ipt_pkd

ipt_pkd is an iptables extension implementing port knock detection.

ipt_pkd Ranking & Summary


  • License: GPL
  • Price: FREE
  • Publisher Name: Eric
  • Publisher web site: ftp://ftp.urbanrage.com/pub/c/

ipt_pkd Description

ipt_pkd is an iptables extension implementing port knock detection. ipt_pkd provides 3 parts: the kernel module ipt_pkd, the iptables user space module libipt_pkd.so, and a user space client knock program. For the knock packet, it uses a UDP packet sent to a random port that contains a SHA-256 of a timestamp, small header, random bytes, and a shared key. ipt_pkd checks the time window of the packet and does the SHA-256 to verify the packet. The shared key is never sent.

Some examples:

Protecting ssh (port 22).

    iptables -A INPUT -p udp -m pkd --key test -m recent --set --name PKD
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --rcheck --name PKD --seconds 60 --hitcount 1 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP

These rules will drop any new ssh connection attempts unless a valid knock packet was seen for the incoming client IP in the last 60 seconds. You can use hitcount to control how many times you have to knock, though in the above rules you'd also need to change the --set to --update, otherwise the hitcount wouldn't go over 1.

You could also use it to control how long a session could be by adding a drop on all packets to --dport 22 and setting --seconds to be how long you wanted a session to last.

    iptables -A INPUT -p udp -m pkd --key 0xAA0693aB -m recent --set --name PKD
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --rcheck --name PKD --seconds 60 --hitcount 1 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -m recent --name PKD --rcheck --seconds 600 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j DROP

Files in the distribution:

  • libipt_pkd.c -- iptables user space portion, becomes libipt_pkd.so
  • pkd.c -- iptables kernel portion, becomes ipt_pkd.ko
  • knock.c -- client knock program, becomes knock
  • knock.py -- client knock in python
  • ipt_pkd.h -- common header

knock (C version) gets the host from the command line and asks for a password. knock.py (python version) reads its information out of an ini file (default ~/.ipt_pkd.ini); an example ini file is included in the distribution.

To build you need your kernel headers for the kernel module, iptables-dev for the iptables user space portion, and libssl-dev for knock as it uses the sha256 library from openssl. Then just make; make install. For the make install you need to run as root. libipt_pkd.so gets installed in /lib/iptables, so if your iptables modules are in a different directory you'll need to move it.

The kernel module uses the kernel installer so who knows where it puts it. Also sometimes you have to manually run depmod -a afterward; if you see an error like "iptables: No chain/target/match by that name", then most likely depmod -a will fix it. On my system it's been putting the module in /lib/modules//extra. knock doesn't get put anywhere so put it wherever. I'm guessing if packaged it'll end up in /usr/bin or /usr/local/bin.

You might need to set IPT_VERS in the Makefile manually. It tries to get it by running /sbin/iptables -V, which can fail if it's in a different location on your system.

I also don't know which iptables it's compatible with. I tested it with 1.3.6 and 1.3.8 and it seemed to be fine with those versions.

Machines tested on:

  • VMWare client 32 bit running Ubuntu Feisty 2.6.20-16 kernel and iptables 1.3.6
  • x86 32bit running Debian unstable 2.6.22-686 kernel and iptables 1.3.8
  • x86_64 64bit running Sidux unstable 2.6.23 (vanilla) kernel and iptables 1.3.8
  • Sparc 64bit running Debian unstable 2.6.22-2-sparc64 kernel and iptables 1.3.8

What's New in This Release:

  • initial support for libxtables, just enough to get by and work
  • added port option in config so you can use this in conjunction with a firewall without having to have tons of open udp ports
  • added support for 2.6.29 kernels
  • added support for iptables 1.4.3.2
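The knock packet and the server-side check described above (SHA-256 over a timestamp, small header, random bytes and the shared key, validated inside a time window), as an added Python example that is not code from ipt_pkd itself. The byte layout, the 10-second window and the function names are assumptions for illustration, since the page only lists the packet's ingredients.

```python
import hashlib
import hmac
import os
import struct
import time

# Layout assumed for this example (the page gives the ingredients, not the byte order):
# 4-byte magic + 1-byte version, 8-byte big-endian timestamp, 16 random bytes,
# then SHA-256 over header|timestamp|random|key. The key itself never enters the packet.
MAGIC = b"PKD\x00"
VERSION = 1
HEADER_LEN, TS_LEN, RAND_LEN, DIGEST_LEN = 5, 8, 16, 32
WINDOW_SECONDS = 10  # assumed tolerance for clock skew between client and server


def build_knock(key, now=None, rnd=None):
    """Client side: assemble one knock packet payload for the shared key."""
    now = int(time.time()) if now is None else now
    rnd = os.urandom(RAND_LEN) if rnd is None else rnd
    body = MAGIC + bytes([VERSION]) + struct.pack(">Q", now) + rnd
    return body + hashlib.sha256(body + key).digest()


def verify_knock(packet, key, now=None):
    """Server side: accept only a well-formed packet whose timestamp lies inside
    the window and whose digest recomputes with the shared key."""
    now = int(time.time()) if now is None else now
    if len(packet) != HEADER_LEN + TS_LEN + RAND_LEN + DIGEST_LEN:
        return False
    body, digest = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    if body[:HEADER_LEN] != MAGIC + bytes([VERSION]):
        return False
    (ts,) = struct.unpack(">Q", body[HEADER_LEN:HEADER_LEN + TS_LEN])
    if abs(now - ts) > WINDOW_SECONDS:
        return False  # stale or future-dated knock: outside the time window
    expected = hashlib.sha256(body + key).digest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison


if __name__ == "__main__":
    key = b"test"  # constructed demo key, matching the --key test rule above
    pkt = build_knock(key)
    print(len(pkt), verify_knock(pkt, key), verify_knock(pkt, b"wrong"))
```

The random bytes make every knock payload differ; a verifier that also wants to reject a replayed packet inside the window would additionally have to remember recently seen digests, which this example does not do.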