Create three rules in a separate chain, port_knock, under IP -> Firewall by copying and pasting the following into a terminal. Rule 1 puts a source that hits port 666 into PORT_KNOCK_J1 for 20 s (only if it is not already there); rule 2 moves a source that is in PORT_KNOCK_J1 and hits 888 into PORT_KNOCK_J2 for 20 s; rule 3 puts a source that is in PORT_KNOCK_J2 and hits 777 into SOPORTE_REMOTO for 8 h. add-src-to-address-list is a passthrough action: these rules only record the source, the knock packets themselves continue down the input chain and are handled there like any other unsolicited traffic.
/ip firewall filter add action=add-src-to-address-list address-list=PORT_KNOCK_J1 address-list-timeout=20s chain=port_knock dst-address-type=local dst-port=666 protocol=tcp src-address-list=!PORT_KNOCK_J1
/ip firewall filter add action=add-src-to-address-list address-list=PORT_KNOCK_J2 address-list-timeout=20s chain=port_knock dst-address-type=local dst-port=888 protocol=tcp src-address-list=PORT_KNOCK_J1
/ip firewall filter add action=add-src-to-address-list address-list=SOPORTE_REMOTO address-list-timeout=8h chain=port_knock dst-address-type=local dst-port=777 protocol=tcp src-address-list=PORT_KNOCK_J2
Then add one more rule near the top of the input chain that jumps to the new port_knock chain for new TCP connections to the three knock ports (place-before=1 inserts it as rule 1, i.e. directly below rule 0 in the 0-indexed list; use place-before=0 for the very top. Either way it must sit above any drop rule that would discard the knocks). The address list on its own grants nothing: a later input rule must still accept the management service you want to expose (Winbox, SSH, ...) with src-address-list=SOPORTE_REMOTO, while the knock ports and everything else stay closed.
/ip firewall filter add action=jump chain=input comment="Port knocking para SOPORTE_REMOTO - Secuencia 666, 888, 777" connection-state=new dst-address-type=local dst-port=666,888,777 jump-target=port_knock protocol=tcp place-before=1
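The sequence 666, 888, 777 is deliberately not monotonic: a scanner walking the ports in ascending order hits 777 before 888 and never reaches SOPORTE_REMOTO, and a knock that arrives after the 20 s stage entry has expired starts over. The following Python model is an added example, not RouterOS code and not part of the tutorial; it replays new TCP SYNs (timestamp, source IP, destination port) through the same matching logic as the three rules and their address-list timeouts so a sequence can be checked offline. The client address and the scenario timings are constructed sample data.

```python
"""Offline model of the tutorial's port_knock chain.

Added example, not RouterOS code: it replays new TCP SYNs
(timestamp, source IP, destination port) through the same matching
logic as the three add-src-to-address-list rules, including their
20s and 8h address-list-timeout values. Addresses and timings used
below are constructed sample data.
"""
from dataclasses import dataclass, field

KNOCK_PORTS = (666, 888, 777)      # dst-port list on the input-chain jump rule
STAGE_TIMEOUT = 20                 # address-list-timeout=20s (PORT_KNOCK_J1/J2)
OPEN_TIMEOUT = 8 * 3600            # address-list-timeout=8h (SOPORTE_REMOTO)


@dataclass
class AddressLists:
    """Dynamic address lists: name -> {source IP: expiry time in seconds}."""
    lists: dict = field(default_factory=dict)

    def add(self, name, ip, now, timeout):
        # add-src-to-address-list creates (or refreshes) a dynamic entry
        self.lists.setdefault(name, {})[ip] = now + timeout

    def expire(self, now):
        for entries in self.lists.values():
            for ip in [ip for ip, exp in entries.items() if exp <= now]:
                del entries[ip]

    def contains(self, name, ip, now):
        self.expire(now)
        return ip in self.lists.get(name, {})

    def members(self, name, now):
        self.expire(now)
        return sorted(self.lists.get(name, {}))


def port_knock_chain(lists, src, dport, now):
    """Run one new TCP SYN through the three port_knock rules, in order.

    add-src-to-address-list is a passthrough action, so all three rules are
    evaluated and none of them accepts or drops the packet; that is left to
    the rest of the input chain, exactly as on the router.
    """
    # rule 1: dst-port=666 src-address-list=!PORT_KNOCK_J1 -> PORT_KNOCK_J1 (20s)
    if dport == 666 and not lists.contains("PORT_KNOCK_J1", src, now):
        lists.add("PORT_KNOCK_J1", src, now, STAGE_TIMEOUT)
    # rule 2: dst-port=888 src-address-list=PORT_KNOCK_J1 -> PORT_KNOCK_J2 (20s)
    if dport == 888 and lists.contains("PORT_KNOCK_J1", src, now):
        lists.add("PORT_KNOCK_J2", src, now, STAGE_TIMEOUT)
    # rule 3: dst-port=777 src-address-list=PORT_KNOCK_J2 -> SOPORTE_REMOTO (8h)
    if dport == 777 and lists.contains("PORT_KNOCK_J2", src, now):
        lists.add("SOPORTE_REMOTO", src, now, OPEN_TIMEOUT)


def replay(knocks, check_at=None):
    """Replay (time, src, dport) SYNs and return the IPs in SOPORTE_REMOTO.

    check_at is the moment the address list is inspected (default: the time
    of the last knock), so the 8h expiry can be exercised as well.
    """
    lists = AddressLists()
    for now, src, dport in knocks:
        if dport in KNOCK_PORTS:   # only these ports are jumped into port_knock
            port_knock_chain(lists, src, dport, now)
    when = knocks[-1][0] if check_at is None else check_at
    return lists.members("SOPORTE_REMOTO", when)


# Constructed scenarios: one client (TEST-NET-2 address) knocking the router.
CLIENT = "198.51.100.7"
CORRECT = [(0, CLIENT, 666), (2, CLIENT, 888), (4, CLIENT, 777)]
# a port scan walking the ports in ascending order hits 777 before 888
ASCENDING_SCAN = [(0, CLIENT, 666), (1, CLIENT, 777), (2, CLIENT, 888)]
# right order, but the second knock arrives after J1's 20s entry has expired
TOO_SLOW = [(0, CLIENT, 666), (25, CLIENT, 888), (30, CLIENT, 777)]

if __name__ == "__main__":
    for name, seq in (("correct", CORRECT), ("ascending scan", ASCENDING_SCAN),
                      ("too slow", TOO_SLOW)):
        print(f"{name:15s} -> SOPORTE_REMOTO = {replay(seq)}")
    print("correct, 8h later ->", replay(CORRECT, check_at=4 + OPEN_TIMEOUT))
```

Because the rules key on the source IP only, a client behind a masquerading router shows up as that router's public address; in this model two hosts behind the same NAT are simply the same CLIENT string, and the whole NAT'd network shares the 8 h entry.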
Test from Linux/Mac (the knock ports themselves stay closed, so each nc attempt is expected to end refused or, if the input chain drops the SYN, to time out; -w 1 keeps that wait to one second):
nc -vvv -w 1 ip_del_router 666
nc -vvv -w 1 ip_del_router 888
nc -vvv -w 1 ip_del_router 777
From Windows (the Windows Telnet client takes no -vvv switch, and it is an optional feature that may need to be enabled first):
telnet ip_del_router 666
telnet ip_del_router 888
telnet ip_del_router 777
Under IP -> Firewall -> Address List there should now be a SOPORTE_REMOTO entry holding the IP address the nc commands were run from, or else the IP of an intermediate router that is doing MASQUERADE (for the love of Perkele, it had better have a fixed port in its NAT rule). In that second case the entry is the NAT router's public address, so for the next 8 hours every host behind it is treated as SOPORTE_REMOTO, not just the machine that knocked.
Thanks to Diego Shulz for this tutorial.