Tuesday, October 14, 2014

Solution to Knockd won't work / open port in iptables

I struggled to get port knocking with knockd working on my Ubuntu 14.04 VPS. I read and followed a lot of instructions, Ubuntu's among them, but nothing seemed to help.

I checked my knockd log at /var/log/knockd.log, and the configuration for triggering the knockd commands seemed to work, but I always ended up with "command returned non-zero status code (a number)".

So I figured out that it had something to do with the start_command and stop_command not doing their job correctly. Everywhere I read that you were "supposed to" control iptables with something like
start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
if, say, you wanted to open up the default SSH port 22. But that didn't work for me.
The first thing I did was check whether /sbin/iptables even existed, and it didn't. No wonder nothing happened with my iptables configuration...

So one solution for me was to create two shell scripts that configure iptables. Both take the knocking host's address as their first argument, which knockd fills in through %IP%.
I created knock-open.sh containing this:
#!/bin/sh
# $1 is the knocking host's IP (from knockd's %IP%); insert the ACCEPT at the top of INPUT so it wins over any DROP below it
iptables -I INPUT 1 -s "$1" -p tcp -m tcp --dport 22 -j ACCEPT
Then I created knock-close.sh, which deletes the rule with the same match:
#!/bin/sh
# must match the rule added by knock-open.sh exactly, otherwise -D finds nothing and returns non-zero
iptables -D INPUT -s "$1" -p tcp -m tcp --dport 22 -j ACCEPT
And in my knockd.conf file (/etc/knockd.conf) I configured it like this:
[options] 
logfile = /var/log/knockd.log 
[SSH] 
sequence      = 1212:udp,3861:tcp,8721:udp 
seq_timeout   = 5 
tcpflags      = syn 
start_command = sh /var/scripts/knock-open.sh %IP% 
cmd_timeout   = 20 
stop_command  = sh /var/scripts/knock-close.sh %IP%
So this did the trick for me. After restarting the daemon (service knockd restart) and knocking the sequence of ports, iptables was configured correctly and working with knockd.
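The following is a hardened single-script version of the two helpers above, added here as an example; it is not the original post's code. It assumes iptables is at /sbin/iptables (overridable through the IPTABLES variable for a dry run), that knockd runs as root so iptables can change the ruleset, and that the script lives at the hypothetical path /var/scripts/knock-rule.sh. It validates the %IP% argument before it reaches the iptables command line, uses -C so a host that knocks twice inside cmd_timeout does not stack duplicate ACCEPT rules, and on close deletes every copy of the rule rather than just one.

```sh
#!/bin/sh
# knock-rule.sh: hardened replacement for knock-open.sh / knock-close.sh.
# Added example, not the original post's scripts.
# Usage (from knockd.conf):
#   start_command = /var/scripts/knock-rule.sh open %IP%
#   stop_command  = /var/scripts/knock-rule.sh close %IP%
# Assumptions: iptables lives at /sbin/iptables (override with IPTABLES= for a
# dry run) and knockd runs as root, since changing rules needs CAP_NET_ADMIN.

IPTABLES="${IPTABLES:-/sbin/iptables}"   # absolute path: the daemon's PATH may be minimal
PORT="${KNOCK_PORT:-22}"

# Accept only a dotted-quad IPv4 address. knockd fills in %IP% itself, but the
# script still refuses anything that is not an address before it is placed on
# an iptables command line. Runs in a subshell so the IFS change stays local.
valid_ipv4() (
    case "$1" in
        ""|*[!0-9.]*) exit 1 ;;          # empty, or a non-digit/non-dot character
    esac
    IFS=.
    set -- $1                             # split into octets
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# The same match is used for insert (-I), check (-C) and delete (-D), so close
# removes exactly the rule that open added.
rule_present() {
    "$IPTABLES" -C INPUT -s "$1" -p tcp -m tcp --dport "$PORT" -j ACCEPT 2>/dev/null
}

knock_open() {
    valid_ipv4 "$1" || { echo "knock-rule: refusing address '$1'" >&2; return 2; }
    # Do not stack duplicates when the same host knocks again inside cmd_timeout.
    rule_present "$1" && return 0
    "$IPTABLES" -I INPUT 1 -s "$1" -p tcp -m tcp --dport "$PORT" -j ACCEPT
}

knock_close() {
    valid_ipv4 "$1" || { echo "knock-rule: refusing address '$1'" >&2; return 2; }
    # Delete every copy, so the host is fully closed even if an older open
    # script left duplicates behind.
    while rule_present "$1"; do
        "$IPTABLES" -D INPUT -s "$1" -p tcp -m tcp --dport "$PORT" -j ACCEPT || return 1
    done
    return 0
}

case "${1:-}" in
    open)  knock_open "$2" ;;
    close) knock_close "$2" ;;
    "")    ;;    # no arguments: only define the functions (lets the file be sourced)
    *)     echo "usage: $0 open|close <ipv4>" >&2; exit 64 ;;
esac
```

Two things to keep in mind when wiring this into the knockd.conf above: stop_command runs cmd_timeout seconds (20 in that config) after the knock, so the SSH session has to be established inside that window, and it only survives the close if an earlier INPUT rule accepts established traffic (for example `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`). And the knock only achieves anything if port 22 is otherwise dropped or rejected; with a default ACCEPT policy on INPUT the added rule changes nothing.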

I hope this solution helps someone out there who's struggling with knockd and iptables.
