Hey everyone. I got a little situation going on. Recently I got a new router, flashed it with Linux and want to set it up for port knocking. So far I have had no success. Here's a detailed description of what I'm doing. Maybe someone can try it or look for a typo or something. It should work!

The hardware I'm running it on is a Linksys WRT54GS v1.0 router running a copy of DD-WRT v24SP2. I used ipkg to install knockd and its runtime. It would not install because it said the runtime files did not install, even though they did! I did a -force-depends and it seemed to go in well.

I get to an SSH shell using PuTTY and run this command:

knockd -d -i vlan1 -c /jffs/etc/knockd.conf
vlan1 is my WAN port (I think) because it has my external IP if I do an ifconfig.

Then I look at top -n 1 to see if it's running and it shows:

PID PPID USER STAT VSZ %MEM %CPU COMMAND
2094 1 root S 924 3.1 0.0 knockd -d -i vlan1 -c /jffs/etc/knockd.conf
So far everything seems good. I look at the knockd log:

[2009-01-09 04:28] starting up, listening on vlan1
We're doing good! I have my Windows firewall turned off. I'm knocking from a local computer in my LAN to my external IP address.

Here's my config file:

[options]
logfile = /tmp/logs/knockd.log

[open]
sequence = 1000:tcp,2000:tcp,3000:tcp
seq_timeout = 10
command = /usr/sbin/iptables -I INPUT -s %IP% -p tcp --dport 4444 -j ACCEPT
tcpflags = syn

[close]
sequence = 3000:tcp,2000:tcp,1000:tcp
seq_timeout = 10
command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 4444 -j ACCEPT
tcpflags = syn
It's just a simple test to use knock on some ports to open port 4444 and then run the second sequence to close it. I need -I because that's what everyone says for DD-WRT. -A does not work either.

So everything seems good. I check my INPUT iptables:

Chain INPUT (policy ACCEPT)
target prot opt source destination
logaccept tcp -- anywhere anywhere tcp dpt:www
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:1723
ACCEPT gre -- anywhere anywhere
DROP udp -- anywhere anywhere udp dpt:route
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT udp -- anywhere anywhere udp dpt:route
logaccept tcp -- anywhere MyNetwork tcp dpt:22
DROP icmp -- anywhere anywhere
DROP igmp -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
logaccept 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere
Do these look right?

Now I go to a computer on my local LAN and run this batch file:

@echo OFF
CALL knock computerhelp.homeip.net 1000:tcp 2000:tcp 3000:tcp
Then I check my iptables again:

target prot opt source destination
logaccept tcp -- anywhere anywhere tcp dpt:www
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:1723
ACCEPT gre -- anywhere anywhere
DROP udp -- anywhere anywhere udp dpt:route
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT udp -- anywhere anywhere udp dpt:route
logaccept tcp -- anywhere MyNetwork tcp dpt:22
DROP icmp -- anywhere anywhere
DROP igmp -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
logaccept 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere
Yep, no changes. Then I review my log:

[2009-01-09 04:28] starting up, listening on vlan1
No change... it's like the knocks aren't even getting there, but if I run knock in verbose mode it says the ports were knocked.

Any ideas? Are my INPUT iptables correct in the first place?

Thanks for the help.
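Added illustration, not part of the original post: a small Python model of how knockd evaluates the [open] and [close] doors in the config above. It parses the config with configparser, requires the knocks in order within seq_timeout of the first one, resets on an out-of-order knock, and ignores packets that did not arrive on the interface given to -i (the LAN bridge name br0, the source address 203.0.113.7 and the packet events are all constructed assumptions). The matching rules are a simplification of knockd's behaviour, not its code.

```python
import configparser

# The [open]/[close] doors from the post's knockd.conf, embedded as constructed input.
KNOCKD_CONF = """\
[open]
sequence = 1000:tcp,2000:tcp,3000:tcp
seq_timeout = 10
command = /usr/sbin/iptables -I INPUT -s %IP% -p tcp --dport 4444 -j ACCEPT
tcpflags = syn
[close]
sequence = 3000:tcp,2000:tcp,1000:tcp
seq_timeout = 10
command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 4444 -j ACCEPT
tcpflags = syn
"""

def load_doors(conf_text):
    """Parse knockd.conf; every section except [options] describes a door."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %IP% literal
    cp.read_string(conf_text)
    doors = {}
    for name in cp.sections():
        if name == "options":
            continue
        seq = [(int(port), proto) for port, proto in
               (item.split(":") for item in cp[name]["sequence"].split(","))]
        doors[name] = {"sequence": seq,
                       "timeout": cp.getint(name, "seq_timeout"),
                       "command": cp[name]["command"]}
    return doors

def simulate(doors, packets, listen_iface="vlan1"):
    """Replay (time, iface, src_ip, dst_port, proto) SYNs; return the commands knockd would run."""
    state = {}  # (door, src) -> [stage, time of first knock]
    commands = []
    for t, iface, src, port, proto in packets:
        if iface != listen_iface:           # a daemon on -i vlan1 never sees these
            continue
        for name, door in doors.items():
            st = state.setdefault((name, src), [0, None])
            if st[1] is not None and t - st[1] > door["timeout"]:
                st[:] = [0, None]           # seq_timeout exceeded: start over
            if door["sequence"][st[0]] == (port, proto):
                st[:] = [st[0] + 1, st[1] if st[0] else t]  # advance, keep first-knock time
                if st[0] == len(door["sequence"]):
                    commands.append(door["command"].replace("%IP%", src))
                    st[:] = [0, None]
            elif (port, proto) in door["sequence"]:
                st[:] = [0, None]           # out-of-order knock resets the attempt
    return commands
```

Replaying the same three knocks tagged with the LAN interface instead of vlan1 produces no command at all, which is the first thing to check when the log never gets past "starting up".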