Portknock scripting

Squire · Fri Dec 15, 2017 5:27 pm

Good day,
So I want to run a script that almost listens(?) for a port knock on the log (yet to be added, if possible)
But I'm having problems getting my find comment then remove to work whats wrong with my script?

:local "address-list" "Knocked-LO"
:local "address-list" "Kick-lo"

:local "Kick-lo" [ /ip  firewall get [/ip firewall address-list find list="Knocked-LO"]]

:if ( [/ip firewall address-list find list=$"Kick-lo" ] = "" ) do={
 [/ip firewall address-list remove [/ip  firewall address-list find list="Knocked-LO"]]
} else={
:log warning "no ones there"
}
:log warning "kicked all current added IPS"

Thanks

Squire · Mon Dec 18, 2017 9:52 am

So I've got it working however,
how do i get it do nothing when it cant find "kick-lo" ?

:local "address-list" "Knocked-LO"
:local "address-list" "Kick-lo"

:if ( 

:if ( [/ip firewall address-list find list=$"Kick-lo" ] = "" ) do={
 [/ip firewall address-list remove [/ip  firewall address-list find list="Knocked-LO"]]
} else={
:log warning "no ones there"
}

:if ( [/ip firewall address-list find list=$"Kick-lo" ] = "" ) do={
 [/ip firewall address-list remove [/ip  firewall address-list find list="Kick-lo"]]
:log warning "kicked all current added IPS"
}

kw12157 · Thu Dec 28, 2017 1:10 am

Why do you want to almost listen for a port knock?

I have implemented port knocking successfully and love it!

It is all done in the firewall rules, no scripts...

sebastia · Sun Dec 31, 2017 4:36 pm

Why do you want to almost listen for a port knock?

I have implemented port knocking successfully and love it!

It is all done in the firewall rules, no scripts...

Would you care to share the details so others could benefit/learn?

kw12157 · Sat Jan 13, 2018 6:36 pm

I require 3 knocks to access the router.
Example:
knock1 = 20000
knock2 = 30000
knock4 = 10000
Most port scanners scan from 1 to 65535. That is why I require 2 knocks going up and then 1 knock below them, all within 3 seconds.

This requires 3 Firewall Filter Rules:
1. add action=add-src-to-address-list address-list=Knock1 address-list-timeout=3s \
chain=input comment=Knock1 dst-port=30000 protocol=tcp
2. add action=add-src-to-address-list address-list=Knock2 address-list-timeout=3s \
chain=input comment=Knock2 dst-port=50000 protocol=tcp src-address-list=\
Knock1
3. add action=add-src-to-address-list address-list=Safe address-list-timeout=12h \
chain=input comment="Add to Safe" dst-port=10000 protocol=tcp \
src-address-list=Knock2

Then on your Firewall NAT rules that you want to deny access except after a successful knocking you add src-address-list=safe
Example:
add action=dst-nat chain=dstnat comment="RDP in to .200 with Knock" dst-port=\
3389 in-interface=ether1-WAN protocol=tcp src-address-list=Safe \
to-addresses=192.168.1.200 to-ports=3389

I hope this helps!
Kevin

sebastia · Sun Jan 14, 2018 2:22 am

thx for sharing!

Squire · Sun Apr 22, 2018 3:33 pm

Why do you want to almost listen for a port knock?

I have implemented port knocking successfully and love it!

It is all done in the firewall rules, no scripts...

whoops think i gave up on this and forgot i started this thread, anyway

What I want to do is when I port knock, say its called (kick-on-knock) on different ports eg, 1234, when that port has been knocked it want it run a script that deletes any existing established connections with name "Knocked-LO" on the address list then it will expire after say 1 or 2 seconds (1234)

Portknock scripting

Portknock scripting

Re: Portknock scripting

Re: Portknock scripting

Re: Portknock scripting

Re: Portknock scripting

Re: Portknock scripting

Re: Portknock scripting