{ "nftables": [ { "metainfo": { "version": "VERSION", "release_name": "RELEASE_NAME", "json_schema_version": 1 } }, { "table": { "family": "inet", "name": "portknock", "handle": 0 } }, { "chain": { "family": "inet", "table": "portknock", "name": "input", "handle": 0, "type": "filter", "hook": "input", "prio": -10, "policy": "accept" } }, { "set": { "family": "inet", "name": "clients_ipv4", "table": "portknock", "type": "ipv4_addr", "handle": 0, "size": 65535, "flags": [ "timeout", "dynamic" ] } }, { "set": { "family": "inet", "name": "candidates_ipv4", "table": "portknock", "type": [ "ipv4_addr", "inet_service" ], "handle": 0, "size": 65535, "flags": [ "timeout", "dynamic" ] } }, { "rule": { "family": "inet", "table": "portknock", "chain": "input", "handle": 0, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": 10001 } }, { "set": { "op": "add", "elem": { "elem": { "val": { "concat": [ { "payload": { "protocol": "ip", "field": "saddr" } }, 10002 ] }, "timeout": 1 } }, "set": "@candidates_ipv4" } } ] } }, { "rule": { "family": "inet", "table": "portknock", "chain": "input", "handle": 0, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": 10002 } }, { "match": { "op": "==", "left": { "concat": [ { "payload": { "protocol": "ip", "field": "saddr" } }, { "payload": { "protocol": "tcp", "field": "dport" } } ] }, "right": "@candidates_ipv4" } }, { "set": { "op": "add", "elem": { "elem": { "val": { "concat": [ { "payload": { "protocol": "ip", "field": "saddr" } }, 10003 ] }, "timeout": 1 } }, "set": "@candidates_ipv4" } } ] } }, { "rule": { "family": "inet", "table": "portknock", "chain": "input", "handle": 0, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": 10003 } }, { "match": { "op": "==", "left": { "concat": [ { "payload": { "protocol": "ip", "field": "saddr" } }, { "payload": { "protocol": "tcp", "field": "dport" } } ] }, "right": "@candidates_ipv4" } }, { "set": { "op": "add", "elem": { "elem": { "val": { "concat": [ { "payload": { "protocol": "ip", "field": "saddr" } }, 10004 ] }, "timeout": 1 } }, "set": "@candidates_ipv4" } } ] } }, { "rule": { "family": "inet", "table": "portknock", "chain": "input", "handle": 0, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": 10004 } }, { "match": { "op": "==", "left": { "concat": [ { "payload": { "protocol": "ip", "field": "saddr" } }, { "payload": { "protocol": "tcp", "field": "dport" } } ] }, "right": "@candidates_ipv4" } }, { "set": { "op": "add", "elem": { "elem": { "val": { "concat": [ { "payload": { "protocol": "ip", "field": "saddr" } }, 10005 ] }, "timeout": 1 } }, "set": "@candidates_ipv4" } } ] } }, { "rule": { "family": "inet", "table": "portknock", "chain": "input", "handle": 0, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": 10005 } }, { "match": { "op": "==", "left": { "concat": [ { "payload": { "protocol": "ip", "field": "saddr" } }, { "payload": { "protocol": "tcp", "field": "dport" } } ] }, "right": "@candidates_ipv4" } }, { "set": { "op": "add", "elem": { "elem": { "val": { "payload": { "protocol": "ip", "field": "saddr" } }, "timeout": 600 } }, "set": "@clients_ipv4" } }, { "log": { "prefix": "Successful portknock: " } } ] } }, { "rule": { "family": "inet", "table": "portknock", "chain": "input", "handle": 0, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": 22 } }, { "match": { "op": "==", "left": { "payload": { "protocol": "ip", "field": "saddr" } }, "right": "@clients_ipv4" } }, { "counter": { "packets": 0, "bytes": 0 } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "portknock", "chain": "input", "handle": 0, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": 22 } }, { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": [ "established", "related" ] } }, { "counter": { "packets": 0, "bytes": 0 } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "portknock", "chain": "input", "handle": 0, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": 22 } }, { "reject": { "type": "tcp reset" } } ] } } ] }