Portknock scripting
Posted: Fri Dec 15, 2017 5:27 pm
by Squire
Good day,
So I want to run a script that almost listens(?) for a port knock on the log (yet to be added, if possible),
but I'm having problems getting my find command, then remove, to work. What's wrong with my script?
:local knockedList "Knocked-LO"
:local kickList "Kick-lo"
# IDs of every live entry in the kick list; an empty array means no knock was seen
:local kickIds [/ip firewall address-list find list=$kickList]
:if ([:len $kickIds] > 0) do={
    # a knock was seen: drop every entry in the Knocked-LO list
    /ip firewall address-list remove [find list=$knockedList]
    :log warning "kicked all currently added IPs"
} else={
    :log warning "no one's there"
}
Thanks
Re: Portknock scripting
Posted: Mon Dec 18, 2017 9:52 am
by Squire
So I've got it working; however,
how do I get it to do nothing when it can't find "Kick-lo"?
:local knockedList "Knocked-LO"
:local kickList "Kick-lo"
# entries in Kick-lo mean a knock was seen; with none, the script does nothing
:if ([:len [/ip firewall address-list find list=$kickList]] > 0) do={
    # drop the knocked-in hosts, then clear the kick marker itself
    /ip firewall address-list remove [find list=$knockedList]
    /ip firewall address-list remove [find list=$kickList]
    :log warning "kicked all currently added IPs"
}
Re: Portknock scripting
Posted: Thu Dec 28, 2017 1:10 am
by kw12157
Why do you want to almost listen for a port knock?
I have implemented port knocking successfully and love it!
It is all done in the firewall rules, no scripts...
Re: Portknock scripting
Posted: Sun Dec 31, 2017 4:36 pm
by sebastia
Why do you want to almost listen for a port knock?
I have implemented port knocking successfully and love it!
It is all done in the firewall rules, no scripts...
Would you care to share the details so others could benefit/learn?
Re: Portknock scripting
Posted: Sat Jan 13, 2018 6:36 pm
by kw12157
I require 3 knocks to access the router.
Example:
knock1 = 20000
knock2 = 30000
knock3 = 10000
Most port scanners scan from 1 to 65535. That is why I require 2 knocks going up and then 1 knock below them, all within 3 seconds.
This requires 3 Firewall Filter Rules:
1. add action=add-src-to-address-list address-list=Knock1 address-list-timeout=3s \
chain=input comment=Knock1 dst-port=30000 protocol=tcp
2. add action=add-src-to-address-list address-list=Knock2 address-list-timeout=3s \
chain=input comment=Knock2 dst-port=50000 protocol=tcp src-address-list=\
Knock1
3. add action=add-src-to-address-list address-list=Safe address-list-timeout=12h \
chain=input comment="Add to Safe" dst-port=10000 protocol=tcp \
src-address-list=Knock2
Then, on the Firewall NAT rules where you want to deny access except after a successful knock, you add src-address-list=Safe
Example:
add action=dst-nat chain=dstnat comment="RDP in to .200 with Knock" dst-port=\
3389 in-interface=ether1-WAN protocol=tcp src-address-list=Safe \
to-addresses=192.168.1.200 to-ports=3389
I hope this helps!
Kevin
Re: Portknock scripting
Posted: Sun Jan 14, 2018 2:22 am
by sebastia
Thanks for sharing!
Re: Portknock scripting
Posted: Sun Apr 22, 2018 3:33 pm
by Squire
Why do you want to almost listen for a port knock?
I have implemented port knocking successfully and love it!
It is all done in the firewall rules, no scripts...
Whoops, I think I gave up on this and forgot I started this thread. Anyway,
what I want to do is: when I port knock on a different port, say it's called (kick-on-knock), e.g. 1234, and that port has been knocked, I want it to run a script that deletes any existing established connections with the name "Knocked-LO" on the address list; then it will expire after, say, 1 or 2 seconds (1234).
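Added example, not code from anyone in this thread: a small Python model of the address-list mechanics behind both kw12157's three-rule knock chain and Squire's "kick-on-knock" idea, replayed over constructed packet traces. RULES mirrors the three filter rules from the post (ports 30000, 50000, 10000 with their timeouts); the fourth rule (port 1234 into a list called Kick-lo for 2 s) and the kick_if_knocked step are assumptions standing in for the script Squire describes. The client address and every trace are made up.

```python
"""Model of RouterOS address-list port knocking plus a kick-on-knock script.

Constructed simulation, not RouterOS code. Rule order does not matter here:
add-src-to-address-list is non-terminating and every rule uses a different port.
"""
from typing import Dict, List, Optional, Tuple

SRC = "203.0.113.7"  # constructed client address

# (required src-address-list or None, dst-port, list to add src to, timeout in s)
RULES: List[Tuple[Optional[str], int, str, float]] = [
    (None, 30000, "Knock1", 3.0),
    ("Knock1", 50000, "Knock2", 3.0),
    ("Knock2", 10000, "Safe", 12 * 3600.0),
    (None, 1234, "Kick-lo", 2.0),  # assumed kick-on-knock port and timeout
]


class AddressLists:
    """Dynamic address lists with per-entry expiry (address-list-timeout)."""

    def __init__(self) -> None:
        self._expiry: Dict[Tuple[str, str], float] = {}

    def contains(self, name: str, src: str, now: float) -> bool:
        exp = self._expiry.get((name, src))
        return exp is not None and now < exp

    def add(self, name: str, src: str, now: float, timeout: float) -> None:
        self._expiry[(name, src)] = now + timeout

    def members(self, name: str, now: float) -> List[str]:
        return sorted(s for (n, s), e in self._expiry.items() if n == name and now < e)

    def remove_list(self, name: str) -> int:
        """Like `/ip firewall address-list remove [find list=name]`; returns count."""
        doomed = [key for key in self._expiry if key[0] == name]
        for key in doomed:
            del self._expiry[key]
        return len(doomed)


def process_packet(lists: AddressLists, now: float, src: str, dst_port: int) -> None:
    """Walk the input chain: a rule fires when the port matches and, if it
    requires a source list, the source is currently (unexpired) in that list."""
    for needs, port, target, timeout in RULES:
        if dst_port == port and (needs is None or lists.contains(needs, src, now)):
            lists.add(target, src, now, timeout)


def kick_if_knocked(lists: AddressLists, now: float) -> int:
    """The scheduled script: if anyone is in Kick-lo, drop every Safe entry and
    the Kick-lo entries themselves; otherwise do nothing. Returns kicked count."""
    if not lists.members("Kick-lo", now):
        return 0
    kicked = lists.remove_list("Safe")
    lists.remove_list("Kick-lo")
    return kicked


def run_trace(trace: List[Tuple[float, int]], src: str = SRC) -> AddressLists:
    """Replay (time, dst-port) packets from one source in time order."""
    lists = AddressLists()
    for t, port in sorted(trace):
        process_packet(lists, t, src, port)
    return lists


def is_safe(lists: AddressLists, src: str, now: float) -> bool:
    """What the NAT rule's src-address-list=Safe matcher decides for src."""
    return lists.contains("Safe", src, now)


# Constructed traces: (seconds, destination port).
GOOD_KNOCK = [(0.0, 30000), (0.5, 50000), (1.0, 10000)]
SLOW_KNOCK = [(0.0, 30000), (4.0, 50000), (4.5, 10000)]  # Knock1 expired before step 2
FAST_SCAN = [(p * 0.00003, p) for p in range(1, 65536)]  # ascending, whole range in ~2 s
DESC_SCAN = [((65535 - p) * 0.00003, p) for p in range(1, 65536)]  # descending

if __name__ == "__main__":
    for name, trace in [("good knock", GOOD_KNOCK), ("slow knock", SLOW_KNOCK),
                        ("ascending scan", FAST_SCAN), ("descending scan", DESC_SCAN)]:
        end = max(t for t, _ in trace) + 0.5
        print(f"{name:16s} Safe={is_safe(run_trace(trace), SRC, end)}")
```

Two things the replay makes visible that the prose does not. First, each 3 s timeout is measured from the previous knock, so the sequence must progress within 3 s per step rather than 3 s overall; the ascending scan reaches Knock2 (30000 then 50000 fall inside that window at scan speed) but can never reach Safe because 10000 was scanned before either, and a descending scan fails one step earlier. Second, the kick script only works if it runs while the Kick-lo entry is still alive: with a 2 s timeout, a scheduler interval longer than 2 s will find the list empty and leave Safe untouched, so either lengthen the Kick-lo timeout or run the script more often than that.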