cheako

Port knocker update.

Apr 26th, 2012
  1. Diff to Knock.pm from http://www.shorewall.net/ManualChains.html
  2.  
  3. Changes:
  4.  * Support for more than one port.
  5.  * Clear state if knock out of order.
  6.    - if too early.
  7.    - if too late.
  8.    - this will break you if using the same port more than once.
  9.  * Fixed issue with logging, where DROP would log even when nothing dropped.
  10.  * WARNING, rejects a correct knock.  This is a security (*)risk, but so
  11. is knock, and it's essential with the above out of order tests.
  12.  
  13. More robust, YMMV.
  14.  
  15. (*) My thinking is who is going to probe around after finding one port
  16. that rejects, if you have 3 or even 5 other ports it becomes impossible
  17. to do anything with this.  However one should note that this will lead
  18. to an easy crack if you just have one port.
  19.  
  20. A web page that will keep your Knock going so the port is always open,
  21. HTML 5 local storage enabled.
  22. http://pastebin.com/bzDgL5BN
  23.  
  24.   * This page depends on rejecting a correct knock, browsers don't
  25. time-out easily.
  26.  
  27. ===================================================================
  28. RCS file: Knock.pm,v
  29. retrieving revision 1.1
  30. diff -u -r1.1 Knock.pm
  31. --- Knock.pm    2012/04/26 16:44:39 1.1
  32. +++ Knock.pm    2012/04/27 04:39:48
  33. @@ -52,9 +52,9 @@
  34.    $name = 'Knock' . $name;
  35.  
  36.    # We want one chain for all Knock rules that share a 'name' field
  37. -  my $chainref = $chains_created{$name};
  38. +  my $chainref = $chains_created{"${name}_0"};
  39.    unless (defined $chainref) {
  40. -    $chainref = $chains_created{$name} = new_manual_chain($name);
  41. +    $chainref = $chains_created{"${name}_0"} = new_manual_chain("${name}_0");
  42.    }
  43.    
  44.    # Logging
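Review bot: The unchanged comment `# We want one chain for all Knock rules that share a 'name' field` above the changed lines no longer describes the code: `$chainref` is now the `${name}_0` chain, the first of a per-port series that the second hunk extends with `${name}_<index>` and `${name}_f`. Suggest replacing it with `# Root chain of the per-port series: ${name}_<i> holds the rules for knock i, ${name}_f clears the recent state and drops`. The enclosing subroutine starts before this hunk.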
  45. @@ -67,36 +67,97 @@
  46.                       '',
  47.                       $args->{log_tag} || '',
  48.                       'add',
  49. -                     "-p $proto --dport $port -m recent --rcheck --name $name"
  50. +                     "-p $proto --dport $port -m recent --rcheck --name ${name}_$#knocker_ports"
  51.                      );
  52. +    }
  53. +  }
  54. +
  55. +  # In this instance we make a chain for each port,
  56. +  # identified by it's index number.
  57. +
  58. +  # Reset chain handles failure, used now populated later.
  59. +  my $name_f = "${name}_f";
  60. +  my $chainref_f = $chains_created{$name_f};
  61. +  unless (defined $chainref_f) {
  62. +    $chainref_f = $chains_created{$name_f} = new_manual_chain($name_f);
  63. +  }
  64. +
  65. +  foreach my $trap (@trap_ports) {
  66. +    add_rule($chainref, "-p $proto --dport $trap -j $name_f");
  67. +  }
  68. +
  69. +  # Add the recent match rules to the correct chain
  70. +  for (my $index=0;$index<@knocker_ports;$index++) {
  71. +    my $knock = $knocker_ports[$index];
  72. +    my $_name = "${name}_$index";
  73. +    my $_namepp = "${name}_".($index+1);
  74. +    my $_namemm = "${name}_".($index-1);
  75. +    my $_chainref = $chains_created{$_name};
  76. +    unless (defined $_chainref) {
  77. +      $_chainref = $chains_created{$_name} = new_manual_chain($_name);
  78. +    }
  79. +    add_rule($chainref_f, "-m recent --name ${name}_$index --remove");
  80. +    # Auto-trap the other ports?
  81. +    # This will break you if using the same port more then once.
  82. +    # First the root collection has "not yet" masq.
  83. +    for (my $_index=$index+1;$_index<@knocker_ports;$_index++) {
  84. +      my $trap=$knocker_ports[$_index];
  85. +      # Port is too early check and pass to chain that clears state.
  86. +      add_rule($chainref, "-p $proto --dport $trap -m recent ! --rcheck --seconds $seconds --name ${name}_$index -j $name_f");
  87. +    }
  88. +    # Then for the ports where it is too late.
  89. +    for (my $_index=0;$_index<$index;$_index++) {
  90. +      my $trap=$knocker_ports[$_index];
  91. +      add_rule($_chainref, "-p $proto --dport $trap -j $name_f");
  92. +    }
  93. +    # This is the rule to catch the knock.
  94. +    add_rule($_chainref, "-p $proto --dport $knock -m recent --name $_name --set -j REJECT");
  95. +    # Add the rule(s) to pass any knock or target to the next chain, only 15 ports at a time.
  96. +    if ($index<$#knocker_ports) {
  97. +      unless (defined $chains_created{$_namepp}) {
  98. +        $chains_created{$_namepp} = new_manual_chain($_namepp);
  99. +      }
  100. +      push(my @all_dest_ports, @target, @knocker_ports);
  101. +      for (my $_index=0;$_index<$#all_dest_ports;$_index+=15) {
  102. +        my @_all_dest_ports = @all_dest_ports;
  103. +        my $all_dest_ports = join(',', splice(@_all_dest_ports, $_index, 15));
  104. +        add_rule($_chainref, "-p $proto -m multiport --dports $all_dest_ports -m recent --rcheck --seconds $seconds --name $_name -j $_namepp");
  105. +      }
  106. +    }
  107. +  }
  108. +
  109. +  # We only add the last port to the targest.
  110. +  foreach my $port (@target) {
  111. +    add_rule($chainref, "-p $proto --dport $port -m recent --rcheck --seconds $seconds --name ${name}_$#knocker_ports -j ACCEPT");
  112. +  }
  113.  
  114. +  # Logging
  115. +  if ($args->{log_level}) {
  116. +    foreach my $port (@target) {
  117.        log_rule_limit($args->{log_level},
  118.                       $chainref,
  119.                       'Knock',
  120. -                     'DROP',
  121. +                     'Filtered',
  122.                       '',
  123.                       $args->{log_tag} || '',
  124.                       'add',
  125.                       "-p $proto --dport ! $port"
  126.                      );
  127.      }
  128. +    log_rule_limit($args->{log_level},
  129. +                     $chainref_f,
  130. +                     'Knock',
  131. +                     'DROP',
  132. +                     '',
  133. +                     $args->{log_tag} || '',
  134. +                     'add', ''
  135. +                    );
  136.    }
  137. -
  138. -  # Add the recent match rules to the manual chain
  139. -  foreach my $knock (@knocker_ports) {
  140. -    add_rule($chainref, "-p $proto --dport $knock -m recent --name $name --set -j DROP");
  141. -  }
  142. -
  143. -  foreach my $trap (@trap_ports) {
  144. -    add_rule($chainref, "-p $proto --dport $trap -m recent --name $name --remove -j DROP");
  145. -  }
  146. -
  147. -  foreach my $port (@target) {
  148. -    add_rule($chainref, "-p $proto --dport $port -m recent --rcheck --seconds $seconds --name $name -j ACCEPT");
  149. -  }
  150. +  add_rule($chainref_f, "-j DROP");
  151.  
  152.    # And add a rule to the main chain(s) to jump into the manual chain at the appropriate points
  153. -  my $all_dest_ports = join(',', @target, @knocker_ports, @trap_ports);
  154. +  push(my @all_dest_ports, @target, @knocker_ports, @trap_ports);
  155. +  my $all_dest_ports = join(',', @all_dest_ports);
  156.    shorewall "$chainref->{name} $src $dest $proto $all_dest_ports - $original_dest";
  157.  
  158.    return 1;
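Review bot: The chunking loop `for (my $_index=0;$_index<$#all_dest_ports;$_index+=15)` stops one element short: `$#all_dest_ports` is the last index, not the count, so when the target-plus-knock list has 16, 31, ... entries the final port (the last knock port) is never placed in a multiport pass-through rule, and as far as I can trace the chain layout the last knock then never reaches its own chain and the sequence can never complete. The condition should be `$_index < @all_dest_ports`, and the per-chunk array copy plus `splice` can become a slice, `join(',', @all_dest_ports[$_index .. ($_index+14 < $#all_dest_ports ? $_index+14 : $#all_dest_ports)])`. The `push(my @all_dest_ports, @target, @knocker_ports)` feeding it is loop-invariant and could be built once before the `for` over `@knocker_ports`. `$_namemm` is assigned but never used, and the `$_name`/`$_index`/`@_all_dest_ports` spelling is easy to misread as `$_`; `$chain_name`/`$j`/`@chunk` would read better. The enclosing subroutine starts before this hunk.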