
Port

Posted: Wed Mar 21, 2007 2:23 am
by fpascual
Where can I define other ports than /ip service? I'm trying to configure port knocking on port 48220 but can't define them.


Thanks.

Posted: Wed Mar 21, 2007 7:56 am
by JJCinAZ
The /ip service items are really control of daemons on the router to provide services, like the web interface or the ftp server. You really want to use a firewall rule (or rules) with a specific port and action 'add src address to list' to allow in the knocking user.

Posted: Wed Mar 21, 2007 12:38 pm
by janisk
Indeed, /ip firewall filter is your answer; just use action 'add src to list'.

Posted: Sat Mar 24, 2007 8:44 am
by fpascual
Yes, I tried to use /ip firewall filter with different ports but it doesn't work.
Can you paste me an example please?


Thanks a lot.

Posted: Sat Mar 24, 2007 4:54 pm
by JJCinAZ
You need to have a cascade of rules for example:

UDP port 2021 -> add src to list A
UDP port 2022 and src is on list A -> add src to list B
UDP port 2023 and src is on list B -> add src to list Allowed

Posted: Wed Apr 04, 2007 9:28 pm
by fpascual
Yes, but I want to do port knocking with only one port.

UDP port 2021 -> add src to list A
Permit List A for 15 minutes


Then, must I use telnet to this port? (like "telnet 192.168.1.1 2021")

At the moment I use port knocking, but with the HTTP port ....


Thanks!

Posted: Thu Apr 05, 2007 10:09 pm
by JJCinAZ
It would be more like:

UDP port 2021 -> add src to list A with 15 min timeout
Permit list A

Posted: Thu Apr 05, 2007 10:50 pm
by fpascual
Take a look please:


19 ;;; Permito SSH - Port Knocking SSH - Interface Externa
chain=input in-interface=externa dst-port=2021 action=add-src-to-address-list address-list=ssh_ok
address-list-timeout=15m

20 ;;; Acepto SSH Verificado - Port Knocking
chain=input in-interface=externa protocol=tcp dst-port=22 src-address-list=ssh_ok action=accept

21 ;;; Logueo Resto Intentos SSH
chain=input protocol=tcp dst-port=22 action=log log-prefix="ssh_denegado"

22 ;;; Dropeo Resto SSH
chain=input protocol=tcp dst-port=22 action=drop

Then, from remote computer I put:

c:\telnet my_router 2021

... and the rule doesn't match; the remote IP doesn't appear in the ssh_ok list.


What am I doing wrong?


Thanks!

Posted: Thu Apr 05, 2007 11:28 pm
by JJCinAZ
It would be more like:

UDP port 2021 -> add src to list A with 15 min timeout
Permit list A

Posted: Fri Apr 06, 2007 11:37 pm
by JJCinAZ
You need a protocol specification. The rule cannot look into the IP packet to get a port until it knows whether it's TCP, UDP, etc. Try the following:

19 ;;; Permito SSH - Port Knocking SSH - Interface Externa
chain=input in-interface=externa protocol=tcp dst-port=2021 action=add-src-to-address-list address-list=ssh_ok
address-list-timeout=15m

Posted: Sat Apr 07, 2007 2:40 pm
by fpascual
JJCinAZ, it doesn't work ...

Posted: Sat Apr 07, 2007 5:03 pm
by skillful
Try this rule:

/ip firewall filter
add chain=input in-interface=externa protocol=udp dst-port=2021 action=add-src-to-address-list address-list=ssh_ok \
comment="Permito SSH - Port Knocking SSH - Interface Externa" address-list-timeout=15m

20 ;;; Acepto SSH Verificado - Port Knocking
chain=input in-interface=externa protocol=tcp dst-port=22 src-address-list=ssh_ok action=accept

Make sure to place this rule above any rule that blocks input to the router.

Posted: Sat Apr 07, 2007 5:19 pm
by fpascual
No, skillful ...

Take a look at my firewall rules:


[admin@mk] ip firewall filter> print input
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Permito SSH desde la LAN
chain=input in-interface=interna src-address=192.168.1.0/24 protocol=tcp dst-port=22 action=accept

1 ;;; Permito SSH - Port Knocking SSH - Interface Externa
chain=input in-interface=externa protocol=udp dst-port=2031 action=add-src-to-address-list address-list=ssh_ok
address-list-timeout=5m

2 ;;; Acepto SSH Verificado - Port Knocking
chain=input in-interface=externa protocol=tcp dst-port=22 src-address-list=ssh_ok action=accept

3 ;;; Logueo Resto Intentos SSH
chain=input protocol=tcp dst-port=22 action=log log-prefix="ssh_denegado"

4 ;;; Dropeo Resto SSH
chain=input protocol=tcp dst-port=22 action=drop



Then, from a remote computer:


C:\Documents and Settings\>telnet my_mk 2031
Connecting To my_mk...Could not open connection to the host, on port 2031: Connect failed

And nothing happened:

ip firewall address-list> print
Flags: X - disabled, D - dynamic
# LIST ADDRESS


Thanks a lot.

Posted: Sat Apr 07, 2007 5:44 pm
by tneumann
fpascual,

you defined the 'knocking' to port 2031 with UDP, but telnet uses TCP, hence you cannot use telnet to port 2031 to do the knocking...

You'd need a special tool that sends a UDP packet to port 2031, or change the knocking rule to use TCP, then you can use telnet just like you did.

--Tom
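
The two things the thread turns on, the three-stage cascade JJCinAZ sketched earlier and the TCP-versus-UDP mismatch tneumann points out here, can both be checked in a small simulation. The following is an added example written for this page; it is not RouterOS code and was not posted by anyone in the thread. It models only the matchers and actions the posts use (chain=input, protocol, dst-port, src-address-list, add-src-to-address-list with address-list-timeout, accept, drop), evaluates rules in order with the list action falling through as RouterOS does, and, following JJCinAZ's explanation, treats a dst-port matcher with no protocol= as never matching. The addresses, clock and packets are constructed; in-interface and the LAN rule are left out.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Packet:
    src: str
    proto: str        # "tcp" or "udp"
    dst_port: int
    t: float          # arrival time in seconds on a constructed clock

@dataclass
class Rule:
    action: str                            # accept | drop | add-src-to-address-list
    protocol: Optional[str] = None         # None models a rule with no protocol= set
    dst_port: Optional[int] = None
    src_address_list: Optional[str] = None
    address_list: Optional[str] = None     # target list of add-src-to-address-list
    timeout: Optional[float] = None        # address-list-timeout in seconds; None = permanent

class InputChain:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.lists: Dict[str, Dict[str, Optional[float]]] = {}   # list name -> {src: expiry}

    def in_list(self, name: str, src: str, now: float) -> bool:
        entries = self.lists.get(name, {})
        if src not in entries:
            return False
        expiry = entries[src]
        if expiry is not None and expiry <= now:
            del entries[src]               # dynamic entry has timed out
            return False
        return True

    def matches(self, rule: Rule, pkt: Packet) -> bool:
        if rule.dst_port is not None and rule.protocol is None:
            return False                   # no protocol= means no port to compare against
        if rule.protocol is not None and rule.protocol != pkt.proto:
            return False
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            return False
        if rule.src_address_list and not self.in_list(rule.src_address_list, pkt.src, pkt.t):
            return False
        return True

    def process(self, pkt: Packet) -> str:
        """Walk the rules in order; the list action falls through, accept/drop terminate."""
        for rule in self.rules:
            if not self.matches(rule, pkt):
                continue
            if rule.action == "add-src-to-address-list":
                expiry = None if rule.timeout is None else pkt.t + rule.timeout
                self.lists.setdefault(rule.address_list, {})[pkt.src] = expiry
            else:
                return rule.action
        return "accept"                    # nothing matched: the chain's default

def single_knock_rules() -> List[Rule]:
    """The thread's final input chain: one UDP knock opens TCP/22 for 5 minutes."""
    return [Rule("add-src-to-address-list", protocol="udp", dst_port=2031,
                 address_list="ssh_ok", timeout=5 * 60),
            Rule("accept", protocol="tcp", dst_port=22, src_address_list="ssh_ok"),
            Rule("drop", protocol="tcp", dst_port=22)]

def single_knock_demo() -> Dict[str, object]:
    fw, src = InputChain(single_knock_rules()), "203.0.113.7"   # constructed remote host
    fw.process(Packet(src, "tcp", 2031, t=0))        # what "telnet my_mk 2031" puts on the wire
    listed_after_telnet = fw.in_list("ssh_ok", src, now=1)
    ssh_after_telnet = fw.process(Packet(src, "tcp", 22, t=1))
    fw.process(Packet(src, "udp", 2031, t=2))        # a UDP datagram to the knock port
    ssh_after_udp = fw.process(Packet(src, "tcp", 22, t=3))
    ssh_after_expiry = fw.process(Packet(src, "tcp", 22, t=2 + 5 * 60 + 1))
    return {"listed_after_telnet": listed_after_telnet, "ssh_after_telnet": ssh_after_telnet,
            "ssh_after_udp": ssh_after_udp, "ssh_after_expiry": ssh_after_expiry}

def missing_protocol_demo() -> bool:
    """fpascual's first rule 19 (dst-port=2021 with no protocol=): nothing is ever listed."""
    fw = InputChain([Rule("add-src-to-address-list", dst_port=2021, address_list="ssh_ok", timeout=900)])
    fw.process(Packet("203.0.113.7", "udp", 2021, t=0))
    return fw.in_list("ssh_ok", "203.0.113.7", now=1)

def cascade_rules() -> List[Rule]:
    """JJCinAZ's three-stage cascade; stepping-stone lists A and B live only 10 s."""
    stages = [(2021, None, "A", 10), (2022, "A", "B", 10), (2023, "B", "Allowed", 15 * 60)]
    knocks = [Rule("add-src-to-address-list", "udp", port, needs, adds, ttl)
              for port, needs, adds, ttl in stages]
    return knocks + [Rule("accept", "tcp", 22, "Allowed"), Rule("drop", "tcp", 22)]

def cascade_demo() -> Dict[str, str]:
    # SSH verdict after three knocks sent in order, out of order, and too slowly
    src, results = "198.51.100.9", {}
    scenarios = {"in_order": ((2021, 0), (2022, 1), (2023, 2)),
                 "wrong_order": ((2022, 0), (2021, 1), (2023, 2)),
                 "too_slow": ((2021, 0), (2022, 20), (2023, 40))}
    for name, knocks in scenarios.items():
        fw = InputChain(cascade_rules())
        for port, t in knocks:
            fw.process(Packet(src, "udp", port, t=t))
        results[name] = fw.process(Packet(src, "tcp", 22, t=knocks[-1][1] + 3))
    return results
```

single_knock_demo reproduces the thread: the TCP connection telnet opens never touches the UDP knock rule, so ssh_ok stays empty and SSH is dropped, while a UDP datagram to the same port lists the source and SSH is accepted until the 5-minute timeout lapses. missing_protocol_demo shows why the earlier rule 19 listed nothing. cascade_demo goes a step beyond the posts: with short timeouts on the intermediate lists, the knocks must arrive in the right order and within the window, which is what makes the cascade stricter than a single knock.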

Posted: Sat Apr 07, 2007 5:50 pm
by skillful
Then, from a remote computer:


C:\Documents and Settings\>telnet my_mk 2031
Connecting To my_mk...Could not open connection to the host, on port 2031: Connect failed

And nothing happened:
This command will telnet to "my_mk" on TCP port 2031, whereas the router is listening on UDP port 2031. So the source IP will not be added to "ssh_ok". You must knock on UDP port 2031 for this to work. Alternatively, change the protocol to TCP in your rule 1; then the telnet command will work.

Posted: Sat Apr 07, 2007 5:54 pm
by skillful
tneumann took the words out of my mind :)

Posted: Sat Apr 07, 2007 6:22 pm
by fpascual
Yes, I tried with TCP before and it doesn't work.
Is it correct to use "telnet mk_ip port" to activate knocking? I think this is my problem.

Thanks to all.