[Firehol-support] Port knocking AND forwarding

Costa Tsaousis costa at tsaousis.gr
Thu Mar 23 19:20:54 GMT 2006

Johan Herland wrote:
> Hi,
> I have a firewall (A) in front of a workstation (B) running an SSH 
> server. I'd like to set up port forwarding from A to B for the SSH 
> service (something like "dnat to ${A_addr}:22 inface ${inet_inface} 
> proto tcp dport 2222"), but I also want this forward to be protected by 
> a port knocking sequence (similar to "server ssh accept with knock 
> foo", except that this is not a local server).
> What is the best way to set this up so that:
> 1. Before the secret knock is done, all connections to port 2222 are 
> dropped at the firewall.
> 2. Once the knock is sent, connections to port 2222 on A are forwarded 
> to port 22 on B, until the traffic is stopped by a closing knock, or a 
> timeout.
> 3. When the knock has been closed, all new connections are dropped as in 
> point (1), while established connections (SSH sessions initiated in 
> point (2)) continue to work.
> Thanks for your help.
> ...Johan

Do the DNAT permanently so that traffic will always attempt to reach the 
internal SSH server.
In the router definition use the server statement you mention to allow 
or block the connection with knockd.
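To make the two-step answer concrete, here is a FireHOL configuration sketch added to this thread as an example (it is not code from the original post or from the FireHOL project). The interface names eth0/eth1, the internal address 192.0.2.10, the knock name ssh_fwd and its chain knock_ssh_fwd, the RETURN rules knockd inserts, and the knock sequence are all assumptions to check against firehol-params(5) and your knockd version.

```firehol
version 5

# Assumed topology: eth0 is A's Internet side, eth1 faces the LAN where
# B (192.0.2.10, a documentation address) runs sshd on port 22.
inet_inface="eth0"
lan_inface="eth1"
B_addr="192.0.2.10"

# 1. Permanent DNAT: every TCP connection to A:2222 is rewritten to B:22.
#    Rewriting alone allows nothing; the router below decides whether
#    the forwarded packets may pass.
dnat to "${B_addr}:22" inface "${inet_inface}" proto tcp dport 2222

interface "${inet_inface}" internet
    protection strong
    client all accept

interface "${lan_inface}" lan
    policy accept

# 2. After DNAT the forwarded packet has dport 22, so the ordinary "ssh"
#    service matches it in the Internet->LAN router.  "with knock ssh_fwd"
#    (assumed) makes FireHOL consult the chain knock_ssh_fwd first and drop
#    new connections from sources that have not knocked.
router inet2lan inface "${inet_inface}" outface "${lan_inface}"
    server ssh accept with knock ssh_fwd

# knockd side, an assumed /etc/knockd.conf stanza (not a FireHOL statement):
# [ssh_fwd]
#   sequence      = 7000,8000,9000
#   seq_timeout   = 5
#   tcpflags      = syn
#   start_command = /sbin/iptables -I knock_ssh_fwd -s %IP% -j RETURN
#   cmd_timeout   = 30
#   stop_command  = /sbin/iptables -D knock_ssh_fwd -s %IP% -j RETURN
#
# 3. Check after the stop_command fires: "iptables -L knock_ssh_fwd -n" should
#    no longer list the source, while "iptables -L inet2lan_in -n -v" should show
#    an ESTABLISHED rule still counting packets for the open SSH session.
```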
