Port knocking example: Difference between revisions

From nftables wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 104: Line 104:
   }
   }
}
}
</syntax>
</source>

Revision as of 09:17, 27 April 2018

Link to original nftables script is here.

Knocking sequence, in this example below, are TCP ports: 123, 234, 345 and 456. 

#!/usr/bin/env nft -f
flush ruleset

table ip Inet4 {
  set Knocked_1 {
    type ipv4_addr
    flags timeout
    timeout 10s
    gc-interval 4s
  }
  set Knocked_2 {
    type ipv4_addr
    flags timeout
    timeout 10s
    gc-interval 4s
  }
  set Knocked_3 {
    type ipv4_addr
    flags timeout
    timeout 10s
    gc-interval 4s
  }
  set Knocked_4 {
    type ipv4_addr
    flags timeout
    timeout 2m
    gc-interval 4s
  }

  chain Knock_1 {
    set add ip saddr @Knocked_1
  }
  chain Unknock_1 {
    set update ip saddr timeout 0s @Knocked_1
  }
  chain Knock_2 {
    set update ip saddr timeout 0s @Knocked_1
    set add ip saddr @Knocked_2
  }
  chain Unknock_2 {
    set update ip saddr timeout 0s @Knocked_2
  }
  chain Knock_3 {
    set update ip saddr timeout 0s @Knocked_2
    set add ip saddr @Knocked_3
  }
  chain Unknock_3 {
    set update ip saddr timeout 0s @Knocked_3
  }
  chain Knock_4 {
    set update ip saddr timeout 0s @Knocked_3
    set add ip saddr @Knocked_4 log prefix "Port-Knock accepted: "
  }

  chain RefreshKnock {
    set update ip saddr timeout 2m @Knocked_4
  }

  chain PortKnock {
    ct state new ip saddr @Knocked_4 goto RefreshKnock
    tcp dport 456 ct state new ip saddr @Knocked_3 goto Knock_4
    tcp dport 345 ct state new ip saddr @Knocked_3 return
    ip saddr @Knocked_3 ct state new goto Unknock_3
    tcp dport 345 ct state new ip saddr @Knocked_2 goto Knock_3
    tcp dport 234 ct state new ip saddr @Knocked_2 return
    ip saddr @Knocked_2 ct state new goto Unknock_2
    tcp dport 234 ct state new ip saddr @Knocked_1 goto Knock_2
    tcp dport 123 ct state new ip saddr @Knocked_1 return
    ip saddr @Knocked_1 ct state new goto Unknock_1
    tcp dport 123 ct state new goto Knock_1
  }

  chain FilterIn {
    type filter hook input priority 0
    policy drop

    # allow established/related connections
    ct state established,related accept

    # early drop of invalid connections
    ct state invalid drop

    # allow from loopback
    meta iif lo accept

    # allow icmp
    ip protocol icmp accept

    # port-knocking
    jump PortKnock

    # misc. filtering
    # ...
  }

  chain FilterOut {
    type filter hook output priority 0
    policy accept
  }
}
Retrieved from "http://wiki.nftables.org/wiki-nftables/index.php?title=Port_knocking_example&oldid=312"