Bekijk de volledige versie : knockd on WL-700gE and iptables

06-06-2007, 19:32
Hi, have anyone got knockd to work successfully?
I would like to do the following:
1. Disable ftp permanently via iptables
2. use knockd to enable ftp via iptables

Can anyone help me to describe how I should do this?

I have done a few tries with iptables but the router has ftp on by default even though its disabled within GUI on the shares.

Is there a way to use post-firewall with the 700gE?
I have tried to create the /usr/local/sbin catalog but have not permissions to write there, so should the post-firewall be elsewhere?

07-06-2007, 15:47
Get the package:
ipkg install knock

Then add to your rc.local:
# Modify Firewall
iptables -D INPUT -d -j ACCEPT -p tcp --dport 8081
iptables -D INPUT -j ACCEPT -p tcp --dport 21 -d my.fixed.i.p.
# Start knockd
/opt/bin/knockd -d -c /opt/etc/knockd.conf -i ppp0

This is my example for ssh, other ports are not open in my configuration because i don't trust ftp security. The knockd is just a way to stop people hammering my box.

this is my /opt/etc/knockd.conf

sequence = your, sequence, here
seq_timeout = 5
tcpflags = syn
start_command = /usr/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
cmd_timeout = 25
stop_command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

This opens access only to the knocking ip and closes access for new logins after 25 seconds.

Works fine:)

07-06-2007, 22:03
Thnx! Got it to work...

08-06-2007, 08:35
I am interested also, but where is this for:

# Modify Firewall
iptables -D INPUT -d -j ACCEPT -p tcp --dport 8081
iptables -D INPUT -j ACCEPT -p tcp --dport 21 -d my.fixed.i.p.


PS: what does knockd exactly do?

08-06-2007, 08:42
.... and how do i use this:

sequence = your, sequence, here


08-06-2007, 12:15
Hi Sollie, information about knockd: http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki also client software for the "knocking" part.

In short it opens ports of your choice if you "knock" the right sequence on ports either udp or tcp. This prevents bruteforcing because the ports are closed to everyone else. Sequence is ports to be knocked on in the right way, example: sequence = 2222:udp,3333:tcp,4444:udp

The iptable rows is for deleting the default iptable entries setting in router, knockd opens it when necessary on the right "knock" so it needs to be closed from start.

The iptables -D INPUT -d -j ACCEPT -p tcp --dport 8081 deletes the port 8081 access which shut downs the webtraffic (i dont use this) and the iptables -D INPUT -j ACCEPT -p tcp --dport 21 -d my.fixed.i.p. removes the possibility to access ftp from external address (my.fixed.i.p)

Hope this helps!


08-06-2007, 12:17
PS: what does knockd exactly do?


A port-knock server that listens to all traffic on a given network interface (only Ethernet and PPP are currently supported), looking for a special "knock" sequences of port-hits. A remote system makes these port-hits by sending a TCP (or UDP) packet to a port on the server. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.

08-06-2007, 13:07
Thanks, i will install it right away. Ik like this for my ssh, ftp, daapd etc.