Hi!
I have a mAP Lite router. Nice little thing! I want it to automagically connect to my (Mikrotik!! ) router and establish a VPN tunnel after booting the mAP Lite. But I want to conduct a port knocking sequence to first open up firewall rules for VPN connection before setting up the VPN tunnel.
Is it possible by scripting in routerOS to make a port knock sequence?
/SA0BJW
Re: Portknocking by script.
On the router side, you make a set of rules that add matching SRC address to a list:
e.g.:
chain=input protocol=tcp dst-port=9999 action=add-src-to-address-list list=phase1 timeout=2sec
chain=input protocol=tcp dst-port=12345 src-address-list=phase1 action=add-src-to-address-list list=phase2 timeout=2sec
etc...
where the last one adds the src to the list with a longer timeout period, like 5 minutes or something, during which the successful src IP may create new connections to the router.
I have an accept all established,related rule which will keep the connections open even after the knock expires. If I need to open a new connection after that, I must knock again.
As for the mikrotik being the source - I'm not sure if you can generate arbitrary packets on arbitrary ports with ROS (but I could be wrong - it has quite a nice tool set)
e.g.:
chain=input protocol=tcp dst-port=9999 action=add-src-to-address-list list=phase1 timeout=2sec
chain=input protocol=tcp dst-port=12345 src-address-list=phase1 action=add-src-to-address-list list=phase2 timeout=2sec
etc...
where the last one adds the src to the list with a longer timeout period, like 5 minutes or something, during which the successful src IP may create new connections to the router.
I have an accept all established,related rule which will keep the connections open even after the knock expires. If I need to open a new connection after that, I must knock again.
As for the mikrotik being the source - I'm not sure if you can generate arbitrary packets on arbitrary ports with ROS (but I could be wrong - it has quite a nice tool set)
Re: Portknocking by script.
Thanks for your answer.
I have already the portknocking up´n running on the receiving router, it works nicely! Would be very nice if the router could act as a client as well!
/SA0BJW
I have already the portknocking up´n running on the receiving router, it works nicely! Would be very nice if the router could act as a client as well!
/SA0BJW
Re: Portknocking by script.
Hmmm... This is interesting. I have a perl script to do the knock from unix...
I'm curious if you could use the fetch....
What I'm thinking is use fetch to fetch something on a random port... use layer 7 to analyze the address and match it to a secret key....
e.g. fetch http://:/somedata .... then fetch http://:/somedata2 ... use the port knocking via layer 7 rules....
I think it would work.... It's the only way I know of to have the mikrotik generate the knock....
On the script side... would be something like....
I'm curious if you could use the fetch....
What I'm thinking is use fetch to fetch something on a random port... use layer 7 to analyze the address and match it to a secret key....
e.g. fetch http://
I think it would work.... It's the only way I know of to have the mikrotik generate the knock....
Code:Select all
/ip firewall layer7-protocol add name=knock1 regexp="(GET \\/SOMERANDOMSTRING)" add name=knock2 regexp="(GET \\/ANOTHERRANDOMSTRING)" add action=add-src-to-address-list address-list=KnockStage1 address-list-timeout=2m chain=input comment="PortKnock #1" dst-port=9119 in-interface=ether01-gateway layer7-protocol=knock1 protocol=tcp add action=add-src-to-address-list address-list=KnockStage2 address-list-timeout=2m chain=input comment="PortKnock #2" dst-port=9229 in-interface=ether01-gateway layer7-protocol=knock2 protocol=tcp src-address-list=KnockStage1 add action=accept chain=input comment="PortKnock Allow" in-interface=ether01-gateway src-address-list=KnockStage2On the script side... would be something like....
Code:Select all
/tool fetch host= src-path=SOMERANDOMSTRING mode=http port=9119 keep-result=no /tool fetch host= src-path=ANOTHERRANDOMSTRING mode=http port=9229 keep-result=no 
Re: Portknocking by script.
This will leave send errors in yoour logs, but will work for a port knocker.
