List Archive: gentoo-security
To: <gentoo-security@g.o>
From: "Jeff Gercken" <JeffG@...>
Subject: RE: port knocking
Date: Thu, 20 Oct 2005 15:42:38 -0400
My versions of gateway portknocking:

First script:
If you log in w/ ssh (pki only) from the wireless segment
(, an entry for your IP address is added to iptables.
When you log out, the entry is removed.  I know it's ugly but it works
well.  If the script is restarted any existing iptables entries will
obviously get orphaned.  This only works because there is no dns
resolution for the wireless segment, otherwise `who` will resolve the
addresses and bad things will happen.

#! /usr/bin/env python
import string,os,time
# Dictionary value explanation (key is IP)
# I= insert into iptables, user logged in
# D= delete from iptables, user disconnected
# L= don't do anything, user is still logged in
master={}
while (1):
    for i in master.keys():
        master[i]="D"  # First assume everybody left
    # IPs of everyone currently logged in from the wireless segment;
    # raw string so sed receives \( and \1 instead of Python escapes
    loggedIn=os.popen(r"who | grep 192.168.33 | sed 's/.*(\(.*\))/\1/g' | sort -u")
    for i in loggedIn.readlines():
        i=i.strip()  # drop the newline, or it ends up inside the iptables command
        if master.has_key(i):
            master[i]="L" # leave this IP in iptables (change "D" value)
        else: master[i]="I" # insert this IP in iptables (new key)
    for i in master.keys():
        if master[i] == 'L':
            print 'ignoring IP: '+i
        elif master[i] == 'I':
            print 'new IP: '+i
            # rule target was cut off in the archive; ACCEPT assumed from the script's purpose
            os.popen("/sbin/iptables -I FORWARD -p all -s "+i+" -j ACCEPT")
        elif master[i] == 'D':
            print 'removing IP: '+i
            os.popen("/sbin/iptables -D FORWARD -p all -s "+i+" -j ACCEPT")
            del master[i]  # forget it, or it would be "removed" again every pass
    time.sleep(5)  # poll interval; not preserved in the archive

Second Script:
This script is a bit more complicated.  An entry is added to iptables to
match icmp traffic to and log it.  Syslog-ng will filter The
trigger in this script is and your mac address (grepped from
arp -a) is added to the iptables leaf wireless2net (I use shorewall).

#!/bin/env python
# filename: /usr/sbin/
import os,time
# MACs already granted access (key is MAC, value is the IP it was seen from);
# the loop below relies on it, so it has to exist before the loop starts
master={}
print "Flush the iptables chain or create it if it doesn't exist"
a=os.popen('/sbin/iptables -F wless_portknock || /sbin/iptables -N wless_portknock')
print "Check to see if chain is included in wireless2net chain"
if os.popen('/sbin/iptables -L wireless2net | grep wless_portknock').readlines()==[]:
    os.popen('/sbin/iptables -I wireless2net 2 -j wless_portknock')

print 'starting loop'
while (1):
    # SRC= values logged today by syslog-ng (see the f_portknock filter)
    for r in os.popen('grep "`/usr/bin/date +"%b %e"`" /var/log/portknock | cut -d " " -f8 | cut -d "=" -f2 | sort').readlines():
        r=r.strip()  # drop the newline before reusing the value in a shell command
        if len(r)==0:continue
        # MAC for that IP from the arp cache; "(ip)" so 192.168.33.1 does not also match .17
        i=os.popen('arp -an | grep "('+r+')" | cut -d " " -f4').readline().strip()
        if len(i)==0 or i=='<incomplete>':continue  # no usable arp entry yet
        if master.has_key(i):continue
        print 'adding mac '+i+' which belongs to IP '+r
        a3=os.popen("/sbin/iptables -I wless_portknock -p all -j ACCEPT -m mac --mac-source "+i)
        master[i]=r
    time.sleep(5)  # poll interval; not preserved in the archive

The relevant entry in the shorewall rules file

ACCEPT:info:pnoc        wireless        net:

The relevant parts of syslog-ng.conf

destination portknock { file("/var/log/portknock"); };
filter f_portknock { match ("Shorewall:wireless2net:ACCEPT"); };
log { source(src); filter(f_portknock); destination(portknock); };

I tried to use tagging but the field gets truncated so syslog-ng never
sees it.

At midnight cron runs the following reset script:

echo > /var/log/portknock
kill `pgrep -f`
python /usr/sbin/

Like I said, it's complicated.  Don't forget to touch /var/log/portknock


-----Original Message-----
From: boger [mailto:boger@...] 
Sent: Tuesday, October 11, 2005 2:00 PM
To: gentoo-security@g.o
Subject: [gentoo-security] port knocking

This is the result of last week's discussion about port knockers.
It's my second bash script (first is my firewall), so any feedback will
be appreciated ;) 

usage: ./ <config file name> del Path to config file is
constant in
 del - is optional, simply deletes target chain 

script has no limits on knock sequences, and demands stateful filtering
enabled ipt -i $IF_INET -A INPUT -m state --state RELATED,ESTABLISHED -j
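An added example, not code from either post, written for a current Python 3 with constructed sample log and arp data: it shows the log-to-MAC step of the second script with the SRC= field parsed by key instead of a positional cut, a check that the knocking address actually lies in the wireless segment, and the iptables command assembled as an argument list so no value taken from the log or arp cache passes through a shell. The chain and segment names are the ones from the post; the sample lines are made up.

```python
import ipaddress
import re

# Constructed sample data, not captured from the poster's gateway: netfilter style
# "KEY=value" lines as syslog-ng writes them to /var/log/portknock, plus `arp -an` output.
SAMPLE_LOG = """\
Oct 20 15:40:01 gw kernel: Shorewall:wireless2net:ACCEPT:IN=wlan0 OUT=eth0 SRC=192.168.33.17 DST=10.0.0.1 PROTO=ICMP TYPE=8
Oct 20 15:40:02 gw kernel: Shorewall:wireless2net:ACCEPT:IN=wlan0 OUT=eth0 SRC=192.168.33.17 DST=10.0.0.1 PROTO=ICMP TYPE=8
Oct 20 15:41:10 gw kernel: Shorewall:wireless2net:ACCEPT:IN=eth0 OUT=wlan0 SRC=10.9.9.9 DST=192.168.33.17 PROTO=ICMP TYPE=0
Oct 20 15:42:00 gw kernel: Shorewall:net2wireless:DROP:IN=eth0 OUT=wlan0 SRC=192.168.33.44 DST=10.0.0.1 PROTO=TCP
"""
SAMPLE_ARP = """\
? (192.168.33.17) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.33.44) at <incomplete> on wlan0
"""
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

def knock_sources(log_text, segment, tag="Shorewall:wireless2net:ACCEPT"):
    """Distinct SRC addresses of lines carrying `tag` that lie inside `segment`.
    Matching the key replaces the positional `cut -f8`, which silently returns
    the wrong field once the log layout shifts."""
    net = ipaddress.ip_network(segment)
    found = set()
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if tag not in line or not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:  # 999.1.1.1 passes the regex but is not an address
            continue
        if addr in net:
            found.add(m.group(1))
    return sorted(found)

def mac_for(ip, arp_text):
    """MAC for `ip` from `arp -an` output, or None when there is no entry or it is
    <incomplete>. Exact field comparison avoids grep's substring hit of .1 on .17."""
    for line in arp_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "(%s)" % ip:
            mac = fields[3].lower()
            return mac if MAC_RE.match(mac) else None
    return None

def allow_rule(mac, chain="wless_portknock"):
    """argv for the per-MAC ACCEPT rule; pass it to subprocess.run() without a shell."""
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return ["/sbin/iptables", "-I", chain, "-m", "mac", "--mac-source", mac, "-j", "ACCEPT"]
```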

