Introduction

When setting up routers or firewalls and we open management ports on the internet, we allow only trusted, safe, IPs to access these ports. This is done simply by creating a “safe” access list, containing a list of the IPs retained as safe, and configure the firewall rules to accept connections on the port from the IPs listed in the safe list.

Sometimes you may need to connect to the ports but you may not be connected to any of the IPs in the safe list. In this scenario, the firewall would drop your requests and you would not b able to access the ports.

This is were port knocking comes in handy.

Port knocking is usually used to open ports on a firewall after connecting to a specified set of ports in a sequence. For example you can set-up the firewall to open TCP port 22 (SSH) if you first connect to port 100 and then within the next 10 seconds, you need to connect to port 99. This would open port 22 for a limited time and, if you want, allow connections from that IP only.

Configure

Since I am already using access lists to filter the IPs that are allowed to connect to the ports, I set-up port knocking to just add the source knocking IP address to the “safe” list.

Below I will show and explain the commands needed to configure port knocking on two ports. The filter rules below are applied on the input chain.

First we need to configure the first knocking port. IP addresses attempting to connect to this port, tcp 2014, will be placed in an intermediate address list named “knock” for 15 seconds.

/ip firewall filter

add action=add-src-to-address-list address-list=knock address-list-timeout=\
15s chain=input comment=”First Knocking Port” dst-port=2014 protocol=tcp

Another filter rule will check if the IPs attempting to connect to the second knocking port, tcp 1420, are in the “knock” address list. If they are, then the source IP is placed in the safe list for 15 minutes.

add action=add-src-to-address-list address-list=safe address-list-timeout=15m \
chain=input comment=”Second Knocking Port” dst-port=1420 protocol=tcp \
src-address-list=knock

Knocking

Now that knocking is configured on the firewall, you need to know how to knock on the ports.

There are applications like GregSowell.com PortKnock that allow you to do this. Greg’s application lets you knock on up to 4 udp/tcp ports.

Since I am listening on TCP ports, I normally open two command prompt windows and execute a telnet command in each which connect to different ports sequentially. Eg telnet <IP address> <knocking port>

You may also open two browser windows and attempt to connect to the ports typing the address and port in the address bar like this:

http://<ip address>:<knocking port>

The options are vast to knock a vast when listening on TCP ports.

For UDP you can use the PortQry Command Line Port Scanner Version 2.0 like in the example below for each port.

portqry.exe -n <ip address> -e <knocking port> -p UDP

Now that the IP is in the “safe” list, you can connect to the restricted ports Eg HTTPS or WinBox(for Mikrotik).

Final Note

As you may notice, the first knocking port is higher then the second port. This is to prevent port scanners from knocking on the port in sequence and eventually get the ip listed as safe. To add an additional layer of security you can configure a third port and make the sequence port 2,1,3.

I invite you to leave a comment if you found this information useful or would like to add more to the topic.

By Brian Farrugia

I am the author of Phy2Vir.com. More info can be found on the about page.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.