
Protecting Linux server ports with knockd (port knocking)

2020-03-16  777930641f9e

knockd watches for connection attempts to a specific sequence of ports on the server and, when a client hits them in the right order within a time limit, runs a command of your choosing. Here the commands add and delete iptables rules, so the SSH port is closed to everyone by default and opened only for the IP address that knocked. knockd captures the packets with libpcap rather than accepting connections, so the knock ports themselves stay closed in the firewall.

Environment: Debian GNU/Linux 8

1. Install knockd

aptitude -y install knockd

2. List the files the package installed

root@debian:~# dpkg -L knockd
/.
/etc
/etc/default
/etc/default/knockd
/etc/init.d
/etc/init.d/knockd
/etc/knockd.conf
/usr
/usr/bin
/usr/bin/knock
/usr/sbin
/usr/sbin/knockd
/usr/share
/usr/share/doc
/usr/share/doc/knockd
/usr/share/doc/knockd/README.Debian
/usr/share/doc/knockd/TODO
/usr/share/doc/knockd/README
/usr/share/doc/knockd/changelog.gz
/usr/share/doc/knockd/changelog.Debian.gz
/usr/share/doc/knockd/copyright
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/knock.1.gz
/usr/share/man/man1/knockd.1.gz

3. Edit /etc/default/knockd

Enable the daemon:

START_KNOCKD=1

Interface to listen on (the one the knocks arrive on):

KNOCKD_OPTS="-i eth0"

4. Edit /etc/knockd.conf and add two rules: one that opens SSH for the knocking IP and one that closes it again. sequence is the list of ports to knock in order, seq_timeout is the number of seconds within which all knocks must arrive, tcpflags = syn means only SYN packets (connection attempts) count, so the connection never has to complete, and %IP% is replaced with the knocker's source address. The closing sequence here is simply the opening one reversed. Keep in mind that the knocks travel in the clear and knockd acts on single SYN packets: an observer on the path can replay the opening sequence, and spoofed SYNs can trigger the closing sequence for someone else's address (knockd's one_time_sequences option limits replay).

[options]

logfile = /var/log/knockd.log

[openSSH]

sequence = 7000,8000,9000

seq_timeout = 5

command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

tcpflags = syn

[closeSSH]

sequence = 9000,8000,7000

seq_timeout = 5

command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

tcpflags = syn

5. Set the default policy of the iptables INPUT chain to DROP. Do this from the console, or only after adding rules that accept loopback and ESTABLISHED,RELATED traffic: with nothing else in the chain, DROP also cuts an existing SSH session and the replies to the server's own outbound connections. knockd still sees the knocks afterwards, because it captures packets with libpcap instead of accepting connections.

iptables -P INPUT DROP

6. Start knockd

service knockd start
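The server-side setup from steps 3 to 6 as one script. This is an added example, not the post's own commands: it writes the same knockd.conf sequences and /etc/default/knockd settings as above, but brings the firewall up in an order that does not lock out an existing SSH session, starts knockd before the policy flips, and uses iptables -I so the per-IP ACCEPT is inserted ahead of any rule already in INPUT. Assumed: Debian 8 with sysvinit (service knockd start), /sbin/iptables with the conntrack match, interface eth0; the KNOCK_IFACE, SSH_PORT and DRY_RUN variables and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: server-side knockd setup in a
# lock-out-safe order. Assumed: Debian 8 (sysvinit), /sbin/iptables with the
# conntrack match, interface eth0. Variable and function names are the
# example's own.
set -u

KNOCK_IFACE="${KNOCK_IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints privileged commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Same two sequences as the post. -I instead of -A so the per-IP ACCEPT is
# inserted at the top of INPUT, ahead of any REJECT/DROP rule already there.
write_knockd_conf() {
    cat >"$1" <<EOF
[options]
    logfile = /var/log/knockd.log

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    tcpflags    = syn
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport $SSH_PORT -j ACCEPT

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    tcpflags    = syn
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport $SSH_PORT -j ACCEPT
EOF
}

# /etc/default/knockd holds only these two settings on Debian.
write_knockd_defaults() {
    printf 'START_KNOCKD=1\nKNOCKD_OPTS="-i %s"\n' "$KNOCK_IFACE" >"$1"
}

# Order matters: loopback and reply traffic are allowed BEFORE the policy
# flips. Without the ESTABLISHED,RELATED rule, "iptables -P INPUT DROP" cuts
# the SSH session you are typing in and the replies to every outbound
# connection (apt, DNS). The knock ports need no rule: knockd captures
# packets with libpcap, so it sees the SYNs the policy drops.
firewall_bootstrap() {
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -P INPUT DROP
}

main() {
    conf=/etc/knockd.conf; defaults=/etc/default/knockd
    if [ "$DRY_RUN" = 1 ]; then      # preview: show the files instead of writing them
        conf=/dev/stdout; defaults=/dev/stdout
    fi
    write_knockd_conf "$conf"
    write_knockd_defaults "$defaults"
    run service knockd start         # open the side door before locking the front one
    firewall_bootstrap
}

# usage: DRY_RUN=1 sh knockd-setup.sh apply   (preview), then as root: sh knockd-setup.sh apply
if [ "${1:-}" = apply ]; then
    main
fi
```

With the ESTABLISHED,RELATED rule in place, knocking the closing sequence only blocks new connections; a session that is already open survives, which is the behaviour you normally want.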

7. Download the client (Windows build)

http://www.zeroflux.org/proj/knock/files/knock-win32.zip

8. Run the client with the opening sequence

C:\Users\wuwei\Downloads\knock-win32\knock-win32-port\Release

knock.exe 192.168.88.120 7000 8000 9000

Knocking the three configured ports in order makes the server add the firewall rule that allows SSH from the knocking client's IP address.

9. Connect to the server over SSH

10. Check iptables

root@debian:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.88.109 anywhere tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

The only rule in INPUT is the ACCEPT for the client that knocked, 192.168.88.109, and the default policy is DROP.

11. Disconnect the SSH session

12. Run the client with the closing sequence

C:\Users\wuwei\Downloads\knock-win32\knock-win32-port\Release

knock.exe 192.168.88.120 9000 8000 7000

Knocking the ports in the closing order makes the server delete the rule; SSH packets from that IP are dropped again.

13. Check iptables again

(screenshot of iptables -L output)

The ACCEPT rule for SSH is gone, and the default policy is still DROP.

14. Try to connect over SSH

C:\Users\wuwei\Downloads\knock-win32\knock-win32-port\Release

λ ssh root@192.168.88.120

ssh: connect to host 192.168.88.120 port 22: Connection timed out
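A knock client for a Linux or macOS workstation, covering steps 8 through 12 without knock.exe. This is an added example, not code from the post or from the knock project: it sends the opening sequence, starts ssh, and sends the closing sequence when the session ends. Assumed: bash (for /dev/tcp), GNU coreutils timeout and sleep, and the 7000/8000/9000 sequence from the post; the function names knock, reverse_ports and ssh_via_knock are the example's own.

```shell
#!/bin/bash
# Added example, not from the original post or the knock project: a shell
# knock client. Assumed: bash for /dev/tcp, GNU timeout/sleep, and the post's
# 7000/8000/9000 sequence. Function names are the example's own.

# One TCP SYN per port, in order. knockd is configured with tcpflags = syn, so
# the connection never needs to complete; each attempt is killed after 0.3 s.
# Closing a socket that is still in SYN_SENT stops the kernel from
# retransmitting the SYN later, which would reach knockd out of order. The
# 0.2 s pause keeps the whole sequence well inside seq_timeout = 5.
knock() {
    host=$1; shift
    for port in "$@"; do
        # failure is the normal case: the port is closed or silently dropped
        timeout 0.3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || true
        sleep 0.2
    done
    return 0
}

# The post closes the port with the opening sequence reversed.
reverse_ports() {
    out=""
    for p in "$@"; do
        out="$p${out:+ $out}"
    done
    printf '%s\n' "$out"
}

# Knock open, run the SSH session, knock closed when it ends (the EXIT trap
# also fires if ssh is interrupted), so the ACCEPT rule is not left behind.
ssh_via_knock() {
    host=$1; user=$2; shift 2
    open_seq="$*"
    close_seq=$(reverse_ports "$@")
    trap 'knock "$host" $close_seq' EXIT
    knock "$host" $open_seq
    sleep 1            # give knockd time to run its iptables command
    ssh "$user@$host"
}

# usage: ./knock.sh 192.168.88.120 root 7000 8000 9000
if [ $# -ge 3 ]; then
    ssh_via_knock "$@"
fi
```

Because the server drops unknown SYNs silently, a knock against it looks exactly like the "Connection timed out" in step 14; the client has no way to confirm the knock was counted other than to try the SSH connection afterwards.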