Code:Select all
/tool e-mail send server=ddns-or-ipaadress port=xxxx to=knock /tool e-mail send server=ddns-or-ipaadress port=yyyy to=knock /tool e-mail send server=ddns-or-ipaadress port=zzzz to=knockRe: Portknocking by script.
Thank you 2frogs for your answer. Have tested it and it works fine! Im sure the script efaden posted also works, shall try it out later.
Thanks!!!
Thanks!!!
Re: Portknocking by script.
Code:Select all/tool fetch host=src-path=SOMERANDOMSTRING mode=http port=9119 keep-result=no /tool fetch host= src-path=ANOTHERRANDOMSTRING mode=http port=9229 keep-result=no
This is a good idea to trigger the dst device of your port-knocking, however be sure to do it like this:
:do {/tool fetch host=
:do {/tool fetch host=
For some un-explained reason rOS scripts just die/halt (with no logged error nor any indication) if any line/command fails or produces an error. seeing as both of these fetch commands will error out (ie run one from the command line direct = "status:failed"), the script will only execute the first line, but not the 2nd (nor anything beyond where the "failed" occurs).
Thus you wont get your port knocking effect since only the first line runs. (and will prob waste alot of time thinking something is wrong with your FW rules or your script).
(this is assuming you are not running HTTPd server on all the ports you are knocking, which no one is running ofcourse. so as expected /tool fetch mode=http produces "failed" as it cant connect to a valid http server. The un-expected part is that this will kill you script, thus add the :do ... on-error ).
Re: Portknocking by script.
You could use a variation on port knocking but using icmp and various packet sizes.
Then the client can use the ping command with size set to execute the knock
Hope that helps
Nick
Then the client can use the ping command with size set to execute the knock
Hope that helps
Nick
Re: Portknocking by script.
Ooh, I like that. ICMP packet sizes are also pretty obscure to someone sniffing the wire.You could use a variation on port knocking but using icmp and various packet sizes.
Then the client can use the ping command with size set to execute the knock
Hope that helps
Nick
Re: Portknocking by script.
Allow trusted DDNS on VPN server.
Script the mAP to update a DDNS record on boot up and then establish the VPN connection. No need to knock on your own door unless you like secret handshakes.
You can also make a script in the mAP that updates the DDNS to a non public IP when your done using it in case your paranoid.
Script the mAP to update a DDNS record on boot up and then establish the VPN connection. No need to knock on your own door unless you like secret handshakes.
You can also make a script in the mAP that updates the DDNS to a non public IP when your done using it in case your paranoid.
-
-
SimonThomasen
newbie
- Posts: 32
- Joined:
Re: Portknocking by script.
Untested, but i have tested the pinging, that works.
发送和接收端口敲门2基于ICMPpackets.
Stage 2 must follow within 10 seconds of stage 1:
Sending 2 ICMP packets of specific sizes:
ping 11.11.11.11 count=1 interval=1 size=2101
:delay 1
ping 11.11.11.11 count=1 interval=1 size=1202
Receiving them:
/ip firewall filter add action=add-src-to-address-list address-list=knock1 address-list-timeout=00:00:10 chain=input comment="Port knocking, stage 1" protocol=icmp size=2101
/ip firewall filter add action=add-src-to-address-list src-address-list=knock1 address-list=knock2 chain=input comment="Port knocking, stage 2" protocol=icmp size=1202
发送和接收端口敲门2基于ICMPpackets.
Stage 2 must follow within 10 seconds of stage 1:
Sending 2 ICMP packets of specific sizes:
ping 11.11.11.11 count=1 interval=1 size=2101
:delay 1
ping 11.11.11.11 count=1 interval=1 size=1202
Receiving them:
/ip firewall filter add action=add-src-to-address-list address-list=knock1 address-list-timeout=00:00:10 chain=input comment="Port knocking, stage 1" protocol=icmp size=2101
/ip firewall filter add action=add-src-to-address-list src-address-list=knock1 address-list=knock2 chain=input comment="Port knocking, stage 2" protocol=icmp size=1202
Who is online
Users browsing this forum:Ahrefs [Bot]and 8 guests