iptables recent needs a time-limited --set option, or how else can I solve this?

For a port-knocking scheme, I would like to know how to make the iptables recent module's list-name match a source address only temporarily (for just a few seconds). My intuition tells me that I need the recent module's --set function to accept a --seconds option so that the list assignment becomes temporary, but all I can see is assigning the list name to an address permanently and having another rule remove the list-name assignment only when some later packet is received. The reason this does not fit my mental model is that removing an address from the list (--reap or --remove, I think) happens only when a future packet arrives, whereas my intuition wants the address removed when a particular time expires, regardless of whether any packet arrives to trigger that name removal. The only way I can see to do something vaguely similar is very unintuitive to me, so I suspect I am missing something about how this works: I need a recent-module rule with the --rcheck option to make sure the packet's listed name matches and that it was assigned within the previous x seconds, and a jump destination to remove it, where the rules in that jump destination assign the next list name to the source address. Meanwhile the list keeps growing (doesn't it?), filling up with stray source addresses that never completed the knock sequence[s]. What a simple solution it would be for the recent module to accept a --seconds option together with --set! Can anyone help me see this more clearly?

(I have seen other knocking solutions using iptables, but they are limited to using each port-protocol combination only once in the sequence, whereas IMHO a good knocking solution should allow the same port-protocol combination to be used in the knock sequence as many times as the user wishes. knockd has the same limitation, and exhibits terribly non-robust operation. I tried to get the pknock module for iptables, but not all of its components seem to exist [in particular the two shell scripts mentioned in the documentation, knock.sh and knock-orig.sh, supposedly "found in doc/pknock/util", wherever that is... certainly not on SF, Github, or anywhere else I can see], which makes me very wary of using it.)

Edit: I see that the ruleset needs to be more complex than described: the second knock step first has to match the packet by name, then jump it to its own chain, remove the name, determine whether the time and the port-protocol match correctly, then jump it to another chain to rename it, or, if the timing or the knock is off, not jump it so that it falls through to a drop rule. Wow.

My preliminary solution looks like this. The knocks in this example happen to be unique, but non-unique knocks work fine too. As you can see, I have every knock packet touch every list, because I don't know whether the lists limit on their own how long they keep entries. This seemed to be the only way to make sure the lists don't grow too long.

$--> iptables -wnvL

Chain INPUT (policy DROP)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  $internal_net_interface   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate RELATED,ESTABLISHED /* extract ssh for knock testg frm private side in ssh */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: REMOVE name: authorized side: source mask: 255.255.255.255 ctstate NEW /* 1-packet pass: 1 chance to establish or then knock higher */
    0     0 knockerstest  all  --  $internal_net_interface   *       0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 200 name: knocker side: source mask: 255.255.255.255 /* for knock capability */
    0     0 knockstage1  tcp  --  $internal_net_interface   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1 flags:0x17/0x02 recent: SET name: knocker side: source mask: 255.255.255.255 /* for knock capability, 1st port */
    0     0 knockers   all  --  $external_net_interface  *       0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 200 name: knocker side: source mask: 255.255.255.255 ctstate NEW /* for port knock capability */
    0     0 knockstage1  tcp  --  $external_net_interface  *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:1 flags:0x17/0x02 recent: SET name: knocker side: source mask: 255.255.255.255 /* for port knock capability, 1st port */

Chain knockerreap (10 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 60 reap name: knocker side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: knockstage1 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: knockstage2 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: knockstage3 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: knockstage4 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: knockstage5 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: knockstage6 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: knockstage7 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: knockstage8 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 12 reap name: knockstage1 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 12 reap name: knockstage2 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 12 reap name: knockstage3 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 12 reap name: knockstage4 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 12 reap name: knockstage5 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 12 reap name: knockstage6 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 12 reap name: knockstage7 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 12 reap name: knockstage8 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: REMOVE name: knockstage1 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: REMOVE name: knockstage2 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: REMOVE name: knockstage3 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: REMOVE name: knockstage4 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: REMOVE name: knockstage5 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: REMOVE name: knockstage6 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: REMOVE name: knockstage7 side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: REMOVE name: knockstage8 side: source mask: 255.255.255.255

Chain knockers (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 knockerreap  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! ctstate NEW /* for port knock capability */
    0     0 knockersort  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW /* for port knock capability */
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "pktfail:knock|late|ctstate "
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 60 reap name: knocker side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: REMOVE name: knocker side: source mask: 255.255.255.255
    0     0 knockerreap  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain knockersort (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 knockstage2  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2 flags:0x17/0x02 recent: CHECK seconds: 12 name: knockstage2 side: source mask: 255.255.255.255 /* knock to stage 2 successful */
    0     0 knockstage3  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3 flags:0x17/0x02 recent: CHECK seconds: 12 name: knockstage3 side: source mask: 255.255.255.255 /* knock to stage 3 successful */
    0     0 knockstage4  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4 flags:0x17/0x02 recent: CHECK seconds: 12 name: knockstage4 side: source mask: 255.255.255.255 /* knock to stage 4 successful */
    0     0 knockstage5  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5 flags:0x17/0x02 recent: CHECK seconds: 12 name: knockstage5 side: source mask: 255.255.255.255 /* knock to stage 5 successful */
    0     0 knockstage6  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6 flags:0x17/0x02 recent: CHECK seconds: 12 name: knockstage6 side: source mask: 255.255.255.255 /* knock to stage 6 successful */
    0     0 knockstage7  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7 flags:0x17/0x02 recent: CHECK seconds: 12 name: knockstage7 side: source mask: 255.255.255.255 /* knock to stage 7 successful */

Chain knockerstest (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 knockersort  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "knockertest fail "
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 60 reap name: knocker side: source mask: 255.255.255.255
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: REMOVE name: knocker side: source mask: 255.255.255.255
    0     0 knockerreap  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain knockstage1 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 knockerreap  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: knockstage2 side: source mask: 255.255.255.255 /* Entry in log makes blacklisting get delayed until after knocking time window expires */ LOG flags 0 level 4 prefix "knocked: Stage1 "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain knockstage2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 knockerreap  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: knockstage3 side: source mask: 255.255.255.255 /* Entry in log makes blacklisting get delayed until after knocking time window expires */ LOG flags 0 level 4 prefix "knocked: Stage2 "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain knockstage3 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 knockerreap  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: knockstage4 side: source mask: 255.255.255.255 /* Entry in log makes blacklisting get delayed until after knocking time window expires */ LOG flags 0 level 4 prefix "knocked: Stage3 "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain knockstage4 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 knockerreap  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: knockstage5 side: source mask: 255.255.255.255 /* Entry in log makes blacklisting get delayed until after knocking time window expires */ LOG flags 0 level 4 prefix "knocked: Stage4 "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain knockstage5 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 knockerreap  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: knockstage6 side: source mask: 255.255.255.255 /* Entry in log makes blacklisting get delayed until after knocking time window expires */ LOG flags 0 level 4 prefix "knocked: Stage5 "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain knockstage6 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 knockerreap  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: knockstage7 side: source mask: 255.255.255.255 /* Entry in log makes blacklisting get delayed until after knocking time window expires */ LOG flags 0 level 4 prefix "knocked: Stage6 "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain knockstage7 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 knockerreap  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: authorized side: source mask: 255.255.255.255 /* allows time-limited access */ LOG flags 0 level 4 prefix "knock full success "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
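As an added illustration (not part of the original post, and not netfilter's own code), the following Python model reproduces the xt_recent semantics the post is wrestling with: --set only records a source, --rcheck --seconds tests the age of that record, and --reap and --remove act only while some packet is being evaluated against the rule, so nothing ages out on a timer. It also models the bound the kernel does impose, the ip_list_tot module parameter (100 entries per list by default), which evicts the least recently seen source rather than letting a list grow without limit. The knock chain is a simplified reading of the ruleset above (one knockstageN list per completed knock and a final authorized list consumed by a --remove rule, without the post's separate knocker list), using a three-knock sequence that repeats a port to show non-unique knocks working. The addresses, ports and timestamps are constructed; the one-reap-per-evaluated-packet detail is taken from the kernel's xt_recent.c and should be checked against the kernel version in use.

```python
"""Model of xt_recent list semantics: a constructed example, not the post's or netfilter's code."""
from collections import OrderedDict

IP_LIST_TOT = 100   # xt_recent module parameter default: max entries per list
STAGE_WINDOW = 12   # seconds allowed between knocks (the window the post's rules use)


class RecentList:
    """One named xt_recent list: source address -> time of its last --set."""

    def __init__(self, name, max_entries=IP_LIST_TOT):
        self.name = name
        self.max_entries = max_entries
        self.entries = OrderedDict()   # least recently seen first, like the kernel's LRU

    def set(self, addr, now):
        # --set always matches: add addr or refresh its stamp; a full list evicts
        # its least recently seen source instead of refusing the new one.
        if addr in self.entries:
            self.entries.move_to_end(addr)
        elif len(self.entries) >= self.max_entries:
            self.entries.popitem(last=False)
        self.entries[addr] = now

    def rcheck(self, addr, now, seconds=None, reap=False):
        # --rcheck matches if addr is listed and (with --seconds) set within the window.
        # Nothing expires by itself: --reap drops the least recently seen entry if it is
        # older than the window, only while evaluating a listed source (per xt_recent.c).
        stamp = self.entries.get(addr)
        if stamp is None:
            return False
        if reap and seconds is not None:
            oldest, oldest_stamp = next(iter(self.entries.items()))
            if now - oldest_stamp > seconds:
                del self.entries[oldest]
        return seconds is None or now - stamp <= seconds

    def remove(self, addr):
        # --remove matches only if addr was listed, and deletes it.
        return self.entries.pop(addr, None) is not None


class KnockFirewall:
    """Simplified INPUT chain for NEW packets, in the shape of the post's ruleset."""

    def __init__(self, sequence, window=STAGE_WINDOW):
        self.sequence, self.window = list(sequence), window
        # knockstage1..N hold the sources that have delivered knocks 1..N in order
        self.stages = [RecentList(f"knockstage{i + 1}") for i in range(len(sequence))]
        self.authorized = RecentList("authorized")

    def _knockerreap(self, src, now):
        # Like the post's knockerreap chain: put src in every stage list so the
        # --rcheck --reap rules actually run, reap, then take src out again.
        for lst in self.stages:
            lst.set(src, now)
            lst.rcheck(src, now, self.window, reap=True)
            lst.remove(src)

    def packet(self, src, dport, now):
        """Verdict for one NEW-connection packet (ESTABLISHED traffic is out of scope)."""
        if self.authorized.remove(src):      # 1-packet pass: accepted exactly once
            return "ACCEPT"
        # Highest reachable stage first, so a repeated port advances instead of restarting.
        for i in reversed(range(len(self.sequence))):
            in_order = i == 0 or self.stages[i - 1].rcheck(src, now, self.window)
            if dport == self.sequence[i] and in_order:
                self._knockerreap(src, now)          # forget src's previous stage
                self.stages[i].set(src, now)
                if i == len(self.sequence) - 1:
                    self.authorized.set(src, now)    # whole sequence delivered
                return f"DROP (knockstage{i + 1})"
        self._knockerreap(src, now)                  # wrong port or too late: start over
        return "DROP"


def scenario():
    """Constructed timeline: A stalls after one knock, B succeeds, C is too slow."""
    fw, out = KnockFirewall([1, 1, 2]), {}
    out["a_first"] = fw.packet("10.0.0.1", 1, now=0)
    out["a_listed_later"] = list(fw.stages[0].entries)  # no timer ever clears A
    out["b_first"] = fw.packet("10.0.0.2", 1, now=100)   # B's packet is what reaps A
    out["after_b"] = list(fw.stages[0].entries)          # like /proc/net/xt_recent/knockstage1
    out["b_second"] = fw.packet("10.0.0.2", 1, now=105)  # same port again still advances
    out["b_third"] = fw.packet("10.0.0.2", 2, now=110)
    out["b_ssh"] = fw.packet("10.0.0.2", 22, now=111)
    out["b_ssh_again"] = fw.packet("10.0.0.2", 22, now=112)
    for t in (200, 201):
        fw.packet("10.0.0.3", 1, now=t)
    out["c_late"] = fw.packet("10.0.0.3", 2, now=220)    # 19 s since last knock > 12 s
    return out


def eviction_demo(max_entries=3):
    """A list never grows past ip_list_tot: the least recently seen source is evicted."""
    lst = RecentList("knockstage1", max_entries=max_entries)
    for n in range(1, max_entries + 2):   # one more source than fits
        lst.set(f"192.0.2.{n}", now=n)
    return list(lst.entries)
```

The scenario shows the point the post circles around: host A's stale knockstage1 entry sits there indefinitely and is only reaped when host B's later packet walks through the reap rules, while the list itself is still bounded by ip_list_tot. On a real host the equivalent of reading a list's entries is `cat /proc/net/xt_recent/<name>`, and writing `/` to that file clears the list, which is a quicker way to see what a knocking ruleset leaves behind than waiting for stray entries to be reaped.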