fpascual
Member Candidate
Topic Author
Posts: 140
Joined: Mon May 29, 2006 3:17 pm

Port

Wed Mar 21, 2007 2:23 am

Where can I define ports other than the ones in /ip service? I'm trying to configure port knocking on port 48220 but can't define them.


Thanks.
 
JJCinAZ
Member
Posts: 475
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ

Wed Mar 21, 2007 7:56 am

The /ip service items are really control of daemons on the router to provide services, like the web interface or the ftp server. You really want to use a firewall rule (or rules) with a specific port and action 'add src address to list' to allow in the knocking user.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Wed Mar 21, 2007 12:38 pm

Indeed, /ip firewall filter is your answer; just use the action 'add src to list'.
 
fpascual
Member Candidate
Topic Author
Posts: 140
Joined: Mon May 29, 2006 3:17 pm

Sat Mar 24, 2007 8:44 am

Yes, I tried to use /ip firewall filter with different ports but it doesn't work.
Can you paste me an example, please?


Thanks a lot.
 
JJCinAZ
Member
Posts: 475
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ

Sat Mar 24, 2007 4:54 pm

You need to have a cascade of rules, for example:

UDP port 2021 -> add src to list A
UDP port 2022 and src is on list A -> add src to list B
UDP port 2023 and src is on list B -> add src to list Allowed
 
fpascual
Member Candidate
Topic Author
Posts: 140
Joined: Mon May 29, 2006 3:17 pm

Wed Apr 04, 2007 9:28 pm

Yes, but I want to do port knocking with only one port.

UDP port 2021 -> add src to list A
Permit List A for 15 minutes


Then I must use telnet to this port? (like "telnet 192.168.1.1 2021")

At the moment I use port knocking, but with the HTTP port....


Thanks!
 
JJCinAZ
Member
Posts: 475
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ

Thu Apr 05, 2007 10:09 pm

It would be more like:

UDP port 2021 -> add src to list A with 15 min timeout
Permit list A
 
fpascual
Member Candidate
Topic Author
Posts: 140
Joined: Mon May 29, 2006 3:17 pm

Thu Apr 05, 2007 10:50 pm

Take a look please:


19 ;;; Permito SSH - Port Knocking SSH - Interface Externa
chain=input in-interface=externa dst-port=2021 action=add-src-to-address-list address-list=ssh_ok
address-list-timeout=15m

20 ;;; Acepto SSH Verificado - Port Knocking
chain=input in-interface=externa protocol=tcp dst-port=22 src-address-list=ssh_ok action=accept

21 ;;; Logueo Resto Intentos SSH
chain=input protocol=tcp dst-port=22 action=log log-prefix="ssh_denegado"

22 ;;; Dropeo Resto SSH
chain=input protocol=tcp dst-port=22 action=drop

Then, from the remote computer I enter:

c:\telnet my_router 2021

... and the rule doesn't match; the remote IP doesn't appear in the ssh_ok list.


What am I doing wrong?


Thanks!
 
JJCinAZ
Member
Posts: 475
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ

Fri Apr 06, 2007 11:37 pm

You need a protocol specification. The rule cannot look into the IP packet to get a port until it knows if it's a TCP, UDP, etc. Try the following:

19 ;;; Permito SSH - Port Knocking SSH - Interface Externa
chain=input in-interface=externa protocol=tcp dst-port=2021 action=add-src-to-address-list address-list=ssh_ok
address-list-timeout=15m
 
fpascual
Member Candidate
Topic Author
Posts: 140
Joined: Mon May 29, 2006 3:17 pm

Sat Apr 07, 2007 2:40 pm

JJCinAZ, it doesn't work...
 
skillful
Trainer
Posts: 552
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Sat Apr 07, 2007 5:03 pm

Try this rule:

/ip firewall filter
add chain=input in-interface=externa protocol=udp dst-port=2021 action=add-src-to-address-list address-list=ssh_ok \
comment="Permito SSH - Port Knocking SSH - Interface Externa" address-list-timeout=15m

20 ;;; Acepto SSH Verificado - Port Knocking
chain=input in-interface=externa protocol=tcp dst-port=22 src-address-list=ssh_ok action=accept

Make sure to place this rule above any rule that blocks input to the router.
 
fpascual
Member Candidate
Topic Author
Posts: 140
Joined: Mon May 29, 2006 3:17 pm

Sat Apr 07, 2007 5:19 pm

No, skill...

Take a look at my firewall rules:


[admin@mk] ip firewall filter> print input
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Permito SSH desde la LAN
chain=input in-interface=interna src-address=192.168.1.0/24 protocol=tcp dst-port=22 action=accept

1 ;;; Permito SSH - Port Knocking SSH - Interface Externa
chain=input in-interface=externa protocol=udp dst-port=2031 action=add-src-to-address-list address-list=ssh_ok
address-list-timeout=5m

2 ;;; Acepto SSH Verificado - Port Knocking
chain=input in-interface=externa protocol=tcp dst-port=22 src-address-list=ssh_ok action=accept

3 ;;; Logueo Resto Intentos SSH
chain=input protocol=tcp dst-port=22 action=log log-prefix="ssh_denegado"

4 ;;; Dropeo Resto SSH
chain=input protocol=tcp dst-port=22 action=drop



Then, from a remote computer:


C:\Documents and Settings\>telnet my_mk 2031
Connecting To my_mk...Could not open connection to the host, on port 2031: Connect failed

And nothing happened:

ip firewall address-list> print
Flags: X - disabled, D - dynamic
# LIST ADDRESS


Thanks a lot.
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Sat Apr 07, 2007 5:44 pm

fpascual,

you defined the 'knocking' on port 2031 with UDP, but telnet uses TCP, hence you cannot use a telnet to port 2031 to do the knocking...

You'd need a special tool that sends a UDP packet to port 2031, or change the knocking rule to use TCP, then you can use telnet just like you did.

--Tom
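As an added illustration (not code from the thread or from RouterOS), a toy Python model of the input chain that reproduces what JJCinAZ's three-stage cascade and tneumann's TCP/UDP point come down to: a telnet (TCP) connect never matches a protocol=udp knock rule, so the address list stays empty and the SSH SYN is dropped, while the right protocol in the right order opens SSH until the address-list-timeout expires. The client address, the timeouts and the list names are constructed for the example (the cascade's final list is called ssh_ok here instead of "Allowed" so both scenarios share the same SSH rules), and a rule with dst-port but no protocol is modelled as never matching, as JJCinAZ describes.

```python
# Toy model of RouterOS input-chain evaluation for port knocking (added example, not RouterOS
# code): models protocol match, add-src-to-address-list, address-list-timeout and passthrough.
IP = "203.0.113.5"  # constructed client address

class Firewall:
    def __init__(self, rules):
        self.rules = rules      # rule dicts in chain order
        self.lists = {}         # address-list name -> {ip: expiry time}
    def in_list(self, name, ip, now):
        return self.lists.get(name, {}).get(ip, -1) > now

    def matches(self, r, pkt, now):
        src, proto, dport = pkt
        if "dport" in r and "proto" not in r:
            return False        # no protocol given: the port cannot be matched (rule is invalid)
        if r.get("proto", proto) != proto or r.get("dport", dport) != dport:
            return False
        return "src_list" not in r or self.in_list(r["src_list"], src, now)

    def input(self, pkt, now):
        """Walk the chain; return the terminating action ('accept' if no rule matches)."""
        for r in self.rules:
            if not self.matches(r, pkt, now):
                continue
            if r["action"] == "add-src-to-address-list":
                self.lists.setdefault(r["list"], {})[pkt[0]] = now + r["timeout"]
                continue        # passthrough: keep evaluating the chain
            return r["action"]
        return "accept"

def knock(dport, lst, timeout, src_list=None):
    """Build a UDP add-src-to-address-list rule, optionally gated on an earlier list."""
    r = {"action": "add-src-to-address-list", "proto": "udp", "dport": dport, "list": lst, "timeout": timeout}
    return {**r, "src_list": src_list} if src_list else r

SSH = [{"action": "accept", "proto": "tcp", "dport": 22, "src_list": "ssh_ok"},
       {"action": "drop", "proto": "tcp", "dport": 22}]

def single_knock(knock_proto):
    """fpascual's rules; returns (client in ssh_ok?, verdict for the SSH SYN that follows)."""
    fw = Firewall([knock(2031, "ssh_ok", 300)] + SSH)
    fw.input((IP, knock_proto, 2031), now=0)   # telnet sends TCP here, not UDP
    return fw.in_list("ssh_ok", IP, 1), fw.input((IP, "tcp", 22), now=1)

def cascade(ports, ssh_at):
    """JJCinAZ's cascade: 2021 -> A, 2022 gated on A -> B, 2023 gated on B -> ssh_ok; knocks 1 s apart."""
    fw = Firewall([knock(2021, "A", 10), knock(2022, "B", 10, "A"), knock(2023, "ssh_ok", 900, "B")] + SSH)
    for t, p in enumerate(ports):
        fw.input((IP, "udp", p), now=t)
    return fw.input((IP, "tcp", 22), now=ssh_at)
```

single_knock("tcp") gives (False, "drop"), which is exactly the empty address list fpascual sees; single_knock("udp") gives (True, "accept").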
 
skillful
Trainer
Posts: 552
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Sat Apr 07, 2007 5:50 pm

Then, from a remote computer:


C:\Documents and Settings\>telnet my_mk 2031
Connecting To my_mk...Could not open connection to the host, on port 2031: Connect failed

And nothing happened:

This command will telnet to "my_mk" on TCP port 2031, whereas the router is listening on UDP port 2031. So the source IP will not be added to "ssh-ok". You must knock on UDP port 2031 for this to work. Alternatively, change the protocol to TCP in your rule 1; then the telnet command will work.
 
skillful
Trainer
Posts: 552
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Sat Apr 07, 2007 5:54 pm

tneumann took the words out of my mind :)
 
fpascual
Member Candidate
Topic Author
Posts: 140
Joined: Mon May 29, 2006 3:17 pm

Sat Apr 07, 2007 6:22 pm

Yes, I tried with TCP before and it doesn't work.
Is it correct to use "telnet mk_ip port" to activate knocking? I think this is my problem.

Thanks to all.