[Firehol-support] Port knocking AND forwarding
Costa Tsaousis
costa at tsaousis.gr
Thu Mar 23 19:20:54 GMT 2006
Johan Herland wrote:
> Hi,
>
> I have a firewall (A) in front of a workstation (B) running an SSH
> server. I'd like to set up port forwarding from A to B for the SSH
> service (something like "dnat to ${A_addr}:22 inface ${inet_inface}
> proto tcp dport 2222"), but I also want this forward to be protected by
> a port knocking sequence (similar to "server ssh accept with knock
> foo", except that this is not a local server).
>
> What is the best way to set this up so that:
> 1. Before the secret knock is done, all connections to port 2222 are
> dropped at the firewall.
> 2. Once the knock is sent, connections to port 2222 on A are forwarded
> to port 22 on B, until the traffic is stopped by a closing knock, or a
> timeout.
> 3. When the knock has been closed, all new connections are dropped as in
> point (1), while established connections (SSH sessions initiated in
> point (2)) continue to work.
>
>
> Thanks for your help.
>
> ...Johan
>
>
Hi,

Do the DNAT permanently so that traffic will always attempt to reach the internal SSH server.

In the router definition use the server statement you mention to allow or block the connection with knockd.

Costa
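An added example of the setup Costa describes, written for this page rather than taken from the FireHOL project or from either poster. Addresses, interface names (eth0 public, eth1 LAN), the workstation address 192.168.1.10, the knock name "foo" and the knock sequences are constructed placeholders. The chain name "knock_foo" that knockd manipulates is an assumption about how FireHOL implements "with knock foo"; confirm it against the knock parameter in your FireHOL version's documentation before relying on it. The knockd keys used (sequence, seq_timeout, tcpflags, command, start_command, cmd_timeout, stop_command) are knockd's own.

```firehol
## /etc/firehol/firehol.conf (FireHOL 1.x syntax; constructed example)
version 5

# Permanent DNAT, as suggested above: every TCP connection arriving on the
# public interface for port 2222 is rewritten to B's port 22 before routing.
# The NAT rule only rewrites; it accepts nothing by itself.
dnat to 192.168.1.10:22 inface eth0 proto tcp dport 2222

# Firewall A's own traffic on the public side: only outgoing connections.
interface eth0 internet
    client all accept

# The LAN side of A is trusted here for brevity.
interface eth1 lan
    policy accept

# Whether the forwarded connection is allowed is decided in the router.
# After DNAT the destination port is already 22, so the plain ssh service
# definition matches. "with knock foo" accepts only sources that knockd has
# admitted; everything else hits the router's default drop, so before a
# knock port 2222 is silently dropped (Johan's point 1).
router internet2lan inface eth0 outface eth1
    server ssh accept with knock foo
    client all accept


## /etc/knockd.conf (knockd syntax; sequences are constructed placeholders)
[options]
    logfile = /var/log/knockd.log

# Opening knock: admit the knocking source for one hour, then revoke it
# (the timeout half of Johan's point 2). The chain name is the assumed
# FireHOL convention for "with knock foo".
[openSSHforward]
    sequence      = 7000,8000,9000
    seq_timeout   = 5
    tcpflags      = syn
    start_command = /sbin/iptables -I knock_foo -s %IP% -j ACCEPT
    cmd_timeout   = 3600
    stop_command  = /sbin/iptables -D knock_foo -s %IP% -j ACCEPT

# Closing knock: revoke access early (the other half of point 2).
[closeSSHforward]
    sequence      = 9000,8000,7000
    seq_timeout   = 5
    tcpflags      = syn
    command       = /sbin/iptables -D knock_foo -s %IP% -j ACCEPT
```

Johan's point 3 follows from FireHOL generating stateful rules: packets of connections already tracked as ESTABLISHED are accepted before the per-service rules are consulted, so the knock chain is only evaluated for the first packet of a new connection. Deleting the ACCEPT entry therefore stops new sessions from that source while SSH sessions opened during the window keep working. Run `firehol try` after editing the config so a mistake does not lock you out of A.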