FYI IPTables & Port Knocking

gordon

Member
Joined
Jun 7, 2013
Messages
96
Reaction score
7
So I am having trouble getting port knocking to work.

I've installed IncrediblePBX on Ubuntu 14.04 using http://nerdvittles.com/?p=9713

My problem is that port knocking only seems to work for whitelisted IP addresses out of the box (which defeats the purpose).

Tailing the knockd.log file only outputs anything using nmap from one of the IPs manually whitelisted like
Code:
-A INPUT -s 123.123.123.123 -j ACCEPT

Reading the post http://nerdvittles.com/?p=9871 and it says "These ports need not be opened in your IPtables firewall configuration! We’re just knocking, not entering." So what am I doing wrong?
 

gordon

I've also verified I am testing from IPs allowed to pass through the hardware firewall and toggled the iptables whitelist for these IPs
 

tycho

Guru (not...)
Joined
Aug 9, 2011
Messages
652
Reaction score
272
I recently installed incredible PBX 12 on an Ubuntu 14 instance on my new CloudAtCost server. I experimented with port knocking, installing the DroidKnocker app on my Moto X smartphone. I switched off wifi on the phone and switched on 4G LTE, thereby obtaining a completely different IP address from my home IP range. I activated DroidKnocker, and then checked the port knocker log on the PBX. The log reflected the knocks, and it showed that the foreign 4G LTE IP address had been added. I checked again later, and the address expired, as expected, after an hour. So, from what I can tell, it is working as advertised.
 

gordon

I installed IncrediblePBX from
Code:
http://incrediblepbx.com/incrediblepbx11.4.ubuntu14.tar.gz
. And then used the update script. Good to know it is working for you. Trying to figure out what is going on with mine
 

gordon

tycho
Thanks that was helpful. I did not realize the latest version was 12 instead of 11.4. I will create a new instance and see if that fixes my issues.

Also, I read up on virtualization approaches because I am given the choice between paravirtual and hvm. I rebuilt the previous image as paravirtual and got responses back from nmap when attempting to knock. But it still wasn't granting me access.
 

gordon

Hrm... still no luck.

With the following in rules.v4 I can port knock and see a log entry when tailing /var/log/knockd.log
Code:
-A INPUT -s 123.123.123.123 -j ACCEPT

If I change it to
Code:
#-A INPUT -s 123.123.123.123 -j ACCEPT
and run "sudo iptables-restart", I get a "host seems down" from nmap and see no log output for the knock.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,228
gordon Is your server behind a hardware-based firewall?? If so, you must forward the three knock ports from the firewall to your server's private IP address.
 

gordon

gordon Is your server behind a hardware-based firewall?? If so, you must forward the three knock ports from the firewall to your server's private IP address.

Thanks for the reply. The server is behind a hardware-based firewall, but I've whitelisted all traffic from my IP until I get everything running as expected. Since the knocks are received when I disable IPTables, I think my hardware-based firewall is allowing the knocks to pass in both cases.
 

wardmundy

That shouldn't work if you're not forwarding the ports unless your server is in DMZ. What type of firewall?
 

gordon

I guess it would be analogous to DMZ. Amazon EC2 Security Group. I guess it isn't technically a hardware-based firewall.
 

gordon

It is set to allow all tcp/udp/icmp traffic from my IP address.
 

wardmundy

To put it charitably, Amazon is different. They're probably blocking the port knocks. Do yourself and your wallet a favor. Find another provider.
 

tycho

gordon:

Well, it works on my VM on CloudAtCost...

I actually never toyed with port knocking on my previous DigOcean droplet. If I have time I will fire that one back up from the saved state that I probably still have on D.O. and check. However, I created it some time ago, and I don't now recall if it is a version that incorporates port knocker...
 

gordon

wardmundy

So I just tried this on DigitalOcean with CentOS 6.5 and IncrediblePBX 11.4 from http://nerdvittles.com/?p=10079 and I observed the same behavior.

I know this is used by lots of people, but I do not think this is something I am doing at this point. Can anyone confirm with either CentOS 6.5 or Ubuntu 14.04 and IncrediblePBX 11.4, or Ubuntu 14.04 and IncrediblePBX 12, that port knocking from an IP that is not already whitelisted with iptables works correctly when deployed on DigitalOcean or Amazon EC2 (or another virtualized cloud provider)?

Here is nmap output from an IP that is already whitelisted in iptables:
Code:
COMPUTER #1 WITH WHITELISTED IP

$ nmap -p 1234 foo.bar.com

Starting Nmap 6.40 ( http://nmap.org ) at 2014-12-12 18:44 EST
Nmap scan report for foo.bar.com (123.123.123.123)
Host is up (0.040s latency).
PORT    STATE  SERVICE
1234/tcp closed unknown

Here is nmap output that fails:
Code:
COMPUTER #2 NO IPTABLES ENTRY

$nmap -p 1234 foo.bar.com

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-12 15:44 Pacific Standard Time

Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn

Nmap done: 1 IP address (0 hosts up) scanned in 5.75 seconds
 
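A small checker for the log gordon is tailing, added here as an example (it is not code from the thread or from IncrediblePBX): it parses knockd-style log lines together with the static `-A INPUT -s ... -j ACCEPT` rules from rules.v4 and reports, per knocking IP, whether the sequence completed and whether that IP was whitelisted anyway, which is exactly the case that proves nothing about knocking working. The log line format, the addresses and the "openSSH" sequence name are constructed for this example.

```python
import re

# Constructed sample lines in the shape knockd writes to /var/log/knockd.log
# (timestamps, addresses and the "openSSH" sequence name are made up here).
SAMPLE_LOG = """\
[2014-12-12 18:44:01] 123.123.123.123: openSSH: Stage 1
[2014-12-12 18:44:01] 123.123.123.123: openSSH: Stage 2
[2014-12-12 18:44:02] 123.123.123.123: openSSH: Stage 3
[2014-12-12 18:44:02] 123.123.123.123: openSSH: OPEN SESAME
[2014-12-12 18:44:02] openSSH: running command: /sbin/iptables -I INPUT -s 123.123.123.123 -j ACCEPT
[2014-12-12 18:50:10] 198.51.100.7: openSSH: Stage 1
[2014-12-12 18:50:11] 198.51.100.7: openSSH: Stage 2
"""

# Constructed rules.v4 excerpt: a static whitelist rule, a commented-out one, a DROP.
SAMPLE_RULES = """\
-A INPUT -s 123.123.123.123 -j ACCEPT
#-A INPUT -s 203.0.113.9 -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP
"""

STAGE_RE = re.compile(r"^\[[^\]]+\] (\d+\.\d+\.\d+\.\d+): (\S+): (?:Stage (\d+)|(OPEN SESAME))$")
WHITELIST_RE = re.compile(r"^-A INPUT -s (\d+\.\d+\.\d+\.\d+)(?:/\d+)? -j ACCEPT\s*$")

def static_whitelist(rules_text):
    """Source IPs accepted unconditionally by rules.v4; commented-out rules do not count."""
    return {m.group(1) for m in map(WHITELIST_RE.match, rules_text.splitlines()) if m}

def knock_progress(log_text):
    """Map (ip, sequence name) -> highest stage seen, or 'open' once OPEN SESAME is logged."""
    progress = {}
    for line in log_text.splitlines():
        m = STAGE_RE.match(line)
        if not m:          # "running command" lines and anything else are skipped
            continue
        key = (m.group(1), m.group(2))
        if m.group(4):
            progress[key] = "open"
        elif progress.get(key) != "open":
            progress[key] = max(progress.get(key, 0), int(m.group(3)))
    return progress

def knock_report(log_text, rules_text):
    """Per knocking IP: did the sequence complete, and was the IP statically whitelisted anyway?"""
    wl = static_whitelist(rules_text)
    return {ip: {"sequence": seq, "completed": st == "open",
                 "stage": None if st == "open" else st, "already_whitelisted": ip in wl}
            for (ip, seq), st in knock_progress(log_text).items()}
```

Only a completed entry with `already_whitelisted` false shows that knocks from the outside actually reach knockd; an incomplete entry for a non-whitelisted IP (as for 198.51.100.7 above) points at knocks being lost before the daemon sees them.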

gordon

Well, I've got no idea what is going on... but I changed the knock sequence to expect udp instead of tcp and it works with CentOS 6.5 (didn't try Ubuntu because I trashed the image). If I change it back to tcp, it doesn't work. Neither nmap nor the knock client works with tcp ports. But I can get it to respond to udp ports consistently from the knock client so that is something anyways.
 

tycho

Interesting. Using Ubuntu and I-PBX 12 on my CloudAtCost instance, and DroidKnocker on my Moto X, my experience was exactly the opposite. I had been tinkering with DroidKnocker and was given the option of knocking using either TCP or UDP. I couldn't recall which I was supposed to use, so I tried both. TCP worked; UDP did not work.
 
