I have been working on a problem with iptables:
I am trying to open a port range for a specific IP for x seconds/minutes as a result of a single packet being sent to a specific port.
Not exactly port knocking, but the same principle; however, I can't get it to work. Here is what I have done so far; I may have completely misunderstood something, since I have only just started working with firewalls, and especially with iptables.
The code:
######### UPnP ###########
#Opens up for all udp ports on local network - not so good.
#-A INPUT -s 10.10.10.254/24 -i eno1 -p udp -m udp -j ACCEPT
#Opens for the needed ports for syncthing but still too many
#-A INPUT -s 10.10.10.254/24 -i eno1 -p udp --match multiport --dports 40000:65000 -j ACCEPT
#allows for related ports to be opened along with ones already established. Does not work
-A INPUT -s 10.10.10.254/24 -i eno1 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
###### Opening up the selected port range for x seconds when a udp packet is received on port 1900
#Creating chain STATE0-1
-N STATE0
-A INPUT -j STATE0
#Opening and receiving package from port 1900
-A STATE0 -s 10.10.10.254/24 -i eno1 -m state --state NEW -p udp -m udp --dport 1900 -m recent --name UPnPpacket --set -j ACCEPT
-A STATE0 -j DROP
-N STATE1
#Looking at recent with name UPnPpacket and if it exists open ports 40000:65000 for 10 seconds
###
#-A STATE1 -s 10.10.10.254/24 -i eno1 -m state --state NEW -p udp --match multiport --dports 40000:65000 -m recent --rcheck --seconds 10 --name UPnPpacket -j ACCEPT
###
#trying this instead
-A STATE1 -m recent --name UPnPpacket --remove
-A STATE1 -s 10.10.10.254/24 -i eno1 -p udp --match multiport --dports 40000:65000 -j ACCEPT
-A STATE1 -j STATE0
As you can see, I am trying to get UPnP working with Arch Linux... Not an easy task, I might add :-)
Cheers,
------------ ########## -----------
UPDATE:
########################################
######### UPnP ###########
#allows for related ports to be opened along with ones already established. Does not work on its own
-A INPUT -s 10.10.10.254/24 -i eno1 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
#Open up for the multicast discovery (THESE SHOULD BE DELETED ONE BY ONE TO TEST WHICH ARE NEEDED)
-A INPUT -i eno1 -d 224.0.0.0/8 -p igmp -j ACCEPT
-A INPUT -i eno1 -s 0.0.0.0/32 -d 224.0.0.1/32 -p igmp -j ACCEPT
-A INPUT -p igmp -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Upon a udp package being received on port 1900 from the local subnet
# the port range 40000:65000 is opened for 30 seconds.
#0 Create chain and give packages received name
-N INTO-PHASE2
#3 Take all packages arriving in chain INTO-PHASE2 and rename them from PHASE1 to PHASE2 and log the event
-A INTO-PHASE2 -m recent --name PHASE1 --remove
-A INTO-PHASE2 -m recent --name PHASE2 --set
-A INTO-PHASE2 -j LOG --log-prefix "INTO PHASE2: "
#1 Name incoming packages
-A INPUT -s 10.10.10.254/24 -p udp -m recent --update --name PHASE1
#1 Name packages from port 1900 from local subnet and name it PHASE1
-A INPUT -s 10.10.10.254/24 -i eno1 -p udp -m udp --dport 1900 -m recent --set --name PHASE1 -j INTO-PHASE2
# Check for whether a package received on portrange has a sender with the same IP as sender of package PHASE1, if so, pass package into the INTO-PHASE2 chain.
-A INPUT -s 10.10.10.254/24 -p udp --match multiport --dports 30000:65000 -m recent --rcheck --name PHASE1 -j ACCEPT
# Check packages arriving at the portrange from the local subnet to see if they have the name "PHASE2" - if they do and they are recent, accept all packages on the portrange for 30 seconds
-A INPUT -s 10.10.10.254/24 -p udp --match multiport --dports 30000:65000 -m recent --rcheck --seconds 30 --name PHASE2 -j ACCEPT
#test
#-A INPUT -s 10.10.10.254/24 -p udp --match multiport --dports 30000:65000 -j ACCEPT
#############
I don't know what the problem is, but the packet is received and accepted on 1900 udp; however, it refuses to open up the port range...
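To make the `-m recent` mechanism the rules above rely on easier to reason about, here is an added simulation (not part of the original post, and not iptables itself): a trigger packet on port 1900 puts the source IP on a list with `--set`, and packets to the high port range are accepted only while `--rcheck --seconds N` still matches for that same source IP. The packet list, IPs and timings are constructed; the model also shows how `--update` differs from `--rcheck`, since `--update` refreshes the timestamp and thereby extends the window on every matching packet.

```python
# Minimal model of one xt_recent list (default --rsource: keyed on source IP).
TRIGGER_PORT = 1900
RANGE = (30000, 65000)
WINDOW = 30  # seconds, as in the updated rule set


class RecentList:
    """source IP -> last-seen timestamp, mimicking xt_recent semantics."""
    def __init__(self):
        self.last_seen = {}

    def set(self, src, now):                       # -m recent --set
        self.last_seen[src] = now

    def remove(self, src):                         # -m recent --remove
        self.last_seen.pop(src, None)

    def rcheck(self, src, now, seconds=None):      # --rcheck [--seconds N]
        ts = self.last_seen.get(src)
        if ts is None:
            return False
        return seconds is None or now - ts <= seconds

    def update(self, src, now, seconds=None):      # --update [--seconds N]
        # Like rcheck, but a hit refreshes the timestamp (extends the window).
        if self.rcheck(src, now, seconds):
            self.last_seen[src] = now
            return True
        return False


def filter_packets(packets, refresh=False):
    """Return a verdict per packet; packets are constructed (time, src, dport)."""
    phase = RecentList()
    verdicts = []
    for now, src, dport in packets:
        if dport == TRIGGER_PORT:                  # --dport 1900 -m recent --set -j ACCEPT
            phase.set(src, now)
            verdicts.append("ACCEPT")
        elif RANGE[0] <= dport <= RANGE[1]:        # --dports 30000:65000 -m recent --rcheck/--update --seconds 30
            hit = phase.update(src, now, WINDOW) if refresh else phase.rcheck(src, now, WINDOW)
            verdicts.append("ACCEPT" if hit else "DROP")
        else:
            verdicts.append("DROP")                # everything else hits the default policy
    return verdicts


# Constructed traffic: trigger at t=0 from .20, a range packet from .21 that never
# sent a trigger, then range packets from .20 at t=10, 25 and 50.
SAMPLE = [(0, "10.10.10.20", 1900), (5, "10.10.10.21", 40000),
          (10, "10.10.10.20", 40000), (25, "10.10.10.20", 40001),
          (50, "10.10.10.20", 40002)]
```

With `--rcheck` the last packet (t=50) is dropped because it is more than 30 seconds after the trigger, while with `--update` each accepted packet restarts the 30-second window; the packet from the host that never sent a trigger is dropped in both cases.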