I have a small home server whose SSH port is forwarded from my internet router. Recently I inspected my sshd logfiles and found way too many brute-force attempts against my SSH daemon. I searched for a way to protect against that and stumbled upon knockd.

This looked really neat, but I'm too lazy to configure an entire firewall just to open and close one port, and besides, I already have a firewall on my router. The second thing is that I want to connect to my server without port knocking when I'm in my home network.

So here is my solution. Instead of opening and closing a port with knockd, I just enable and disable a local port forwarding rule via iptables (a NAT REDIRECT from port 4440 to port 22, only for the knocking source address).

/etc/knockd.conf

[options]
UseSyslog
Interface = enp2s0

[opencloseSSH]
sequence = 4443:tcp,4442:tcp,4444:tcp,4441:tcp,4445:tcp
seq_timeout = 15
tcpflags = syn
start_command = /usr/sbin/iptables -t nat -A PREROUTING -s %IP% -p tcp --dport 4440 -j REDIRECT --to-port 22
cmd_timeout = 10
stop_command = /usr/sbin/iptables -t nat -D PREROUTING -s %IP% -p tcp --dport 4440 -j REDIRECT --to-port 22

As long as your default policy for the INPUT chain is ACCEPT, this doesn't even require additional rules for RELATED,ESTABLISHED connections, because nothing is filtered; the rule only rewrites the destination port.

On the router you just need to forward the port range used for knocking and, of course, port 22 (to port 4440 on your home server) for SSH ;)
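A client-side helper matching the configuration above, added here as an example (not part of the original post): it derives the port list from the sequence, sends the knock with nc, connects to 4440 before cmd_timeout expires, and includes a server-side check that the REDIRECT rule is gone again. It assumes the server's public address is passed as the first argument, that nc (netcat) is installed on the client, and that the router forwarding is set up as described.

```shell
#!/bin/sh
# Client-side knock helper for the knockd.conf above. Added example, not from the post.
# Assumptions: the server's public address is given as the first argument, nc (netcat)
# is installed on the client, and the router forwards the knock ports plus external 22
# to port 4440 on the server, as described.

# Same order as the "sequence" line in /etc/knockd.conf; knockd only fires start_command
# when it sees SYNs to these ports in exactly this order within seq_timeout (15 s here).
KNOCK_SEQUENCE="4443:tcp 4442:tcp 4444:tcp 4441:tcp 4445:tcp"
REDIRECT_PORT=4440   # external port that the REDIRECT rule maps to 22 after a valid knock

# Turn a knockd "port:proto" list into bare port numbers, space separated.
# Pure string handling, so it can be checked without touching the network.
sequence_ports() {
    ports=""
    for entry in $1; do
        ports="$ports${ports:+ }${entry%%:*}"
    done
    printf '%s\n' "$ports"
}

# Send one TCP SYN per knock port, in order. The knock ports need not be listening:
# knockd captures the SYN with pcap, so "connection refused" is the normal outcome and
# the exit status of nc is deliberately ignored. -z: connect only, no payload; -w 1:
# give up after one second so the whole sequence stays well inside seq_timeout.
knock() {
    for port in $(sequence_ports "$KNOCK_SEQUENCE"); do
        nc -z -w 1 "$1" "$port" 2>/dev/null || true
    done
}

# The REDIRECT rule is only installed for the knocking source IP (%IP%) and is removed
# again after cmd_timeout (10 s here), so the SSH connection has to be opened right away.
# A session that is already established keeps working: NAT is decided on the first packet
# and the mapping lives on in conntrack after the rule is gone.
knock_and_ssh() {
    knock "$1"
    ssh -p "$REDIRECT_PORT" "$1"
}

# Server-side check (run as root on the home server): does a REDIRECT rule for this
# knocker currently exist? Useful to confirm that stop_command really removed it after
# cmd_timeout, i.e. that the port does not stay open by accident.
redirect_rule_present() {
    iptables -t nat -S PREROUTING | grep -q -- "-s $1/32 -p tcp -m tcp --dport $REDIRECT_PORT -j REDIRECT"
}
```

Source the file and run `knock_and_ssh <server-address>` from outside the home network; inside it, just ssh to port 22 directly as before.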

Hope this helps,
visit