使用 iptables 进行端口敲击

Question

这是一种方法（使用'最近的' 模块）：我将把它变成一个“社区维基”，以便在需要时进行更正。

# set default policy for INPUT chain to DROP
iptables -P INPUT DROP

# accept all local traffic
iptables -A INPUT -i lo -j ACCEPT

# accept all the already-established connections
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

# add more of your own rules here...

# at the end, redirect all the packets into the KNOCKING chain
# this makes it easy to quickly enable/disable KNOCKING chain, if need be
iptables -A INPUT -j KNOCKING

# if the src ip is already authenticated, accept it
iptables -A KNOCKING -m recent --rcheck --seconds 60 --reap --name knockfinal -j ACCEPT

# if the packet is not authenticated and the first port knock is correct
# add the src ip into the 'knock1' list
iptables -A KNOCKING -p tcp -m tcp --dport 1111 -m recent --set --name knock1 -j DROP

# if the src ip is already in the 'knock1' list (with the expiry time of 10 seconds)
# and the 2nd port knock is correct, add the src ip to the 'knock2' list
iptables -A KNOCKING -p tcp -m recent --rcheck --seconds 10 --reap --name knock1 -m tcp --dport 2222 -m recent --set --name knock2 -j DROP

# if the src ip is already in the 'knock2' list (with the expiry time of 10 seconds)
# and the 3rd port knock is correct, add the src ip to the 'knock3' list
iptables -A KNOCKING -p tcp -m recent --rcheck --seconds 10 --reap --name knock2 -m tcp --dport 3333 -m recent --set --name knock3 -j DROP

# if the src ip is already in the 'knock3' list (with the expiry time of 10 seconds)
# and the 4th port knock is correct, add the src ip to the 'knockfinal' list
iptables -A KNOCKING -p tcp -m recent --rcheck --seconds 10 --reap --name knock3 -m tcp --dport 4444 -m recent --set --name knockfinal -j DROP

# otherwise, we don't do anything and the default INPUT policy will drop the packet

更简洁的格式如下：

iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
# add more of your own rules here...
iptables -A INPUT -j KNOCKING

iptables -A KNOCKING -m recent --rcheck --seconds 60 --reap --name knockfinal -j ACCEPT
iptables -A KNOCKING -p tcp -m tcp --dport 1111 -m recent --set --name knock1 -j DROP
iptables -A KNOCKING -p tcp -m recent --rcheck --seconds 10 --reap --name knock1 -m tcp --dport 2222 -m recent --set --name knock2 -j DROP
iptables -A KNOCKING -p tcp -m recent --rcheck --seconds 10 --reap --name knock2 -m tcp --dport 3333 -m recent --set --name knock3 -j DROP
iptables -A KNOCKING -p tcp -m recent --rcheck --seconds 10 --reap --name knock3 -m tcp --dport 4444 -m recent --set --name knockfinal -j DROP

Answer 1

这是一种方法（使用'最近的' 模块）：我将把它变成一个“社区维基”，以便在需要时进行更正。

# set default policy for INPUT chain to DROP
iptables -P INPUT DROP

# accept all local traffic
iptables -A INPUT -i lo -j ACCEPT

# accept all the already-established connections
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

# add more of your own rules here...

# at the end, redirect all the packets into the KNOCKING chain
# this makes it easy to quickly enable/disable KNOCKING chain, if need be
iptables -A INPUT -j KNOCKING

# if the src ip is already authenticated, accept it
iptables -A KNOCKING -m recent --rcheck --seconds 60 --reap --name knockfinal -j ACCEPT

# if the packet is not authenticated and the first port knock is correct
# add the src ip into the 'knock1' list
iptables -A KNOCKING -p tcp -m tcp --dport 1111 -m recent --set --name knock1 -j DROP

# if the src ip is already in the 'knock1' list (with the expiry time of 10 seconds)
# and the 2nd port knock is correct, add the src ip to the 'knock2' list
iptables -A KNOCKING -p tcp -m recent --rcheck --seconds 10 --reap --name knock1 -m tcp --dport 2222 -m recent --set --name knock2 -j DROP

# if the src ip is already in the 'knock2' list (with the expiry time of 10 seconds)
# and the 3rd port knock is correct, add the src ip to the 'knock3' list
iptables -A KNOCKING -p tcp -m recent --rcheck --seconds 10 --reap --name knock2 -m tcp --dport 3333 -m recent --set --name knock3 -j DROP

# if the src ip is already in the 'knock3' list (with the expiry time of 10 seconds)
# and the 4th port knock is correct, add the src ip to the 'knockfinal' list
iptables -A KNOCKING -p tcp -m recent --rcheck --seconds 10 --reap --name knock3 -m tcp --dport 4444 -m recent --set --name knockfinal -j DROP

# otherwise, we don't do anything and the default INPUT policy will drop the packet

更简洁的格式如下：

iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
# add more of your own rules here...
iptables -A INPUT -j KNOCKING

iptables -A KNOCKING -m recent --rcheck --seconds 60 --reap --name knockfinal -j ACCEPT
iptables -A KNOCKING -p tcp -m tcp --dport 1111 -m recent --set --name knock1 -j DROP
iptables -A KNOCKING -p tcp -m recent --rcheck --seconds 10 --reap --name knock1 -m tcp --dport 2222 -m recent --set --name knock2 -j DROP
iptables -A KNOCKING -p tcp -m recent --rcheck --seconds 10 --reap --name knock2 -m tcp --dport 3333 -m recent --set --name knock3 -j DROP
iptables -A KNOCKING -p tcp -m recent --rcheck --seconds 10 --reap --name knock3 -m tcp --dport 4444 -m recent --set --name knockfinal -j DROP

使用 iptables 进行端口敲击

答案1

相关内容