@wesleyit
Created September 26, 2014 20:21
Shell script to setup a port knocking set of rules on SSH port.
#!/bin/bash
# ##########################################################
# stateful_iptables_port_knocking.sh
# Shell script to setup a port knocking
# set of rules on SSH port.
# Wesley Rodrigues da Silva <wesley.it at gmail.com>
# LICENCE CREATIVE COMMONS BY - 2014
# http://creativecommons.org/licenses/by/2.0/legalcode
# ########################################################
# Must be run as root. iptables only covers IPv4; ip6tables is not touched here.

## Clean all rules and chains
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -Z

## Default policies: drop inbound and forwarded traffic, allow outbound
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT

# Allow local traffic: match the loopback interface so the whole 127.0.0.0/8
# range is covered, not only 127.0.0.1
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# Allow returning packets (established connections)
iptables -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

## Using the module "recent", create a new key on tcp/1986.
## The rule has no target on purpose: the source address is recorded in the
## SSH_PERMIT list and the packet then falls through to the INPUT policy (DROP),
## so the knock itself gets no reply.
iptables -A INPUT -p tcp --dport 1986 -m recent --set --name SSH_PERMIT

## Grant access only if the key has been "touched" in the last 30 seconds
iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 30 --name SSH_PERMIT -j ACCEPT

## Reject all other connections on the SSH port
iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
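Added example, not part of the gist above: a small wrapper that generates the same knock/service rule pair from parameters, validates the ports and the time window before anything is applied, and lists the addresses currently held in the xt_recent table so an operator can verify the mechanism is working. It assumes the gist's base policy (INPUT DROP plus the ESTABLISHED,RELATED accept) is already loaded; the function names, the DRY_RUN variable and the sample table lines in the test are hypothetical and constructed for this example. It differs from the gist in two deliberate ways, both commented: the knock rule matches only NEW connections (so stray packets of an existing flow cannot re-arm the list) and carries an explicit `-j DROP` instead of relying on the chain policy.

```bash
#!/bin/bash
# Added example (not the gist's own code). Generates and optionally applies a
# parameterised port-knocking rule set for iptables/xt_recent.
# Assumes the base policy from the gist (INPUT DROP, ESTABLISHED/RELATED
# accepted) is already in place. Function names and DRY_RUN are hypothetical.

# True if $1 is an integer in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print (do not apply) the rules for one knock port guarding one service port.
# Arguments: knock_port service_port window_seconds [list_name]
build_knock_rules() {
    local knock_port="$1" service_port="$2" window="$3" name="${4:-SSH_PERMIT}"
    is_port "$knock_port" || { echo "invalid knock port: $knock_port" >&2; return 1; }
    is_port "$service_port" || { echo "invalid service port: $service_port" >&2; return 1; }
    [ "$knock_port" != "$service_port" ] || { echo "knock port must differ from service port" >&2; return 1; }
    case "$window" in ''|*[!0-9]*) echo "invalid window: $window" >&2; return 1 ;; esac
    [ "$window" -gt 0 ] || { echo "window must be positive" >&2; return 1; }
    # --ctstate NEW: only a fresh connection attempt counts as a knock.
    # --rsource is the default (track the source address); written out for clarity.
    # -j DROP makes the knock silent instead of relying on the chain policy.
    cat <<EOF
iptables -A INPUT -p tcp --dport $knock_port -m conntrack --ctstate NEW -m recent --set --name $name --rsource -j DROP
iptables -A INPUT -p tcp --dport $service_port -m conntrack --ctstate NEW -m recent --rcheck --seconds $window --name $name --rsource -j ACCEPT
iptables -A INPUT -p tcp --dport $service_port -j REJECT --reject-with tcp-reset
EOF
}

# Apply the rules, or only print them when DRY_RUN=1 (hypothetical variable).
apply_knock_rules() {
    local rules
    rules=$(build_knock_rules "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | bash -e
    fi
}

# List the addresses currently recorded in an xt_recent table together with
# the number of packets remembered for each (the "oldest_pkt" count).
# Reads /proc/net/xt_recent/<list_name> by default; pass a file path, or "-"
# for stdin, to inspect a saved copy. The timestamps in that file are kernel
# jiffies, so whether an entry is still inside the --seconds window is decided
# by the kernel's --rcheck, not by this listing.
knocked_sources() {
    local src="${1:-/proc/net/xt_recent/SSH_PERMIT}"
    awk '/^src=/ { sub(/^src=/, "", $1); print $1, $7 }' "$src"
}

# Stand-alone use: print the rules for the gist's ports (1986 -> 22, 30 s)
# without applying them.
if [ "${DRY_RUN:-0}" = 1 ]; then
    apply_knock_rules 1986 22 30
fi
```

Run it as `DRY_RUN=1 bash knock_rules.sh` to review the generated rules, then as root without DRY_RUN to apply them; `knocked_sources` afterwards shows which source addresses have knocked and how many knock packets the kernel is holding for each, which is the quickest way to confirm the list is being populated before testing the SSH side.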