I'd like to migrate my old pure iptables firewall configuration to a shorewall setup. I get the basics, but I haven't been able to replicate my existing knockd setup:
- I have a 'tmpknock' chain that opens some ports, e.g. port 22, for 30 seconds (multiple IPs allowed at the same time in the tmpknock chain, if multiple people try to log in simultaneously!).
- I have a 'permknock' chain that opens some ports (e.g. 80) forever, but only to one IP at a time (which gets replaced when the next one knocks from a different IP; this allows me to test some services which are not currently open to the public)
The setup in /etc/knockd.conf is simple:
[tmpAndPermKnock]
    sequence      = 10000,11000,12000
    seq_timeout   = 9
    tcpflags      = syn
    start_command = /sbin/iptables -I tmpknock -s %IP% -j ACCEPT; /sbin/iptables -F permknock; /sbin/iptables -I permknock -s %IP% -j ACCEPT
    cmd_timeout   = 30
    stop_command  = /sbin/iptables -D tmpknock -s %IP% -j ACCEPT
Now I can easily link from my existing chains to these chains, e.g.:
iptables -A open-in -p tcp --dport 22 -j tmpknock
iptables -A open-in -p tcp --dport 80 -j permknock
How can I integrate this with a simple shorewall setup? I'm really just starting out with shorewall, and don't know how to perform the jump to my chains. I imagine it would be something like this:
/etc/shorewall/rules (does not work):
#ACTION           SOURCE  DEST  PROTO  DEST PORT(S)
JUMP(tmpknock)    net     fw    tcp    22
JUMP(permknock)   net     fw    tcp    80
... but there's no JUMP action in http://shorewall.net/manpages/shorewall-rules.html ...
There doesn't seem to be a nice solution to this (boo Shorewall) :-/ There seem to be two options:
start extension script (which is run after Shorewall has set up all its rules) to insert a jump rule to the knock chains in the INPUT chain.
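As an added illustration of that answer (this is example code, not from the post or from Shorewall's documentation), here is what such a `start` extension script could look like. It assumes the file lives at /etc/shorewall/start and that plain /sbin/iptables is used, exactly as in the knockd.conf above; the `IPTABLES` override and the `knock_rule_args`/`apply_knock_rules` helper names are my own. The chain names and ports (tmpknock/22, permknock/80) are the ones from the question. Because Shorewall rebuilds the filter table on restart, the script creates the knock chains if they are missing and inserts the jumps at the top of INPUT, so that a packet from a knocked IP is accepted before Shorewall's zone rules run, while packets from other IPs fall through the (empty) knock chain and continue to Shorewall's normal processing. Anything knockd had opened before a restart is gone until that IP knocks again.

```shell
#!/bin/sh
# Example Shorewall 'start' extension script (assumed path: /etc/shorewall/start).
# Not part of the original post; written to show the approach from the answer.
# Shorewall runs this after its own rules are in place, so this is where the
# knockd target chains are (re)created and the jumps from INPUT are inserted.
#
# Set IPTABLES=echo to preview the commands instead of applying them.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# chain:port pairs, matching the 'open-in' rules from the question.
KNOCK_SPECS="tmpknock:22 permknock:80"

# knock_rule_args SPEC: print the iptables argument lists for one "chain:port"
# spec, one per line: first create the chain, then the jump from INPUT.
# This has no side effects so the generated rules can be checked separately.
knock_rule_args() {
    chain="${1%%:*}"
    port="${1#*:}"
    case "$port" in
        ''|*[!0-9]*) echo "knock: bad port in spec '$1'" >&2; return 1 ;;
    esac
    printf '%s\n' "-N $chain"
    printf '%s\n' "-I INPUT -p tcp --dport $port -j $chain"
}

# apply_knock_rules: run the generated commands for every spec.
# '-N' on a chain that already exists fails harmlessly, so the script is
# safe whether or not Shorewall removed the chains on restart.
apply_knock_rules() {
    for spec in $KNOCK_SPECS; do
        knock_rule_args "$spec" | while IFS= read -r args; do
            case "$args" in
                -N\ *) "$IPTABLES" $args 2>/dev/null || true ;;
                *)     "$IPTABLES" $args ;;
            esac
        done
    done
}

# Fall back to printing when iptables is not available (e.g. when reviewing
# the script on a workstation); Shorewall itself always has it.
if ! command -v "$IPTABLES" >/dev/null 2>&1; then
    echo "knock: $IPTABLES not found, printing rules instead" >&2
    IPTABLES=echo
fi

apply_knock_rules
```

Run `IPTABLES=echo sh /etc/shorewall/start` to see the four iptables invocations it would make. Note that the knock chains only ever contain `-j ACCEPT` rules added by knockd, so inserting the jump ahead of Shorewall's rules widens access only for IPs that have completed the knock sequence.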