Those who need to provide themselves, their beloved, access to their servers from anywhere in the world via SSH / RDP / otherwise - a small RTFM / spur.

We need to do without VPN and other bells and whistles, from any device at hand.

And so that the server does not exercise too much.

All you need is knockd , straight arms and 5 minutes of work.

"Everything is on the Internet", of course (even on Habré ), but when it comes to a specific implementation, it starts ...

We will practice with the example of Fedora / CentOS, but it doesn’t matter.

The spur will suit both beginners and the bison of this business, so there will be comments, but shorter.

1. Server

• put knock-server:
  
  yum/dnf install knock-server
  
  
  
  

  
  
  
  
  
  
  

• configure it (for example on ssh) - /etc/knockd.conf:

  
  
  
  
  
  
  

   [options] UseSyslog interface = enp1s0f0 [SSHopen] sequence = 33333,22222,11111 seq_timeout = 5 tcpflags = syn start_command = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT cmd_timeout = 3600 stop_command = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT [SSHclose] sequence = 11111,22222,33333 seq_timeout = 5 tcpflags = syn command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        
        
  
          
          
          
        
  
      
          
          
          
        
        
  
          
          
          
        
  
      
       

  
  
  

  The "opening" part is set to auto-close after 1 hour. You never know ...

  
  
  
  
  
  
  

• / etc / sysconfig / iptables:

  
  
  
  
  
  
  

   ... -A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT ...
        
        
  
          
          
          
        
  
      
          
          
          
        
        
  
          
          
          
        
  
      
       

  
  
  

• forward:

  
  
  
  
  
  
  

   service iptables restart service knockd start
        
        
  
          
          
          
        
  
      
          
          
          
        
        
  
          
          
          
        
  
      
       

  
  
  

• You can add RDP to the virtual Windows Server spinning inside (/etc/knockd.conf; name the interface to your taste):

  
  
  
  
  
  
  

   [RDPopen] sequence = 44444,33333,22222 seq_timeout = 5 tcpflags = syn start_command = iptables -t nat -A PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2 cmd_timeout = 3600 stop_command = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2 [RDPclose] sequence = 22222,33333,44444 seq_timeout = 5 tcpflags = syn command = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
        
        
  
          
          
          
        
  
      
          
          
          
        
        
  
          
          
          
        
  
      
       

  
  
  

  All our kicks from the client are monitored on the server by the iptables -S
  
  
  
  command.

  
  
  
  
  
  
  

2. Rake Guide

knockd.conf:

Everything is in the mans too (but this is inaccurate), however knockd is a comrade rather stingy with messages, so you need to be very careful.

• version
  
  In Fedora / CentOS repositories, extreme knockd for today is 0.63. Who wants UDP - look for 0.70 packets.
• interface
  
  In the default configuration of Fedora / CentOS, this line is missing . Add by hand, otherwise it will not work.
• timeout
  
  Here to choose to taste. It is necessary for the client to have enough time for all the kicks - and the bot-scanner of the ports will break off (and 146% will scan it).
• start / stop / command.
  
  If the command is one - then command, if two - then start_command + stop_command.
  
  If you make a mistake, knockd will remain silent, but will not work.
• proto
  
  Theoretically, you can use UDP. In practice, I mixed tcp and udp, and a client from the beach in Bali was able to open a gate only from the fifth time. For TCP flew when necessary, and UDP is not a fact. But this is a matter of taste, again.
• sequence
  
  The implicit rake is that the sequences should not overlap ... how to say it ...

For example, this:

 open: 11111,22222,33333 close: 22222,11111,33333
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

Open 11111 kick will wait for the next kick on 22222. However, this (22222) kick will start to work close and everything will break. It depends on the delay of the client as well. Such things ©.

iptables

If in / etc / sysconfig / iptables this is this:

 *nat :PREROUTING ACCEPT [0:0]
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

it doesn’t bother us, then here it is:

 *filter :INPUT ACCEPT [0:0] ... -A INPUT -j REJECT --reject-with icmp-host-prohibited
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

Taki interferes.

Since knockd adds rules to the end of the INPUT chain, we get reject.

And to turn off this reject is to open the car to all winds.

In order not to go into iptables, where to put something before (as people suggest) we’ll make it easier:

• default in CentOS / Fedora the first rule ("what is not forbidden - allowed") is replaced by the opposite,
• and remove the last rule.

The result should be:

 *filter :INPUT DROP [0:0] ... #-A INPUT -j REJECT --reject-with icmp-host-prohibited
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

You can, of course, make REJECT instead of DROP, but with DROP, bots will have more fun.

3. Customer

In this place the most interesting (from my point of view), since you need to work not only from any beach, but also from any device.

In principle, a number of clients are listed on the project’s website , but this is from the same series “everything is on the Internet”. Therefore, I will list what works here and now at my fingertips.

When choosing a client, you must ensure that it supports the delay option between packets. Yes, the beach, the strife and 100 megabits never guarantee the arrival of packets in the right order at the right time from this place.

And yes - when setting up the client, delay must be selected independently. A lot of timeout - bots will attack, a little - the client will not be in time. There is a lot of delay - the client will not be in time or there will be a conflict of idiots (see "rake"), not enough - the packets will re-enter the Internet.

With timeout = 5s, the fully working option delay = 100..500ms

Windows

No matter how ridiculous it sounds, but google a distinct knock-client for this platform is quite nontrivial. Such that CLI supports delay, TCP - and without bows.

As an option, you can try this here . Apparently my Google is not a cake.

Linux

Everything is simple here:

 dnf install knock -y knock -d <delay> <dst_ip> 11111 22222 33333
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

MacOS

The easiest way is to put the port from homebrew:

brew install knock





and draw for yourself body shirts Commanders of the form:

 #!bin/sh knock -d <delay> <dst_ip> 11111 22222 33333
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

iOS

The working option is KnockOnD (free, from the store).

Android

"Knock on Ports". Not advertising, but just working. And the developers are quite responsive.

PS markdown on Habr, of course, God bless him someday ...

UPD1 : thanks to a good person, a working client for Windows was found.

UPD2 : another good person recalled that putting new rules at the end of iptables is not always useful. But - it depends.