I've been looking into using port knocking as a way to conceal/protect SSHD. I'm aware of knockd and other implementations, but I want something portable and simple. So I've decided iptables with the recent module is good enough.
I've already disabled password based login and require a public/private key. I just want it to appear like SSHD is not on the server, even to a port scanner.
I've seen many iptables rule examples, and I'm not quite clear how they're supposed to work.
What I want is to knock on a single obscure port to open port 22. At the same time I want to disable port knocking for a while if ports around it are accessed. So if my knocking port was 123, knocking on this port would open port 22 for 5 seconds for just the knocker. But if port 122 or 124 was knocked on it would disable port knocking for the knocker for 15 minutes (so even if they knocked on 123 nothing would happen in that time frame).
What iptables rules would achieve this?
Edit: I should add that I'm using CentOS 5.5. iptables modules can be used.
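One rule set that implements the behaviour the question describes, added here as an example; it is not taken from the question or from any answer on this page. The ports and timers (knock on 123, port 22 open for 5 seconds, hits on 122 or 124 disable knocking for that source for 15 minutes) are the question's; the ESTABLISHED/RELATED rule, the --syn match, the multiport match and the table names BANNED and KNOCKED are my additions. It assumes a CentOS 5.5-era iptables with the recent, state and multiport matches available.

```shell
#!/bin/sh
# Added example: single-port knock with decoy ports via the iptables "recent" match.
# Not from the question or the answers; ports and timers come from the question
# (knock on 123 opens 22 for 5 s, a hit on 122 or 124 bans the source for 15 min).
# Assumes CentOS 5.5-era iptables with the recent, state and multiport matches.

IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of loading them

knock_rules() {
    knock="$1"   # knock port
    open="$2"    # seconds port 22 stays open for the knocker
    ban="$3"     # seconds a decoy hit disables knocking for that source
    decoys="$((knock - 1)),$((knock + 1))"

    # Sessions already accepted keep working after the open window closes.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A hit on a decoy port records the source in BANNED; the packet is dropped.
    "$IPT" -A INPUT -p tcp -m multiport --dports "$decoys" -m recent --name BANNED --set -j DROP
    # A knock from a source banned within the last $ban seconds is dropped
    # without being recorded, so nothing happens for the rest of the ban.
    "$IPT" -A INPUT -p tcp --dport "$knock" -m recent --name BANNED --rcheck --seconds "$ban" -j DROP
    # A knock from anyone else records the source in KNOCKED; the knock packet
    # is still dropped, so the knock port itself never answers.
    "$IPT" -A INPUT -p tcp --dport "$knock" -m recent --name KNOCKED --set -j DROP
    # A new SSH connection from a source that knocked within the last $open seconds.
    "$IPT" -A INPUT -p tcp --dport 22 --syn -m recent --name KNOCKED --rcheck --seconds "$open" -j ACCEPT
    # Anything else aimed at port 22 is dropped, so a scanner sees it as filtered.
    "$IPT" -A INPUT -p tcp --dport 22 -j DROP
}

# Load the rules when run directly, e.g.:  sh knock.sh 123 5 900
[ "$#" -ge 1 ] && knock_rules "$1" "${2:-5}" "${3:-900}"
```

Two things to check before relying on this. The recent module compares --seconds against the timestamp it stored, so a 900-second window is fine in itself, but each table only remembers a fixed number of addresses (the ip_list_tot module parameter, 100 by default) and evicts the oldest entry when full, so a heavy scan from many sources can push a ban or a knock out of the table early. And DROP makes port 22 show as filtered rather than closed; if the rest of the host answers closed ports with a reset, a filtered port 22 still stands out, so the final port 22 rule should match whatever the box does for its other unused ports.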
All these rules have
iptables -A INPUT
in front of them. The one caveat is that I don't know if ipt_recent can track for 15 minutes.
Edit: tried to make the comments better and added the missing "recent".
I can't see a way other than having a conntrack helper for netfilter written specifically for this purpose - you can't "script" dynamic iptables rulesets and will have to use the conntrack mechanisms. This obviously would not work with vanilla iptables but require a custom-compiled module.