iptables: combining a check and a set from the "recent" module in one rule

Using the recent module in iptables, how do I check whether the src ip address is in a list and, if it is, add it to another list?

I'm trying to implement port knocking with iptables using that module (recent).

So I want to detect whether TCP packets arrive in a specific order by moving the src ip address from one list to another, moving it towards a final list that allows the src ip to access the machine.

My question is basically: when a packet has the right destination port and the src ip is in the right current step (list), how do I add the src ip to the next step (list), all in one rule? Something like this:

1:

# we'd like to accept the already authenticated packets quickly, hence the first rule
iptables -A KNOCKING -m recent --rcheck --seconds 60 --reap --name knockfinal -j ACCEPT

2:

# src ip is not authenticated, let's verify the first knock
# if the first port knock was correct (port 1111), add the src ip to the 'knock1' list
iptables -A KNOCKING -p tcp --dport 1111 -m recent --name knock1 --set -j DROP

3:

# now, here is the issue...
# how do we both check if the src ip is already in the 'knock1' list
# plus the second port knock was correct (port 2222), and add the src ip to 'knock2' list
# ideally, we would write something like this
iptables -A KNOCKING -m recent --rcheck --seconds 10 --reap --name knock1 -p tcp --dport 2222 -m recent --name knock2 --set -j DROP

I've read about several different ways of setting up port knocking with iptables, but this one seems the most trivial to me, so I'd really like to confirm or deny that it can be done this way.

Answer 1

It turns out the line I posted above is exactly how it should be written :) I guess I was too pessimistic about iptables being able to handle such a "complex" rule.

Here is the configuration for my simple port-knocking setup:

# set default policy for INPUT chain to DROP
iptables -P INPUT DROP

# accept all local traffic
iptables -A INPUT -i lo -j ACCEPT

# accept all the already-established connections
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m multiport --sports 25,80,443,465,587 -j ACCEPT

# add more of your own rules here...

# at the end, redirect all the packets into the KNOCKING chain
# this makes it easy to quickly enable/disable KNOCKING chain, if need be
iptables -A INPUT -j KNOCKING

# if the src ip is already authenticated, accept it
iptables -A KNOCKING -m recent --rcheck --seconds 60 --reap --name knockfinal -j ACCEPT

# if the packet is not authenticated and the first port knock is correct
# add the src ip into the 'knock1' list
iptables -A KNOCKING -p tcp -m tcp --dport 1111 -m recent --set --name knock1 -j DROP

# if the src ip is already in the 'knock1' list (with the expiry time of 10 seconds)
# and the 2nd port knock is correct, add the src ip to the 'knock2' list
iptables -A KNOCKING -p tcp -m recent --rcheck --seconds 10 --reap --name knock1 -m tcp --dport 2222 -m recent --set --name knock2 -j DROP

# if the src ip is already in the 'knock2' list (with the expiry time of 10 seconds)
# and the 3rd port knock is correct, add the src ip to the 'knock3' list
iptables -A KNOCKING -p tcp -m recent --rcheck --seconds 10 --reap --name knock2 -m tcp --dport 3333 -m recent --set --name knock3 -j DROP

# if the src ip is already in the 'knock3' list (with the expiry time of 10 seconds)
# and the 4th port knock is correct, add the src ip to the 'knockfinal' list
iptables -A KNOCKING -p tcp -m recent --rcheck --seconds 10 --reap --name knock3 -m tcp --dport 4444 -m recent --set --name knockfinal -j DROP

# otherwise, we don't do anything and the default INPUT policy will drop the packet

I think this is the shortest iptables port-knocking ruleset I've seen so far...
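As an added example (not part of the answer above), a POSIX shell script that generates the same ruleset for any knock sequence instead of the fixed four ports, so the per-knock pattern (rcheck the previous list, set the next one) is written once. The port list, the window lengths and the unrestricted ESTABLISHED rule are assumptions of this example.

```shell
#!/bin/sh
# Constructed example: print the port-knocking ruleset above for an
# arbitrary knock sequence. Rules are printed, not applied, so they can be
# reviewed first (or piped to sh as root) without touching the live firewall.

KNOCK_STEP_SECONDS=10   # each knock must follow the previous one within this window
KNOCK_FINAL_SECONDS=60  # how long a fully knocked source stays accepted

# knock_chain PORT... : print the KNOCKING chain.
# Knock i moves the source from list knock(i-1) to knock(i); the last knock
# moves it into knockfinal, which the first rule of the chain accepts.
knock_chain() {
    prev=""
    i=0
    printf 'iptables -N KNOCKING\n'   # -N fails if the chain exists; -F then empties it
    printf 'iptables -F KNOCKING\n'
    printf 'iptables -A KNOCKING -m recent --rcheck --seconds %s --reap --name knockfinal -j ACCEPT\n' \
        "$KNOCK_FINAL_SECONDS"
    for port in "$@"; do
        i=$((i + 1))
        if [ "$i" -eq "$#" ]; then next="knockfinal"; else next="knock$i"; fi
        if [ -z "$prev" ]; then
            # first knock: nothing to check yet, just record the source address
            printf 'iptables -A KNOCKING -p tcp -m tcp --dport %s -m recent --set --name %s -j DROP\n' \
                "$port" "$next"
        else
            # later knocks: the source must still be in the previous list;
            # --reap purges entries older than --seconds during the check
            printf 'iptables -A KNOCKING -p tcp -m recent --rcheck --seconds %s --reap --name %s -m tcp --dport %s -m recent --set --name %s -j DROP\n' \
                "$KNOCK_STEP_SECONDS" "$prev" "$port" "$next"
        fi
        prev="$next"
    done
}

# knock_rules PORT... : the INPUT policy around the chain.
knock_rules() {
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    # accept every established flow, whatever its ports: a session opened inside
    # the knockfinal window must keep working after that entry expires
    printf 'iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n'
    knock_chain "$@"
    printf 'iptables -A INPUT -j KNOCKING\n'
}

knock_rules 1111 2222 3333 4444
```

The ESTABLISHED rule is deliberately not limited to a few source ports: with --rcheck the knockfinal timestamp is never refreshed, so without it a connection opened inside the 60-second window would lose its only ACCEPT path once that entry is reaped.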
