
Thread: Port Knocking Problems.....

  1. #1
    Junior Member
    Join Date
    Mar 2008
    Posts
    94

    Port Knocking Problems.....

    Hey everyone. I got a little situation going on. Recently I got a new router, flashed it with Linux and want to set it up for port knocking. So far I have had no success. Here's a detailed description of what I'm doing. Maybe someone can try it or look for a typo or something. It should work!

    The hardware I'm running it on is a Linksys WRT54GS v1.0 router running a copy of DD-WRT v24SP2. I used ipkg to install knockd and its runtime. It would not install because it said the runtime files did not install, even though they did! I did a -force-depends and it seemed to go in well.

    I get to an SSH shell using PuTTY and run this command:

    knockd -d -i vlan1 -c /jffs/etc/knockd.conf
    vlan1 is my WAN port (I think) because it has my external IP if I do an ifconfig.

    Then I look at top -n 1 to see if it's running and it shows:

    PID PPID USER STAT VSZ %MEM %CPU COMMAND
    2094 1 root S 924 3.1 0.0 knockd -d -i vlan1 -c /jffs/etc/knockd.conf
    So far everything seems good. I look at the knockd log:

    [2009-01-09 04:28] starting up, listening on vlan1
    We're doing good! I have my Windows firewall turned off. I'm knocking on a local computer in my LAN to my external IP address.

    Here's my config file:

    [options]
    logfile = /tmp/logs/knockd.log

    [open]
    sequence = 1000:tcp,2000:tcp,3000:tcp
    seq_timeout = 10
    command = /usr/sbin/iptables -I INPUT -s %IP% -p tcp --dport 4444 -j ACCEPT
    tcpflags = syn

    [close]
    sequence = 3000:tcp,2000:tcp,1000:tcp
    seq_timeout = 10
    command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 4444 -j ACCEPT
    tcpflags = syn
    It's just a simple test to use knock on some ports to open port 4444 and then run the second sequence to close it. I need -I because that's what everyone says for DD-WRT. -A does not work either.

    So everything seems good. I check my INPUT iptables:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    logaccept tcp -- anywhere anywhere tcp dpt:www
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:1723
    ACCEPT gre -- anywhere anywhere
    DROP udp -- anywhere anywhere udp dpt:route
    DROP udp -- anywhere anywhere udp dpt:route
    ACCEPT udp -- anywhere anywhere udp dpt:route
    logaccept tcp -- anywhere MyNetwork tcp dpt:22
    DROP icmp -- anywhere anywhere
    DROP igmp -- anywhere anywhere
    ACCEPT 0 -- anywhere anywhere state NEW
    logaccept 0 -- anywhere anywhere state NEW
    DROP 0 -- anywhere anywhere
    Do these look right?

    Now I go to a computer on my local LAN and run this batch file:

    @echo OFF
    CALL knock computerhelp.homeip.net 1000:tcp 2000:tcp 3000:tcp
    Then I check my iptables again:

    target prot opt source destination
    logaccept tcp -- anywhere anywhere tcp dpt:www
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:1723
    ACCEPT gre -- anywhere anywhere
    DROP udp -- anywhere anywhere udp dpt:route
    DROP udp -- anywhere anywhere udp dpt:route
    ACCEPT udp -- anywhere anywhere udp dpt:route
    logaccept tcp -- anywhere MyNetwork tcp dpt:22
    DROP icmp -- anywhere anywhere
    DROP igmp -- anywhere anywhere
    ACCEPT 0 -- anywhere anywhere state NEW
    logaccept 0 -- anywhere anywhere state NEW
    DROP 0 -- anywhere anywhere
    Yep, no changes. Then I review my log:

    [2009-01-09 04:28] starting up, listening on vlan1
    No change....it's like the knocks aren't even getting there, but if I run knock in verbose mode it says the ports were knocked.

    Any ideas? Are my INPUT iptables correct in the first place?

    Thanks for the help.
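To make the posted knockd.conf concrete, here is an added example (not part of this post or of knockd itself) that models how knockd walks the [open] and [close] sequences with seq_timeout = 10 and tcpflags = syn over a constructed packet trace. The reset-on-wrong-port behaviour is a simplification of knockd and is labelled as an assumption in the code.

```python
from dataclasses import dataclass

# Sequences and timeout transcribed from the knockd.conf posted above.
OPEN_SEQUENCE = [(1000, "tcp"), (2000, "tcp"), (3000, "tcp")]
CLOSE_SEQUENCE = [(3000, "tcp"), (2000, "tcp"), (1000, "tcp")]
SEQ_TIMEOUT = 10  # seconds allowed for the whole sequence to complete

@dataclass
class Attempt:
    stage: int = 0        # index of the knock expected next
    started: float = 0.0  # timestamp of the first knock of this attempt

def match_knocks(events, sequence, seq_timeout=SEQ_TIMEOUT, tcpflags_syn=True):
    """Simplified model of one knockd door.

    events: (time, src_ip, port, proto, syn) tuples standing in for packets
    captured on the listen interface (knockd sniffs with libpcap, so it sees
    them before iptables does). Returns [(time, src_ip)] for every completed
    sequence, i.e. every point at which the door's command would run.
    """
    attempts, completed = {}, []
    for t, src, port, proto, syn in events:
        if tcpflags_syn and proto == "tcp" and not syn:
            continue  # tcpflags = syn: anything but a bare SYN is ignored
        if (port, proto) not in sequence:
            continue  # knockd's capture filter only covers the door's own ports
        att = attempts.setdefault(src, Attempt())
        if att.stage > 0 and t - att.started > seq_timeout:
            att.stage = 0  # stale attempt: start over from this packet
        if (port, proto) == sequence[att.stage]:
            if att.stage == 0:
                att.started = t
            att.stage += 1
            if att.stage == len(sequence):
                completed.append((t, src))
                att.stage = 0
        else:
            att.stage = 0  # out-of-order knock aborts the attempt (model assumption)
    return completed

# Constructed trace: a clean open, a knock that times out, an out-of-order
# knock, and a non-SYN packet, all from one made-up WAN host.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.5", 1000, "tcp", True), (1.0, "203.0.113.5", 2000, "tcp", True),
    (2.0, "203.0.113.5", 3000, "tcp", True),                   # door opens at t=2
    (20.0, "203.0.113.5", 1000, "tcp", True), (35.0, "203.0.113.5", 2000, "tcp", True),
    (40.0, "203.0.113.5", 1000, "tcp", True), (41.0, "203.0.113.5", 3000, "tcp", True),
    (42.0, "203.0.113.5", 2000, "tcp", True),                  # out of order
    (50.0, "203.0.113.5", 1000, "tcp", False),                 # ACK, not SYN
]

if __name__ == "__main__":
    print(match_knocks(SAMPLE_EVENTS, OPEN_SEQUENCE))  # [(2.0, '203.0.113.5')]
```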

  2. #2
    imported_wyze (Jenkem Addict)
    Join Date
    Jul 2007
    Posts
    1,543


    I'd try connecting to the 'vlan' iface IP first from the outside on a separate port (do a netcat -vvvvvv <IP> port -L then telnet/netcat to that port from the outside) just to ensure

    • That you're not being blocked
    • Proper routing


    If you _can_ connect, then it's obviously a firewall issue or some sort of NAT issue (as vlan1 probably isn't being NAT'd right).
    dd if=/dev/swc666 of=/dev/wyze
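Once reachability is confirmed, the next thing to rule out is rule order, which is what the -I versus -A remark in #1 is about. As an added example (not from this thread), the following first-match walk over the INPUT chain posted in #1 shows that an ACCEPT for dport 4444 appended after the final DROP is never reached; it assumes the listing was taken with iptables -L without -v, which hides the interface column, and that the two "state NEW" rules carry DD-WRT's usual -i br0 (LAN bridge) match.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    target: str
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port
    src: Optional[str] = None     # None = anywhere
    state: Optional[str] = None   # conntrack state list, if any
    iface: Optional[str] = None   # -i match; hidden by iptables -L without -v
class Packet(NamedTuple):
    proto: str
    dport: int
    src: str
    state: str   # "NEW", "ESTABLISHED", ... as conntrack would classify it
    iface: str   # interface the packet arrived on

# The INPUT chain posted in #1 ("www" is 80, "route" is 520 in /etc/services).
# Assumption: the two "state NEW" rules carry a hidden "-i br0" (DD-WRT's LAN bridge).
POSTED_INPUT = [
    Rule("logaccept", "tcp", 80),
    Rule("ACCEPT", state="RELATED,ESTABLISHED"),
    Rule("ACCEPT", "tcp", 1723),
    Rule("ACCEPT", "gre"),
    Rule("DROP", "udp", 520), Rule("DROP", "udp", 520), Rule("ACCEPT", "udp", 520),
    Rule("logaccept", "tcp", 22),        # dst MyNetwork in the listing; dst not modelled
    Rule("DROP", "icmp"), Rule("DROP", "igmp"),
    Rule("ACCEPT", state="NEW", iface="br0"),
    Rule("logaccept", state="NEW", iface="br0"),
    Rule("DROP"),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in (None, pkt.proto) and rule.dport in (None, pkt.dport)
            and rule.src in (None, pkt.src) and rule.iface in (None, pkt.iface)
            and (rule.state is None or pkt.state in rule.state.split(",")))

def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule wins; logaccept is DD-WRT's log-then-ACCEPT chain."""
    for rule in chain:
        if matches(rule, pkt):
            return "ACCEPT" if rule.target == "logaccept" else rule.target
    return policy

def knockd_rule(ip):  # what "-s %IP% -p tcp --dport 4444 -j ACCEPT" adds for one knocker
    return Rule("ACCEPT", "tcp", 4444, src=ip)

def compare_insert_vs_append(knocker="203.0.113.5"):
    pkt = Packet("tcp", 4444, knocker, "NEW", "vlan1")  # constructed WAN SYN after a knock
    return {"no rule": verdict(POSTED_INPUT, pkt),
            "-A": verdict(POSTED_INPUT + [knockd_rule(knocker)], pkt),  # after the DROP
            "-I": verdict([knockd_rule(knocker)] + POSTED_INPUT, pkt)}  # at the top
```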

  3. #3
    Junior Member
    Join Date
    Mar 2008
    Posts
    94


    Ok. I haven't had time to work with netcat yet...but I do have an update. I set the device back to factory defaults and went to the control panel using https. Then I set up my web server and https breaks. It won't work on my LAN or on the WAN. I think it might have something to do with my port knocking problem.

    I run this on start up to set up my web server:

    killall httpd
    httpd -p 81 -h /www
    httpd -h /jffs/www
    /usr/sbin/iptables -I INPUT -p tcp --dport 80 -j logaccept
    /usr/sbin/iptables -I INPUT -p tcp -d 192.168.1.1 --dport 81 -j logaccept
    /usr/sbin/iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 81 -j DNAT --to 192.168.1.1:81
    I first kill the httpd process, then reload it on port 81 for my HTTP web administration, and then I start it again for port 80, which is my custom website. Then I set port 80 to the world. Finally I open up port 81 to the world for my HTTP administration (since I can't get https going), then I configure NAT for port 81.

    Then that's where it gets confusing. I look at my iptables:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    logaccept tcp -- anywhere MJOLNIR tcp dpt:81
    logaccept tcp -- anywhere anywhere tcp dpt:www
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    DROP udp -- anywhere anywhere udp dpt:route
    DROP udp -- anywhere anywhere udp dpt:route
    ACCEPT udp -- anywhere anywhere udp dpt:route
    logaccept tcp -- anywhere MJOLNIR tcp dpt:https
    logaccept tcp -- anywhere MJOLNIR tcp dpt:22
    DROP icmp -- anywhere anywhere
    DROP igmp -- anywhere anywhere
    ACCEPT 0 -- anywhere anywhere state NEW
    logaccept 0 -- anywhere anywhere state NEW
    DROP 0 -- anywhere anywhere
    I can see from this table that:

    logaccept tcp -- anywhere MJOLNIR tcp dpt:https
    which means port 443 is open to the world?

    Then I look at my NAT tables:

    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DNAT tcp -- anywhere adsl-69-225-83-134.dsl.skt2ca.pacbell.net tcp dpt:81 to:192.168.1.1:11111
    DNAT tcp -- anywhere adsl-69-225-83-134.dsl.skt2ca.pacbell.net tcp dpt:33 to:192.168.1.1:443
    DNAT tcp -- anywhere adsl-69-225-83-134.dsl.skt2ca.pacbell.net tcp dpt:22 to:192.168.1.1:22222
    DNAT icmp -- anywhere adsl-69-225-83-134.dsl.skt2ca.pacbell.net to:192.168.1.1
    TRIGGER 0 -- anywhere adsl-69-225-83-134.dsl.skt2ca.pacbell.net TRIGGER type:dnat match:0 relate:0
    I can see that:

    DNAT tcp -- anywhere adsl-69-225-83-134.dsl.skt2ca.pacbell.net tcp dpt:33 to:192.168.1.1:443
    I think this means that port 33 is what I want to use for port 443, trying to mask 443 from the world while opening 33. Hence forwarding port 33 to 443, right?

    But I tried doing:

    None of these work from the LAN or WAN. Can anyone pinpoint what I'm missing?

    I think this might have something to do with port knocking not working?

    EDIT: ------------------------------------------------------------------------

    Ok, I got some good news. I finally found out what happened to my https problem. After some posting and some reading, the answer finally hit me!

    Once I did a killall on the httpd services and started them back up, I started up HTTP:80 and HTTP:81 and I FORGOT to start up HTTP:443, aka httpd -S!!!!! Now it works like a charm!

    I'm still working on my port knocking problem, but at least that's one more thing that's working right!
