wesleyit · September 26, 2014 20:21
diff --git a/stateful_iptables_port_knocking.sh b/stateful_iptables_port_knocking.sh
 #!/bin/bash
 # ##########################################################
 # stateful_iptables_port_knocking.sh
 # Shell script to setup a port knocking 
 # set of rules on SSH port.
 # Wesley Rodrigues da Silva <wesley.it at gmail.com>
 # LICENCE CREATIVE COMMONS BY - 2014
 # http://creativecommons.org/licenses/by/2.0/legalcode
 # ########################################################

 ## Clean all rules and chains 
 iptables -t filter -F
 iptables -t nat -F
 iptables -t mangle -F
 iptables -X
 iptables -Z
 iptables -t filter -P INPUT DROP
 iptables -t filter -P FORWARD DROP
 iptables -t filter -P OUTPUT ACCEPT


 # Allow local traffic
 iptables -t filter -A INPUT -d 127.0.0.1 -j ACCEPT
 iptables -t filter -A OUTPUT -d 127.0.0.1 -j ACCEPT

 # Allow returning packets (established connections)
 iptables -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -t filter -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

 ## Using the module "recent", create a new key on tcp/1986
 iptables -A INPUT -p tcp --dport 1986 -m recent --set --name SSH_PERMIT

 ## Grant access only if the key has ben "touched"in the last 30 seconds
 iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 30 --name SSH_PERMIT -j ACCEPT

 ## Reject all other connections in SSH port
 iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
	#!/bin/bash
	# ##########################################################
	# stateful_iptables_port_knocking.sh
	# Shell script to setup a port knocking
	# set of rules on SSH port.
	# Wesley Rodrigues da Silva <wesley.it at gmail.com>
	# LICENCE CREATIVE COMMONS BY - 2014
	# http://creativecommons.org/licenses/by/2.0/legalcode
	# ########################################################

	## Clean all rules and chains
	iptables -t filter -F
	iptables -t nat -F
	iptables -t mangle -F
	iptables -X
	iptables -Z
	iptables -t filter -P INPUT DROP
	iptables -t filter -P FORWARD DROP
	iptables -t filter -P OUTPUT ACCEPT


	# Allow local traffic
	iptables -t filter -A INPUT -d 127.0.0.1 -j ACCEPT
	iptables -t filter -A OUTPUT -d 127.0.0.1 -j ACCEPT

	# Allow returning packets (established connections)
	iptables -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
	iptables -t filter -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
	iptables -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

	## Using the module "recent", create a new key on tcp/1986
	iptables -A INPUT -p tcp --dport 1986 -m recent --set --name SSH_PERMIT

	## Grant access only if the key has ben "touched"in the last 30 seconds
	iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 30 --name SSH_PERMIT -j ACCEPT

	## Reject all other connections in SSH port
	iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset