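# Refresh the package index before installing anything below.
apt-get update
# Accept packets of established/related connections FIRST, so the SSH session
# we are configuring from survives the DROP rule added right after it.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop new inbound SSH (tcp/22). knockd (configured below) will insert a
# per-client ACCEPT rule ahead of this one when the knock sequence arrives.
iptables -A INPUT -p tcp --destination-port 22 -j DROP
# NOTE(review): iptables only filters IPv4. If this host has a global IPv6
# address, port 22 stays reachable over IPv6 unless the same two rules are
# also applied with ip6tables, e.g.:
#   ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   ip6tables -A INPUT -p tcp --destination-port 22 -j DROP
# iptables-persistent reloads /etc/iptables/rules.v4 (and rules.v6) at boot.
apt-get install iptables-persistent
# iptables-save only prints the ruleset to stdout; it has to be redirected
# into the file iptables-persistent loads, otherwise nothing is persisted and
# the DROP rule is gone after the next reboot.
iptables-save > /etc/iptables/rules.v4
# If you added ip6tables rules, persist them the same way:
#   ip6tables-save > /etc/iptables/rules.v6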
# Install knockd, the daemon that listens for the knock sequence and runs the
# iptables commands configured in /etc/knockd.conf.
apt-get install knockd
# Edit the knockd configuration.
nano /etc/knockd.conf
# Pick your own (unused) ports for the open and close sequences. The open
# sequence must be exactly what the client sends (1000,2000,3000 in the zsh
# functions further down this page) and the close sequence is its reverse.
# NOTE(review): a fixed knock sequence is obscurity, not authentication —
# anyone able to observe the traffic can replay it — so keep SSH itself
# hardened (key-only auth, no root login). knockd also supports one-time
# sequences (one_time_sequences, see the knockd docs) if you want more.
# In the open section, change:
# /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
# to:
# /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT
# -A appends AFTER the DROP rule added earlier, so the ACCEPT would never be
# reached; -I INPUT 1 inserts it at the top, ahead of the blocking rule.
# The close command (if it deletes with -D, as the stock config does) matches
# by rule spec rather than position, so it needs no change.
# NOTE(review): if the client never sends the close sequence (connection
# dropped, laptop closed), the per-IP ACCEPT rule stays open indefinitely.
# knockd's start_command/stop_command with cmd_timeout (see the knockd docs)
# removes it automatically after a few seconds; the ESTABLISHED rule keeps
# the already-open session alive.
# Enable the daemon in its defaults file.
nano /etc/default/knockd
# Set START_KNOCKD=1, otherwise the init script refuses to start knockd.
# Set KNOCKD_OPTS (e.g. "-i <interface>") if knockd should listen on an
# interface other than its default.
# Save the file, then start the daemon.
service knockd start
# Client side (macOS): install the knock client with Homebrew.
brew install knock
# Open the zsh startup file; the functions below get pasted into it.
nano "$HOME/.zshrc"
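# Send the "open" knock sequence (1000 -> 2000 -> 3000) to the host in $1.
# -v prints each knock; -d 200 waits 200 ms between knocks so they arrive in
# order. This must mirror the open sequence in the server's /etc/knockd.conf.
knockIn() {
  local host="$1"
  # Quoted so a host string is passed as one argument, never word-split or globbed.
  knock -v -d 200 "$host" 1000 2000 3000
}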
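# Send the "close" knock sequence (3000 -> 2000 -> 1000) to the host in $1,
# i.e. the reverse of knockIn, so knockd removes the per-IP ACCEPT rule.
knockOut() {
  local host="$1"
  # Quoted so a host string is passed as one argument, never word-split or globbed.
  knock -v -d 200 "$host" 3000 2000 1000
}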
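# Knock the server open, ssh in, then knock it closed again.
# $1 is the host; any further arguments are passed through to ssh unchanged
# (e.g. -L port forwards). The close knock runs after ssh returns, whether it
# exited normally or failed, so the ACCEPT rule for this IP is removed either
# way. NOTE: if the shell itself is killed before ssh returns, knockOut never
# runs and the server-side rule stays open (see cmd_timeout in knockd).
sshWithKnock() {
  local host="$1"
  knockIn "$host"
  ssh "$@"
  knockOut "$host"
}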
# Convenience wrapper: knock-and-ssh into a fixed host. Replace the hostname
# with your own server.
yourServer() {
  local target='yourServer.com'
  sshWithKnock "$target"
}
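# Save the file, then reload the shell config so the new functions exist in
# the current session.
source ~/.zshrc
# Enjoy! The wrapper defined above is named yourServer (there is no myServer
# function), so call it by that name.
yourServer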
Sources