Gentoo Archives: gentoo-security

From: Jeff Gercken <JeffG@×××××.com>
To: gentoo-security@l.g.o
Subject: RE: [gentoo-security] port knocking
Date: Thu, 20 Oct 2005 19:53:59
My versions of gateway portknocking:

First script:
If you log in w/ ssh (pki only) from the wireless segment
(, an entry for your IP address is added to iptables.
When you log out, the entry is removed.  I know it's ugly but it works
well.  If the script is restarted any existing iptables entries will
obviously get orphaned.  This only works because there is no dns
resolution for the wireless segment, otherwise `who` will resolve the
addresses and bad things will happen.

#! /usr/bin/env python
import os, time

# Dictionary value explanation (key is IP):
#   I = insert into iptables, user logged in
#   D = delete from iptables, user disconnected
#   L = don't do anything, user is still logged in
master = {}
# The iptables target was cut off in the archived message; ACCEPT is assumed
# here, matching the second script.
TARGET = "ACCEPT"
while 1:
    for i in list(master.keys()):
        master[i] = "D"  # First assume everybody left
    # Raw string so sed's \( \) and \1 reach the shell unchanged
    loggedIn = os.popen(r"who | grep 192.168.33 | sed 's/.*(\(.*\))/\1/g' | sort -u")
    for line in loggedIn.readlines():
        i = line.strip()  # drop the newline before the address goes into a command
        if not i:
            continue
        if i in master:
            master[i] = "L"  # leave this IP in iptables (change "D" value)
        else:
            master[i] = "I"  # insert this IP in iptables (new key)
    for i in list(master.keys()):
        if master[i] == 'L':
            print('ignoring IP: ' + i)
        elif master[i] == 'I':
            print('new IP: ' + i)
            os.system("/sbin/iptables -I FORWARD -p all -s " + i + " -j " + TARGET)
        elif master[i] == 'D':
            print('removing IP: ' + i)
            os.system("/sbin/iptables -D FORWARD -p all -s " + i + " -j " + TARGET)
            del master[i]  # forget the address once its rule is gone
    time.sleep(10)  # poll interval (assumed; the message did not show one)

Second Script:
This script is a bit more complicated.  An entry is added to iptables to
match icmp traffic to and log it.  Syslog-ng will filter The
trigger in this script is and your mac address (grepped from
arp -a) is added to the iptables leaf wireless2net (I use shorewall).

#!/usr/bin/env python
# filename: /usr/sbin/
import os, time

master = {}  # MACs already inserted into the chain (missing from the archived copy)

print("Flush the iptables chain or create it if it doesn't exist")
os.system('/sbin/iptables -F wless_portknock || /sbin/iptables -N wless_portknock')
print("Check to see if chain is included in wireless2net chain")
if os.popen('/sbin/iptables -L wireless2net | grep wless_portknock').readlines() == []:
    os.system('/sbin/iptables -I wireless2net 2 -j wless_portknock')

print('starting loop')
while 1:
    # Today's accepted knocks: the "%b %e" date prefix matches syslog's timestamp format
    knocks = os.popen('grep "$(/usr/bin/date +"%b %e")" /var/log/portknock '
                      '| cut -d " " -f8 | cut -d "=" -f2 | sort -u')
    for r in knocks.readlines():
        r = r.strip()
        if len(r) == 0:
            continue
        # Look up the MAC for this address; -w keeps 192.168.33.5 from matching 192.168.33.50
        i = os.popen('arp -an | grep -w ' + r + ' | cut -d " " -f4').readline().strip()
        if not i or i in master:
            continue
        print('adding mac ' + i + ' which belongs to IP ' + r)
        os.system("/sbin/iptables -I wless_portknock -p all -j ACCEPT -m mac --mac-source " + i)
        master[i] = r  # remember it so the rule is inserted only once
    time.sleep(10)  # poll interval (assumed; not shown in the message)

The relevant entry in the shorewall rules file

ACCEPT:info:pnoc        wireless        net:

The relevant parts of syslog-ng.conf

destination portknock { file("/var/log/portknock"); };
filter f_portknock { match ("Shorewall:wireless2net:ACCEPT"); };
log { source(src); filter(f_portknock); destination(portknock); };

I tried to use tagging but the field gets truncated so syslog-ng never
sees it.

At midnight cron runs the following reset script:

echo > /var/log/portknock
kill `pgrep -f`
python /usr/sbin/

Like I said, it's complicated.  Don't forget to touch /var/log/portknock.
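As an added example (not Jeff's code, and not part of the original message): the two ideas above, the log-triggered MAC allow-list of the second script and the insert/leave/delete bookkeeping of the first, as pure Python 3 functions over constructed Shorewall/netfilter log lines, so the logic can be checked without touching iptables. It assumes the standard netfilter log layout (IN= OUT= MAC= SRC= ...), takes the knocker's MAC from the MAC= field instead of an arp lookup, and builds iptables argv lists rather than shell strings.

```python
import re

# Constructed sample log lines (not from the post): two ACCEPTs today, one DROP
# that must be ignored, and an ACCEPT from yesterday that the date filter drops.
SAMPLE_LOG = [
    "Oct 20 19:51:02 gw kernel: Shorewall:wireless2net:ACCEPT:IN=eth1 OUT=eth0 "
    "MAC=00:0c:29:aa:bb:cc:00:16:cb:11:22:33:08:00 SRC=192.168.33.5 DST=10.0.0.1 PROTO=ICMP TYPE=8",
    "Oct 20 19:52:17 gw kernel: Shorewall:wireless2net:ACCEPT:IN=eth1 OUT=eth0 "
    "MAC=00:0c:29:aa:bb:cc:00:16:cb:44:55:66:08:00 SRC=192.168.33.7 DST=10.0.0.1 PROTO=ICMP TYPE=8",
    "Oct 20 19:53:59 gw kernel: Shorewall:wireless2net:DROP:IN=eth1 OUT=eth0 "
    "MAC=00:0c:29:aa:bb:cc:00:16:cb:77:88:99:08:00 SRC=192.168.33.9 DST=10.0.0.1 PROTO=TCP",
    "Oct 19 23:59:58 gw kernel: Shorewall:wireless2net:ACCEPT:IN=eth1 OUT=eth0 "
    "MAC=00:0c:29:aa:bb:cc:00:16:cb:de:ad:00:08:00 SRC=192.168.33.8 DST=10.0.0.1 PROTO=ICMP TYPE=8",
]
TAG = "Shorewall:wireless2net:ACCEPT:"  # the string the syslog-ng filter matches on
KV = re.compile(r"(\w+)=(\S*)")  # netfilter's key=value fields
MAC14 = re.compile(r"^([0-9a-f]{2}:){13}[0-9a-f]{2}$")  # 14 octets: dst MAC, src MAC, ethertype

def parse_knock(line, day):
    """Return (src_ip, src_mac) for an accepted knock logged on `day` (e.g. "Oct 20"), else None."""
    if not line.startswith(day + " ") or TAG not in line:
        return None
    fields = dict(KV.findall(line))
    mac = fields.get("MAC", "")
    if "SRC" not in fields or not MAC14.match(mac):
        return None
    # The knocker's own address is octets 7..12 of the MAC= field (the first six are the gateway's).
    return fields["SRC"], ":".join(mac.split(":")[6:12])

def knockers_today(lines, day):
    """Set of source MACs that knocked on `day`; replaces the grep|cut|cut|sort pipeline."""
    return {hit[1] for hit in (parse_knock(ln, day) for ln in lines) if hit}

def reconcile(allowed, seen):
    """The first script's bookkeeping as a pure function: for every address known
    or seen, decide I (insert rule), L (leave alone) or D (delete rule)."""
    actions = {a: "D" for a in allowed}  # first assume everybody left
    for a in seen:
        actions[a] = "L" if a in allowed else "I"
    return actions

def iptables_argv(actions, chain="wless_portknock"):
    """Build argv lists for the inserts and deletes; passing argv instead of a shell
    string means a stray newline or quote in a field cannot start a second command."""
    cmds = []
    for mac, act in sorted(actions.items()):
        if act in ("I", "D"):
            cmds.append(["/sbin/iptables", "-" + act, chain, "-m", "mac", "--mac-source", mac, "-j", "ACCEPT"])
    return cmds
```

Feed the argv lists to subprocess.run() in place of the os.popen() string concatenation, and the midnight reset becomes a reconcile() against an empty set.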


-----Original Message-----
From: boger [mailto:boger@×××.ru] 
Sent: Tuesday, October 11, 2005 2:00 PM
To: gentoo-security@l.g.o
Subject: [gentoo-security] port knocking

This is the result of last week's discussion about port knockers.
It's my second bash script (the first is my firewall), so any feedback will
be appreciated ;) 

usage: ./ <config file name> del Path to config file is
constant in
 del - is optional, simply deletes target chain 

script has no limits on knock sequences, and demands stateful filtering
enabled ipt -i $IF_INET -A INPUT -m state --state RELATED,ESTABLISHED -j


gentoo-security@g.o mailing list