open port in iptables for specific length of time

Jonathan Billings jsbillin at umich.edu
Tue Jun 7 15:31:17 UTC 2011


On Tue, Jun 07, 2011 at 09:33:44AM -0500, Steven Buehler wrote:
> We have a system that is locked down and you have to use a key to get ssh
> access to it.  We have employees and customers that are on dynamic IP's that
> keep switching.  They don't have root access.  What I am trying to do is
> create a script that they can log into and it will get their current IP
> address and open the firewall for a specified length of time. Once open,
> they would still have to use their public/private key to ssh into it.  I
> agree this isn't perfect, but it is better than just leaving that port open
> to the world all the time.


You probably want to use the "recent" module.

You need to add something like this to your /etc/sysconfig/iptables:

# this is necessary to allow already connected sessions
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
# simple port knocking
-A INPUT -p tcp -m state --state NEW -m tcp --dport 12345 -m recent --set --name remotessh --rsource
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --rcheck --seconds 300 --name remotessh --rsource -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited


This is a simple "knock" that requires that you send a packet to port
12345 on the host (it doesn't matter if it fails.  You could simply
hit http://hostname:12345/ and it would work.)  Once you've done that,
you have 5 minutes (300 seconds) to connect to the SSH port.  Once
you've connected, all further traffic is granted by the
RELATED,ESTABLISHED state rule at the top, which is probably already
in your iptables rules.  Any other connections are blocked.

The 'recent' module publishes the currently "allowed" IPs in
/proc/net/ipt_recent/remotessh (for this example in RHEL5) if you want
to monitor it somehow.  In newer kernels on Fedora, it's
/proc/net/xt_recent/. 

If you're really paranoid, you can change the 2 port knocking lines above into:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 12344 -m recent --remove --name remotessh --rsource 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 12345 -m recent --set --name remotessh --rsource
-A INPUT -p tcp -m state --state NEW -m tcp --dport 12346 -m recent --remove --name remotessh --rsource
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --rcheck --seconds 300 --name remotessh --rsource -j ACCEPT

This way, if someone port-scans the host, they won't get added to the
list of allowed ports because it'll be immediately removed as the port
scans are typically traversing ports incrementally.

-- 
Jonathan Billings <jsbillin at umich.edu>
College of Engineering - CAEN - Unix and Linux Support
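The following is an added worked example, not code from the mailing-list reply or from any Red Hat or netfilter project. It models the two rule sets above in Python so the behaviour can be traced without touching a live firewall: a stand-in for the "remotessh" recent list with --set, --remove and --rcheck --seconds semantics, the INPUT chain walk for NEW TCP packets, and a parser for the /proc/net/xt_recent listing mentioned for monitoring. The sample packets and /proc text are constructed; the ports (12344-12346, 22) and the 300 second window are the post's own. Assumptions: only NEW packets are modelled (RELATED,ESTABLISHED is handled by the state rule at the top of the chain), hit counts are ignored, and the kernel's HZ value, needed to turn jiffies into seconds, is taken as 1000.

```python
"""Added example: model of the iptables 'recent' port-knock rules and a parser
for /proc/net/xt_recent/<name>.  Not from the original post; sample data and
the HZ value are assumptions made here."""
import re
from dataclasses import dataclass, field

KNOCK_SET_PORT = 12345              # -m recent --set
KNOCK_CLEAR_PORTS = (12344, 12346)  # -m recent --remove (paranoid variant only)
SSH_PORT = 22
WINDOW_SECONDS = 300                # --rcheck --seconds 300


@dataclass
class RecentList:
    """Stand-in for one named xt_recent list ('remotessh'), keyed by source IP.
    Only the last-seen time matters for --rcheck --seconds."""
    last_seen: dict = field(default_factory=dict)

    def set(self, src, now):
        self.last_seen[src] = now

    def remove(self, src):
        self.last_seen.pop(src, None)

    def rcheck(self, src, now, seconds):
        # --rcheck does not refresh the timestamp (that would be --update)
        seen = self.last_seen.get(src)
        return seen is not None and now - seen <= seconds


def evaluate(packets, paranoid=False, window=WINDOW_SECONDS):
    """Walk NEW TCP packets (time_s, src, dport) through the INPUT chain in the
    order the rules are listed and return (time_s, src, dport, verdict)."""
    table = RecentList()
    verdicts = []
    for t, src, dport in packets:
        if paranoid and dport in KNOCK_CLEAR_PORTS:
            table.remove(src)   # an incremental scan hits 12346 right after 12345
        if dport == KNOCK_SET_PORT:
            table.set(src, t)   # the knock packet itself still falls through to REJECT
        if dport == SSH_PORT and table.rcheck(src, t, window):
            verdicts.append((t, src, dport, "ACCEPT"))
            continue
        verdicts.append((t, src, dport, "REJECT"))  # final REJECT rule
    return verdicts


# One line per source in /proc/net/xt_recent/<name>.  Timestamps are kernel
# jiffies, so converting to seconds needs the kernel's HZ (assumed 1000 here).
_ENTRY = re.compile(
    r"src=(?P<src>\S+) ttl: (?P<ttl>\d+) last_seen: (?P<last_seen>\d+) "
    r"oldest_pkt: (?P<oldest_pkt>\d+)"
)


def parse_recent_list(text):
    """Parse the /proc listing into [{'src', 'ttl', 'last_seen'}, ...]."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            entries.append({"src": m["src"], "ttl": int(m["ttl"]),
                            "last_seen": int(m["last_seen"])})
    return entries


def still_open(entries, now_jiffies, hz=1000, window=WINDOW_SECONDS):
    """Return {src: seconds_remaining} for sources whose knock is still inside
    the window, i.e. who could currently open a new SSH connection."""
    remaining = {}
    for e in entries:
        age = (now_jiffies - e["last_seen"]) / hz
        if 0 <= age <= window:
            remaining[e["src"]] = window - age
    return remaining


# Constructed sample of /proc/net/xt_recent/remotessh (not captured from a host).
SAMPLE_PROC = """\
src=203.0.113.7 ttl: 54 last_seen: 4295100000 oldest_pkt: 1 4295100000
src=198.51.100.9 ttl: 61 last_seen: 4294700000 oldest_pkt: 1 4294700000
"""

if __name__ == "__main__":
    scan = [(0, "s", 12344), (1, "s", 12345), (2, "s", 12346), (3, "s", 22)]
    print("simple  :", evaluate(scan)[-1][-1])                  # ACCEPT
    print("paranoid:", evaluate(scan, paranoid=True)[-1][-1])   # REJECT
    print(still_open(parse_recent_list(SAMPLE_PROC), now_jiffies=4295200000))
```

The `scan` sequence in the usage section is the case the reply describes: with the single --set rule an incremental scan that passes port 12345 leaves the scanner's address in the list, while with the surrounding --remove rules the hit on 12346 clears it again before port 22 is reached. `still_open` is the monitoring side: run over the real /proc file it reports which addresses currently have time left in their window, which is worth logging if the knock port is ever being tripped by addresses you do not recognise.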




More information about the redhat-list mailing list