Saturday, 28 May 2011

UFW and port knocking

Hi All,

This is how to set up basic port knocking for your home network.
At home I run several services that I want to be able to reach from the internet, but I don't always want these services open. Port knocking provides an interesting way of achieving both.

Basically, how it works is that the knock daemon watches the firewall logs for connection attempts on specified ports. If it picks up a particular sequence, the knock daemon can open another port through the firewall by adding rules.

Here's how I did it on Ubuntu 10.04.

First install the knock daemon:

sudo apt-get install knockd

Now set up UFW. UFW is basically a simpler front end for configuring iptables.
First, let's add a rule to allow ssh before we turn the firewall on, so we don't lock ourselves out. Do these in order:

sudo ufw allow ssh/tcp
sudo ufw enable

Check the status by typing this:

sudo ufw status

All other ports, apart from ssh, are closed. Now we need to configure the knock daemon.
Crack open the config file. I want to open port 80 so I can get to MythTV. Add a label and some config.

[WEB]
sequence = 8111,8555,8777
seq_timeout = 5
start_command = ufw allow from %IP% to any port 80
tcpflags = syn
cmd_timeout = 3600
stop_command = ufw delete allow from %IP% to any port 80

OK, so the knock sequence is 8111, 8555, 8777, in that order (although think about how port scanners work and choose some less predictable ports). That will then run start_command, opening port 80 to the IP that knocked. The rule removes itself after an hour (cmd_timeout).
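To make the interaction between sequence, seq_timeout and cmd_timeout concrete, here is an added example: a small Python model of the knock-matching logic, written for this post and not knockd's own code. It uses the values from the [WEB] block above. The source IPs and timestamps are constructed, and two simplifications are assumptions of the model rather than knockd behaviour: a SYN to any port other than the next expected one resets that IP's progress, and expiry is checked when the next packet arrives instead of on a timer.

```python
"""Added example: a simplified model of the knockd sequence logic described
above. Not knockd's code; it only illustrates how `sequence`, `seq_timeout`
and `cmd_timeout` interact per source IP. All IPs and times are constructed.
"""
from dataclasses import dataclass, field

# Parameters taken from the [WEB] block in the post.
SEQUENCE = (8111, 8555, 8777)
SEQ_TIMEOUT = 5       # seconds allowed to complete the whole knock
CMD_TIMEOUT = 3600    # seconds the opened rule stays in place
START_CMD = "ufw allow from %IP% to any port 80"
STOP_CMD = "ufw delete allow from %IP% to any port 80"


@dataclass
class Knocker:
    sequence: tuple = SEQUENCE
    seq_timeout: float = SEQ_TIMEOUT
    cmd_timeout: float = CMD_TIMEOUT
    # ip -> (index of the next expected port, time of the first knock)
    attempts: dict = field(default_factory=dict)
    # ip -> time at which the stop command is due
    open_until: dict = field(default_factory=dict)

    def expire(self, now):
        """Return stop commands for rules whose cmd_timeout has passed and
        forget half-finished knocks older than seq_timeout.
        (Model assumption: checked on each packet, not on a timer.)"""
        actions = []
        for ip in [ip for ip, t in self.open_until.items() if now >= t]:
            del self.open_until[ip]
            actions.append(STOP_CMD.replace("%IP%", ip))
        for ip in [ip for ip, (_, t0) in self.attempts.items()
                   if now - t0 > self.seq_timeout]:
            del self.attempts[ip]
        return actions

    def syn(self, now, ip, port):
        """Process one TCP SYN (tcpflags = syn) from ip to port.
        Returns the command(s) the daemon would run at this point, if any."""
        actions = self.expire(now)
        stage, t0 = self.attempts.get(ip, (0, now))
        if port != self.sequence[stage]:
            # Model assumption: any other port resets this IP's progress;
            # only a fresh hit on the first port starts a new attempt.
            self.attempts.pop(ip, None)
            if port == self.sequence[0]:
                self.attempts[ip] = (1, now)
            return actions
        stage += 1
        if stage < len(self.sequence):
            self.attempts[ip] = (stage, t0)
            return actions
        # Whole sequence seen in order within seq_timeout: open the door.
        self.attempts.pop(ip, None)
        self.open_until[ip] = now + self.cmd_timeout
        actions.append(START_CMD.replace("%IP%", ip))
        return actions


def run(events, knocker=None):
    """Feed (time, ip, port) events in time order; return every command run."""
    k = knocker or Knocker()
    out = []
    for now, ip, port in events:
        out.extend(k.syn(now, ip, port))
    return out


# Constructed sample traffic: (seconds, source IP, destination port).
EVENTS = [
    (0.0, "203.0.113.7", 8111),
    (1.0, "203.0.113.7", 8555),
    (2.0, "203.0.113.7", 8777),    # right order within 5 s -> rule added
    (10.0, "198.51.100.9", 8555),  # wrong first port -> ignored
    (11.0, "198.51.100.9", 8111),
    (12.0, "198.51.100.9", 8777),  # out of order -> reset, never opens
    (20.0, "192.0.2.4", 8111),
    (27.0, "192.0.2.4", 8555),     # 7 s after the first knock > seq_timeout
    (28.0, "192.0.2.4", 8777),     # -> no rule added
    (4000.0, "203.0.113.7", 80),   # later packet: cmd_timeout has passed
]

if __name__ == "__main__":
    for cmd in run(EVENTS):
        print(cmd)
```

Only the first host ever gets a rule, and it is removed again once the hour is up; the second host hits the right ports in the wrong order and the third is too slow, so neither triggers start_command.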

Once you have configured that, start the daemon.

sudo service knockd start

Now for your router. Port forward port 80 and 8000-9000 to your server, and that's it, job done.

On the client, to trigger your new rule, type this:

knock -v [external ip of your router] port1 port2 port3

Now access your website.

Thanks for reading,

Trev

1 comment:

  1. You can drop the timeout down to 10 seconds--the port will still stay open long enough for you to connect, and once your connection is established it won't terminate until you disconnect. That way anyone else from the same IP will only be able to attempt a connection in the same 10 seconds, instead of 30 minutes.
