@pdrok
Last active November 29, 2019 14:08
Configure port knocking to reach the router from an IP address that was not registered beforehand

Rules to open access using port knocking with RouterOS

Create three rules in a separate chain, port_knock, under IP -> Firewall by copying and pasting the following into a terminal:

/ip firewall filter add action=add-src-to-address-list address-list=PORT_KNOCK_J1 address-list-timeout=20s chain=port_knock dst-address-type=local dst-port=666 protocol=tcp src-address-list=!PORT_KNOCK_J1
/ip firewall filter add action=add-src-to-address-list address-list=PORT_KNOCK_J2 address-list-timeout=20s chain=port_knock dst-address-type=local dst-port=888 protocol=tcp src-address-list=PORT_KNOCK_J1
/ip firewall filter add action=add-src-to-address-list address-list=SOPORTE_REMOTO address-list-timeout=8h chain=port_knock dst-address-type=local dst-port=777 protocol=tcp src-address-list=PORT_KNOCK_J2

Then add one more rule in the first position of the input chain, with a jump to the newly created port_knock chain:

/ip firewall filter add action=jump chain=input comment="Port knocking para SOPORTE_REMOTO - Secuencia 666, 888, 777" connection-state=new dst-address-type=local dst-port=666,888,777 jump-target=port_knock protocol=tcp place-before=1

Ready to copy and paste:

/ip firewall filter add action=add-src-to-address-list address-list=PORT_KNOCK_J1 address-list-timeout=20s chain=port_knock dst-address-type=local dst-port=666 protocol=tcp src-address-list=!PORT_KNOCK_J1
/ip firewall filter add action=add-src-to-address-list address-list=PORT_KNOCK_J2 address-list-timeout=20s chain=port_knock dst-address-type=local dst-port=888 protocol=tcp src-address-list=PORT_KNOCK_J1
/ip firewall filter add action=add-src-to-address-list address-list=SOPORTE_REMOTO address-list-timeout=8h chain=port_knock dst-address-type=local dst-port=777 protocol=tcp src-address-list=PORT_KNOCK_J2
/ip firewall filter add action=jump chain=input comment="Port knocking para SOPORTE_REMOTO - Secuencia 666, 888, 777" connection-state=new dst-address-type=local dst-port=666,888,777 jump-target=port_knock protocol=tcp place-before=1

Test from Linux/Mac:

nc -vvv ip_del_router 666
nc -vvv ip_del_router 888
nc -vvv ip_del_router 777

From Windows (the Windows telnet client takes no -vvv flag, so the port is given directly):

telnet ip_del_router 666
telnet ip_del_router 888
telnet ip_del_router 777

Under IP -> Firewall -> Address List there should be a SOPORTE_REMOTO entry with the IP address from which we ran nc, or else the IP of an intermediate router that is doing MASQUERADE (for the love of Perkele, it had better have a fixed port set in its NAT rule). Thanks to Diego Shulz for this tutorial.
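The three rules above form a small state machine driven by timed address lists: a hit on 666 puts the source in PORT_KNOCK_J1 for 20 s, a hit on 888 from a J1 member puts it in PORT_KNOCK_J2 for 20 s, and a hit on 777 from a J2 member puts it in SOPORTE_REMOTO for 8 h. The following is an added example, not part of the gist or of RouterOS: an offline Python model that replays constructed (time, source IP, destination port) connection events against those rules so the ordering and timeout behaviour can be checked without a router. It assumes what the rules state (per-entry expiry from the moment of addition, the jump rule matching only the three knock ports, and add-src-to-address-list not terminating the chain); the IP addresses are constructed documentation values.

```python
#!/usr/bin/env python3
"""Offline model of the port_knock chain described in the gist (added example).

Replays new inbound TCP connections as (time, src_ip, dst_port) events against
the three add-src-to-address-list rules and tracks the timed address lists.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class KnockRule:
    dst_port: int
    src_in: Optional[str]       # src-address-list=<name>
    src_not_in: Optional[str]   # src-address-list=!<name>
    add_to: str                 # address-list=<name>
    timeout: float              # address-list-timeout, in seconds


# The three rules of chain port_knock, in the order the gist adds them.
PORT_KNOCK_CHAIN = [
    KnockRule(666, None, "PORT_KNOCK_J1", "PORT_KNOCK_J1", 20),
    KnockRule(888, "PORT_KNOCK_J1", None, "PORT_KNOCK_J2", 20),
    KnockRule(777, "PORT_KNOCK_J2", None, "SOPORTE_REMOTO", 8 * 3600),
]
# dst-port=666,888,777 on the input-chain jump rule.
KNOCK_PORTS = frozenset(r.dst_port for r in PORT_KNOCK_CHAIN)


class AddressLists:
    """Address lists whose entries expire (address-list-timeout)."""

    def __init__(self) -> None:
        self._expiry: Dict[Tuple[str, str], float] = {}  # (list, ip) -> expiry

    def contains(self, name: str, ip: str, now: float) -> bool:
        exp = self._expiry.get((name, ip))
        return exp is not None and now < exp

    def add(self, name: str, ip: str, now: float, timeout: float) -> None:
        self._expiry[(name, ip)] = now + timeout

    def members(self, name: str, now: float) -> List[str]:
        return sorted(ip for (n, ip), exp in self._expiry.items()
                      if n == name and now < exp)


class KnockRouter:
    def __init__(self) -> None:
        self.lists = AddressLists()

    def new_tcp_connection(self, src_ip: str, dst_port: int, now: float) -> None:
        """Process one new inbound TCP connection the way the jump rule would."""
        if dst_port not in KNOCK_PORTS:
            return  # jump rule does not match: knock state is left untouched
        for rule in PORT_KNOCK_CHAIN:
            if rule.dst_port != dst_port:
                continue
            if rule.src_in and not self.lists.contains(rule.src_in, src_ip, now):
                continue
            if rule.src_not_in and self.lists.contains(rule.src_not_in, src_ip, now):
                continue
            # add-src-to-address-list is not terminating, so keep scanning the
            # chain; the packet then returns to chain input after the jump.
            self.lists.add(rule.add_to, src_ip, now, rule.timeout)

    def is_authorized(self, src_ip: str, now: float) -> bool:
        return self.lists.contains("SOPORTE_REMOTO", src_ip, now)


def replay(events: List[Tuple[float, str, int]]) -> KnockRouter:
    """Replay events in time order and return the router for inspection."""
    router = KnockRouter()
    for t, ip, port in sorted(events, key=lambda e: e[0]):
        router.new_tcp_connection(ip, port, t)
    return router


if __name__ == "__main__":
    # Constructed client address; the knocks are the gist's sequence 666, 888, 777.
    ok = replay([(0, "203.0.113.5", 666), (3, "203.0.113.5", 888), (6, "203.0.113.5", 777)])
    print("in order  ->", ok.lists.members("SOPORTE_REMOTO", 6))
    slow = replay([(0, "203.0.113.5", 666), (25, "203.0.113.5", 888), (26, "203.0.113.5", 777)])
    print("too slow  ->", slow.lists.members("SOPORTE_REMOTO", 26))
```

Two properties of the gist's rule set show up in the replay: a knock that arrives after the 20 s window has closed leaves the client at the start again, and a connection to a port outside 666/888/777 between two knocks does not reset the sequence, because the chain has no rule that removes a source from PORT_KNOCK_J1 or PORT_KNOCK_J2 on a wrong knock. The model also makes the MASQUERADE caveat concrete: the state is keyed by source IP only, so every host behind the same NAT address shares the SOPORTE_REMOTO entry once one of them has knocked.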
