blob: 94fc84071b503a547d2d6482c41387c68d16317b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
#!/bin/bash
set -e
RULESET="define guarded_ports = {ssh}
table inet portknock {
set clients_ipv4 {
type ipv4_addr
flags timeout
}
set candidates_ipv4 {
type ipv4_addr . inet_service
flags timeout
}
chain input {
type filter hook input priority -10; policy accept;
tcp dport 10001 add @candidates_ipv4 {ip saddr . 10002 timeout 1s}
tcp dport 10002 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip saddr . 10003 timeout 1s}
tcp dport 10003 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip saddr . 10004 timeout 1s}
tcp dport 10004 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip saddr . 10005 timeout 1s}
tcp dport 10005 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 {ip saddr timeout 600s} log prefix \"Successful portknock: \"
tcp dport \$guarded_ports ip saddr @clients_ipv4 counter accept
tcp dport \$guarded_ports ct state established,related counter accept
tcp dport \$guarded_ports reject with tcp reset
}
}"
$NFT -f - <<< "$RULESET"
|
