Do you wish you had access to your home file server without leaving your firewall wide open to attacks? Well, today’s your lucky day! While you can implement this on any OS, it’s easiest to do on Linux. This article will show you how to lock down your firewall and implement a port knocker to let you in.
We are going to achieve this using a Linux firewall and server, SLED 10.1 to be exact. Yes, you will be playing around with config files, but I’ll give you a template you can work with so you can just copy/paste and change the things you need to change.
Before we get started you need to install some things along with the OS. Mainly:
You can install these tools through YaST2; just make sure you have the install CD/DVD with you and remember to resolve dependencies.
The first thing you have to do is configure both network cards. That’s right, I said “both.” You need to have two network cards in this box to let it run as a firewall. You need to configure one as “internal” and one as “external.” Again, you can do this through YaST2.
While you’re there, make sure the “External” card has no ports open and your internal one has all the ports open. The external card is the one that’s going to be interfacing with the Internet and as such is the one running the firewall. If you can’t figure out which card is which, open a terminal, do an su - to change to root and type in ifconfig. Note the MAC addresses for each card (probably eth0 and eth1) and then compare them to the MACs you see in the YaST2 configuration screen. If your ISP gave you a static IP address, configure that in the external card as well, or else set up that card to obtain its IP address with DHCP. The setup should eventually look like this: modem->SLED Server (a.k.a. firewall)->router->other computers.
I’m going to skip the rest of the card configuration steps; it’s not that hard, just play around with it. You need to set up your internal card to either give out IP addresses, or just put the IP address of your second card into the default gateway of your router. Go crazy and experiment; the worst that will happen is you need to reinstall or reset your router.
Configuration 101
Now to secure your firewall. The YaST2 firewall is very nice except for one part. There are two types of packets that aren’t treated the same way as the rest. For every other packet sent to a closed port, the firewall just eats it. To an attacker it looks as though the packets didn’t hit anything and therefore there is no computer there.
For ICMP type 8 (echo request) and IDENT packets, however, the firewall will send a response saying the port is closed and would you kindly please start attacking me because you now know someone is here. In order for the firewall to treat those packets like any other, you need to add an entry to the iptables rules. Open a console, su - into root, cd into /etc/sysconfig/scripts, and open SuSEfirewall2-custom in a text editor. Now, just copy and paste the following into the fw_custom_after_antispoofing() section of the file.
###################################################
#
# Start
# Rules to make the host invisible on the Internet
#
###################################################
# Setup new chain
iptables -N INVISIBLE
# Drop incoming ICMP echo requests (type 8)
# (Note: uses $FW_DEV_EXT variable setup in main SuSEfirewall2 script)
iptables -A INVISIBLE -p icmp -i $FW_DEV_EXT -m state --state NEW -m icmp --icmp-type 8 -j DROP
# Drop identd packets from unknown hosts
iptables -A INVISIBLE -p tcp --dport 113 -m state --state NEW -j DROP
# Send the packets I want to examine further to my INVISIBLE chain
iptables -A INPUT -p icmp -i $FW_DEV_EXT -m state --state NEW -j INVISIBLE
iptables -A INPUT -p tcp --dport 113 -j INVISIBLE
###################################################
#
# End
# Rules to make the host invisible on the Internet
#
###################################################
While you’re at it, copy this as well and put it right under the previous code:
###################################################
#
# Start Port Knocking Configuration
#
###################################################
# Enter the 4 ports used as the port knocking combination
TOKEN1="10"
TOKEN2="20"
TOKEN3="30"
TOKEN4="40"
# Enter the port to open after a successful knock
OPENPORT="22"
# Enter the number of seconds the port will remain open waiting for you to connect
OPENTIMER="10"

# Token 1 received: forget any earlier progress, mark TOKEN1A (state) and TOKEN1B (this-packet marker)
iptables -N TOKEN1CHAIN
iptables -A TOKEN1CHAIN -m recent --name TOKEN1A --remove
iptables -A TOKEN1CHAIN -m recent --name TOKEN2A --remove
iptables -A TOKEN1CHAIN -m recent --name TOKEN3A --remove
iptables -A TOKEN1CHAIN -m recent --name TOKEN4A --remove
iptables -A TOKEN1CHAIN -m recent --name TOKEN1A --set
iptables -A TOKEN1CHAIN -m recent --name TOKEN1B --set
iptables -A TOKEN1CHAIN -j LOG --log-prefix "TOKEN1 Received: "

# After token 1 only token 2 is allowed; any other packet from that source is a violation
iptables -N PRE-TOKEN2CHAIN
iptables -A PRE-TOKEN2CHAIN -p tcp --dport $TOKEN2 -m recent --rcheck --name TOKEN1A -j RETURN
iptables -A PRE-TOKEN2CHAIN -p tcp --dport $TOKEN1 -m recent --name TOKEN1B --remove -j RETURN
iptables -A PRE-TOKEN2CHAIN -m recent --name TOKEN1A --remove
iptables -A PRE-TOKEN2CHAIN -j LOG --log-prefix "VIOLATION AFTER TOKEN1: "

iptables -N TOKEN2CHAIN
iptables -A TOKEN2CHAIN -m recent --name TOKEN1A --remove
iptables -A TOKEN2CHAIN -m recent --name TOKEN2A --set
iptables -A TOKEN2CHAIN -m recent --name TOKEN2B --set
iptables -A TOKEN2CHAIN -j LOG --log-prefix "TOKEN2 Received: "

iptables -N PRE-TOKEN3CHAIN
iptables -A PRE-TOKEN3CHAIN -p tcp --dport $TOKEN3 -m recent --rcheck --name TOKEN2A -j RETURN
iptables -A PRE-TOKEN3CHAIN -p tcp --dport $TOKEN2 -m recent --name TOKEN2B --remove -j RETURN
iptables -A PRE-TOKEN3CHAIN -m recent --name TOKEN2A --remove
iptables -A PRE-TOKEN3CHAIN -j LOG --log-prefix "VIOLATION AFTER TOKEN2: "

iptables -N TOKEN3CHAIN
iptables -A TOKEN3CHAIN -m recent --name TOKEN2A --remove
iptables -A TOKEN3CHAIN -m recent --name TOKEN3A --set
iptables -A TOKEN3CHAIN -m recent --name TOKEN3B --set
iptables -A TOKEN3CHAIN -j LOG --log-prefix "TOKEN3 Received: "

iptables -N PRE-TOKEN4CHAIN
iptables -A PRE-TOKEN4CHAIN -p tcp --dport $TOKEN4 -m recent --rcheck --name TOKEN3A -j RETURN
iptables -A PRE-TOKEN4CHAIN -p tcp --dport $TOKEN3 -m recent --name TOKEN3B --remove -j RETURN
iptables -A PRE-TOKEN4CHAIN -m recent --name TOKEN3A --remove
iptables -A PRE-TOKEN4CHAIN -j LOG --log-prefix "VIOLATION AFTER TOKEN3: "

# Token 4 received: TOKEN4A is the "open" state, TOKEN4C is used once to log "TOKEN OK"
iptables -N TOKEN4CHAIN
iptables -A TOKEN4CHAIN -m recent --name TOKEN3A --remove
iptables -A TOKEN4CHAIN -m recent --name TOKEN4A --set
iptables -A TOKEN4CHAIN -m recent --name TOKEN4B --set
iptables -A TOKEN4CHAIN -m recent --name TOKEN4C --set
iptables -A TOKEN4CHAIN -j LOG --log-prefix "TOKEN4 Received: "

iptables -N PRE-OPENPORT
iptables -A PRE-OPENPORT -p tcp --dport $OPENPORT -m recent --rcheck --name TOKEN4C -j LOG --log-prefix "TOKEN OK: "
iptables -A PRE-OPENPORT -p tcp --dport $OPENPORT -m recent --name TOKEN4C --remove
iptables -A PRE-OPENPORT -p tcp --dport $OPENPORT -m recent --rcheck --name TOKEN4A -j RETURN
iptables -A PRE-OPENPORT -p tcp --dport $TOKEN4 -m recent --name TOKEN4B --remove -j RETURN
iptables -A PRE-OPENPORT -m recent --name TOKEN4A --remove
iptables -A PRE-OPENPORT -j LOG --log-prefix "VIOLATION AFTER TOKEN4: "

# Hook the knock chains into INPUT
iptables -A INPUT -p tcp --dport $TOKEN1 -m recent --set --name TOKEN1A -j TOKEN1CHAIN
iptables -A INPUT -m recent --rcheck --name TOKEN1A -j PRE-TOKEN2CHAIN
iptables -A INPUT -p tcp --dport $TOKEN2 -m recent --rcheck --name TOKEN1A -j TOKEN2CHAIN
iptables -A INPUT -m recent --rcheck --name TOKEN2A -j PRE-TOKEN3CHAIN
iptables -A INPUT -p tcp --dport $TOKEN3 -m recent --rcheck --name TOKEN2A -j TOKEN3CHAIN
iptables -A INPUT -m recent --rcheck --name TOKEN3A -j PRE-TOKEN4CHAIN
iptables -A INPUT -p tcp --dport $TOKEN4 -m recent --rcheck --name TOKEN3A -j TOKEN4CHAIN
iptables -A INPUT -m recent --rcheck --name TOKEN4A -j PRE-OPENPORT
# Finally, let the real connection in while TOKEN4A is younger than $OPENTIMER seconds
iptables -A INPUT -p tcp --dport $OPENPORT -m recent --rcheck --seconds $OPENTIMER --name TOKEN4A -j ACCEPT
###################################################
#
# End Port Knocking Configuration
#
###################################################
Change the token numbers from 10, 20, 30, 40 to any other numbers you want up to 1024. Think of this combination of numbers as your access code, because it is. This is the combination of numbers you will feed to your firewall to let you in, so remember them.
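To see exactly what the rules above enforce before you restart a live firewall, here is a small simulator. It is an added example, not code from the article or its author: it models the per-source `-m recent` lists (TOKEN1A..TOKEN4A as a counter of tokens received in order, TOKEN4C as the one-shot "TOKEN OK" marker, and the `--rcheck --seconds` check on TOKEN4A) as a state machine with the article's defaults, and feeds it constructed traffic from a made-up source address. It reproduces two properties of the rule set that are easy to miss when reading it: any packet from the knocking host that is not the next token, including a repeat of the previous token (whose TOKENnB marker is already gone), is logged as a violation and resets the sequence, while a packet to TOKEN1 always restarts it.

```python
"""Simulator for the article's port-knocking rules (added example, not the
article's code).  Each source address has one state: how many tokens have
arrived in order.  The -m recent lists TOKEN1A..TOKEN4A are that counter,
TOKEN4C is the one-shot "TOKEN OK" log marker, and OPENTIMER is the
--rcheck --seconds check on TOKEN4A."""

TOKENS = (10, 20, 30, 40)   # the article's default TOKEN1..TOKEN4
OPENPORT = 22               # the article's OPENPORT
OPENTIMER = 10              # the article's OPENTIMER, in seconds


class KnockFirewall:
    def __init__(self, tokens=TOKENS, openport=OPENPORT, timer=OPENTIMER):
        self.tokens = tuple(tokens)
        self.openport = openport
        self.timer = timer
        self.stage = {}       # src -> tokens received in order (0..4)
        self.stamp = {}       # src -> time TOKEN4A was set
        self.token4c = set()  # sources whose TOKEN4C marker is still set
        self.log = []         # what the LOG targets would write

    def packet(self, src, dport, now, proto="tcp"):
        """Apply the INPUT rules to one packet and return the verdict.
        The external interface has no open ports, so anything the knock
        rules do not ACCEPT is dropped."""
        stage = self.stage.get(src, 0)
        tcp = proto == "tcp"

        # INPUT rule 1 + TOKEN1CHAIN: a packet to TOKEN1 always restarts,
        # because the chain removes every TOKENnA entry first.
        if tcp and dport == self.tokens[0]:
            self.stage[src] = 1
            self.token4c.discard(src)
            self.log.append(f"TOKEN1 Received: {src}")
            return "DROP"

        if stage == 0:
            return "DROP"            # no knock in progress for this source

        if stage < 4:
            # PRE-TOKEN(n+1)CHAIN: only the next token RETURNs.  Any other
            # packet from this source, a repeat of the last token included
            # (its TOKENnB marker is already gone), removes TOKENnA.
            if tcp and dport == self.tokens[stage]:
                self.stage[src] = stage + 1
                self.log.append(f"TOKEN{stage + 1} Received: {src}")
                if stage + 1 == 4:
                    self.stamp[src] = now
                    self.token4c.add(src)
            else:
                self.stage[src] = 0
                self.log.append(f"VIOLATION AFTER TOKEN{stage}: {src}")
            return "DROP"

        # stage 4: PRE-OPENPORT, then the final --rcheck --seconds rule
        if tcp and dport == self.openport:
            if src in self.token4c:          # first connect after the knock
                self.log.append(f"TOKEN OK: {src}")
                self.token4c.discard(src)
            # TOKEN4A is never removed here, so it keeps matching until it
            # is older than OPENTIMER (then the packet falls through: DROP)
            return "ACCEPT" if now - self.stamp[src] <= self.timer else "DROP"
        self.stage[src] = 0
        self.token4c.discard(src)
        self.log.append(f"VIOLATION AFTER TOKEN4: {src}")
        return "DROP"


def run(sequence, tokens=TOKENS, openport=OPENPORT, timer=OPENTIMER):
    """Feed (src, dport, time[, proto]) tuples to a fresh firewall.
    Returns (verdicts, log)."""
    fw = KnockFirewall(tokens, openport, timer)
    return [fw.packet(*pkt) for pkt in sequence], fw.log


if __name__ == "__main__":
    SRC = "198.51.100.7"  # constructed address for the knocking host
    samples = {
        # correct knock, ssh 3 seconds later: accepted
        "good": [(SRC, 10, 0.0), (SRC, 20, 0.2), (SRC, 30, 0.4),
                 (SRC, 40, 0.6), (SRC, 22, 3.0)],
        # second token sent twice (a retransmit): sequence resets, ssh dropped
        "dup":  [(SRC, 10, 0.0), (SRC, 20, 0.2), (SRC, 20, 1.2),
                 (SRC, 30, 1.4), (SRC, 40, 1.6), (SRC, 22, 2.0)],
        # correct knock but ssh after the timer: "TOKEN OK" logged, still dropped
        "late": [(SRC, 10, 0.0), (SRC, 20, 0.2), (SRC, 30, 0.4),
                 (SRC, 40, 0.6), (SRC, 22, 20.0)],
    }
    for name, seq in samples.items():
        verdicts, log = run(seq)
        print(f"{name}: final verdict {verdicts[-1]}; log: {log}")
```

The "dup" case is why the client must touch each token port exactly once: a retransmitted knock arrives as a second packet to the same port and the PRE-TOKEN chain treats it as a violation. The "late" case shows that the LOG lines alone do not tell you whether the connection got in; "TOKEN OK" is written before the timer is checked.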
The other things you need to change before you restart your firewall are in the main SuSEfirewall2 configuration file (/etc/sysconfig/SuSEfirewall2): change FW_CUSTOMRULES="" to FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom", and FW_DEV_EXT="any eth-id-xx:xx:xx:xx:xx:xx" to FW_DEV_EXT="eth0" or FW_DEV_EXT="eth1" (use the correct name for your external interface, remembering the setting from YaST2). Then restart the firewall:
SuSEfirewall2 stop
SuSEfirewall2 start
Bam: a totally secure firewall that will still let you through. How do you use it? Well, usage differs depending on whether you’re connecting from a Linux box or from a Windows box, but the concept is the same. We can demonstrate the use from a Windows machine, since that is the slightly more complicated setup.
Connecting to Windows
To establish an SSH tunnel you need to download Cygwin. You can get this Linux emulator from http://www.cygwin.com. Run the setup, choose to install from the Internet, save it in c:\ and choose a mirror site to download from. At this point you’ll see a long list of packages you can download and install. Expand Net, and choose to install “curl” and “openssh”.
Curl will let you throw a packet at a designated port on your firewall exactly once. So what you will do is set up a batch file to throw four packets at your firewall in order, to the four port numbers you specified earlier as your tokens. This will open the ssh port on your firewall for 10 seconds. At the end of your batch file it will call an ssh configuration file to establish the encrypted ssh tunnel so you can access your network. It’s just that easy. Just make sure that the batch files, configuration files, and the cygwin directory are all in your c:\ directory.
Here is an example of the batch file and the configuration file.
\cygwin\bin\curl -s -m 1 http://"IPADDRESS":"TOKEN1"
\cygwin\bin\curl -s -m 1 http://"IPADDRESS":"TOKEN2"
\cygwin\bin\curl -s -m 1 http://"IPADDRESS":"TOKEN3"
\cygwin\bin\curl -s -m 1 http://"IPADDRESS":"TOKEN4"
\cygwin\bin\ssh "username"@"IP ADDRESS" -F "config file name"
The config file would look like this:
# Create a tunnel to access my private web server (192.168.0.10)
LocalForward 127.168.0.10:80 192.168.0.10:80
# Create a tunnel to access ssh on my web server (192.168.0.10)
LocalForward 127.168.0.10:22 192.168.0.10:22
# Create a tunnel to access the remote desktop on a Windows XP system (192.168.0.20)
LocalForward 127.168.0.20:3389 192.168.0.20:3389
To save it as a batch file, open Notepad, paste in the code and give the file a .bat extension when you save it. The “username” has to be an account on the computer you are trying to access, and the IP address is just that: the IP address of the computer you are connecting to.
If you are just trying to connect to a file server and don’t care about the firewall portion of this, you will probably have to forward port 22 in your router. The IPADDRESS in the batch file refers to the IP of the server as well; the 192.168.*.* addresses, however, are your home’s INTERNAL addresses. So after making the SSH connection to your server, you can either access things on the server itself or go through the tunnel and touch other computers on your network. Suddenly, an encrypted tunnel for a remote desktop session with your computer at home, without leaving your network wide open, is a real possibility!
If you would like to be able to do this from any computer you sit down at then save your batch file, your configuration file, and cygwin to the root of a USB thumb drive. Just pop in the drive and run it from there to get an automatic connection.
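The article only shows the Windows batch file; the Linux side of the same procedure, added here as an example (not code from the article or its author), is below. It does what the batch file does with curl and cygwin using only the Python standard library: one TCP connection attempt per token port, in order, then ssh with the same -F config file. The firewall drops every knock SYN, so each attempt is expected to time out; only the order of arrival matters. The host, user name and config path come from the command line and are placeholders; the `connect` parameter of `knock()` exists so the sequence can be checked without a network.

```python
"""Linux knock client (added example, not the article's code).
Usage: python3 knock.py HOST USER CONFIGFILE
HOST/USER/CONFIGFILE are placeholders for your own firewall and account."""
import os
import socket
import sys
import time

TOKENS = (10, 20, 30, 40)   # your knock combination, same order as the rules


def try_connect(host, port, timeout):
    """One connection attempt.  Returns True only if the port answered; the
    knock ports are closed and the SYN is dropped, so False (timeout) is the
    normal result.  connect_ex reports a timeout as a non-zero errno rather
    than raising."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def knock(host, tokens=TOKENS, timeout=0.5, delay=0.2, connect=try_connect):
    """Send the knock: exactly one attempt per token port, in order.

    The short timeout matters: on Linux the kernel would retransmit the SYN
    after one second, and a second packet to the same token port is treated
    by the firewall rules as a violation that resets the sequence.  Closing
    the socket within 0.5 s means only one SYN ever leaves per token.
    Returns [(port, answered), ...] in the order sent."""
    sent = []
    for port in tokens:
        sent.append((port, connect(host, port, timeout)))
        time.sleep(delay)            # keep the knocks ordered and well apart
    return sent


def main(argv):
    if len(argv) != 4:
        sys.exit("usage: knock.py HOST USER CONFIGFILE")
    host, user, config = argv[1:]
    knock(host)
    # Replace this process with ssh, reusing the article's LocalForward config
    os.execvp("ssh", ["ssh", f"{user}@{host}", "-F", config])


if __name__ == "__main__":
    main(sys.argv)
```

Save it next to the config file from the article and run it as `python3 knock.py 203.0.113.5 username config` (the address is a constructed placeholder). The ssh step is the same as in the batch file, so the LocalForward lines work unchanged.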
Matt Waldo is an Instructor at TouchStone Technology, Beaverton, OR.
This article was first published on LinuxPlanet.com.