "-I INPUT" to simplify things further.

Hope this helps,
Andy
--
Dr Andrew Alderwick


Archive: http://lists.debian.org/20130117070139.ga23...@alderwick.co.uk
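A small lint for this situation, added here as an example and not part of the thread or of knockd itself. It pulls the "command =" line out of the [openSSH] and [closeSSH] sections, strips each iptables command down to its match specification (dropping the binary, the -A/-I/-D operation, the chain, any rule number, and the "-m tcp" that "-p tcp" loads implicitly), and checks that the open and close specs are identical to each other and to the rule as iptables-save prints it. It also flags a command with more than one of -A/-I/-D, which iptables rejects outright. The two configs and the existing rule are constructed copies of what appears in the mail; nothing is executed against a real firewall, so it runs as an ordinary user.

```shell
#!/bin/sh
# Added example: lint knockd open/close commands against each other and
# against the rule already in the firewall. Plain string handling only.

# Constructed sample: the poster's original config. The "-A INPUT -I 6"
# mix is invalid iptables syntax, and the close rule lacks "-m state".
BAD_CONF='[openSSH]
        sequence    = 7000,8000,9000
        seq_timeout = 5
        command     = /sbin/iptables -A INPUT -I 6 -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn
        cmd_timeout = 25
[closeSSH]
        sequence    = 9000,8000,7000
        seq_timeout = 5
        command     = /sbin/iptables -D INPUT -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn'

# Constructed sample: the corrected config suggested in the reply.
GOOD_CONF='[openSSH]
        sequence    = 7000,8000,9000
        seq_timeout = 5
        command     = /sbin/iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
        tcpflags    = syn
        cmd_timeout = 25
[closeSSH]
        sequence    = 9000,8000,7000
        seq_timeout = 5
        command     = /sbin/iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
        tcpflags    = syn'

# The rule already in the chain, in the form iptables-save prints it.
EXISTING_RULE='-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'

# knockd_cmd CONF SECTION: print the "command =" value of [SECTION].
knockd_cmd() {
    printf '%s\n' "$1" | awk -v sec="[$2]" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && $1 == "command" {
            sub(/^[ \t]*command[ \t]*=[ \t]*/, ""); print; exit }'
}

# iptables_spec CMD: reduce a command to its match/target part. The binary,
# the -A/-I/-D operation, the chain and a rule number are dropped; so is
# "-m tcp", because "-p tcp" loads the tcp match module on its own.
iptables_spec() {
    printf '%s\n' "$1" | sed -E \
        -e 's/^([^ ]*\/)?iptables +//' \
        -e 's/^-[AID] +[^ ]+ +//' \
        -e 's/^[0-9]+ +//' \
        -e 's/-m tcp //g' \
        -e 's/  +/ /g'
}

# iptables_ops CMD: number of -A/-I/-D flags present. Anything but exactly
# one is rejected by iptables, which is why the poster's open rule was
# never added in the first place.
iptables_ops() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -c -E '^-[AID]$' || true
}

# knockd_check CONF EXISTING_RULE: succeed only if the open command is a
# single -A/-I, the close command is a single -D, and all three match
# specifications are identical. Each problem is reported on stderr.
knockd_check() {
    open=$(knockd_cmd "$1" openSSH)
    close=$(knockd_cmd "$1" closeSSH)
    status=0
    if [ "$(iptables_ops "$open")" != 1 ]; then
        echo "openSSH: expected exactly one of -A/-I: $open" >&2; status=1
    fi
    case "$close" in
        *" -D "*) ;;
        *) echo "closeSSH: command does not use -D: $close" >&2; status=1 ;;
    esac
    if [ "$(iptables_ops "$close")" != 1 ]; then
        echo "closeSSH: expected exactly one -D: $close" >&2; status=1
    fi
    ospec=$(iptables_spec "$open")
    cspec=$(iptables_spec "$close")
    espec=$(iptables_spec "$2")
    if [ "$ospec" != "$cspec" ]; then
        echo "open/close rules differ, -D will not find the rule:" >&2
        echo "  open : $ospec" >&2
        echo "  close: $cspec" >&2
        status=1
    fi
    if [ "$ospec" != "$espec" ]; then
        echo "open rule differs from the rule already in the chain:" >&2
        echo "  open    : $ospec" >&2
        echo "  existing: $espec" >&2
        status=1
    fi
    return $status
}

# Stand-alone run: report on both constructed configs.
if knockd_check "$BAD_CONF" "$EXISTING_RULE"; then
    echo "poster's config: OK"
else
    echo "poster's config: problems found"
fi
if knockd_check "$GOOD_CONF" "$EXISTING_RULE"; then
    echo "corrected config: OK"
else
    echo "corrected config: problems found"
fi
```

Run it as-is to see the two reports, or source it and call knockd_check "$(cat /etc/knockd.conf)" "$(iptables-save | grep -- '--dport 22')" on a real host. The comparison is deliberately textual: iptables treats "-m tcp --dport 22" and "--dport 22" after "-p tcp" as the same rule, but any other difference in options or their order makes -D fail to find the rule, exactly as happened in the thread.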