*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -j PERMIT-IN
-A FORWARD -j PERMIT-FWD
-A OUTPUT -j PERMIT-OUT
-A PERMIT-FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-FWD -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-FWD -j DROP
-A PERMIT-IN -i lo -j ACCEPT
-A PERMIT-IN -i br0 -j ACCEPT
-A PERMIT-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-IN -j DROP
-A PERMIT-OUT -o lo -j ACCEPT
-A PERMIT-OUT -o br0 -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-OUT -j DROP
Input (from WAN to LAN)
-A INPUT -j PERMIT-IN
-A PERMIT-IN -i lo -j ACCEPT
-A PERMIT-IN -i br0 -j ACCEPT
-A PERMIT-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-IN -j DROP
Forward (NAT)
-A FORWARD -j PERMIT-FWD
-A PERMIT-FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-FWD -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-FWD -j DROP
Output (LAN to WAN)
-A OUTPUT -j PERMIT-OUT
-A PERMIT-OUT -o lo -j ACCEPT
-A PERMIT-OUT -o br0 -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-OUT -j DROP
(NAT = Masquerade)
-A POSTROUTING -o bo0 -j MASQUERADE
With the AC86U, set the nvram variable sshd_enable to 1, commit the changes and reboot.
> For future reference, I found that issuing "nvram restart" to restart the WAN without rebooting the router worked.
That's not what that command is intended for. It's meant to reinitialise the wireless modules after they've been loaded/unloaded. On my router it does nothing so check that it's doing what you think it is.
> It did seem to work ...
Check what happened in the syslog.
> ...is there a documented way to apply nvram changes without doing a full reboot?
There's no documentation that I'm aware of. This seems to work for me:
service restart_sshd
service restart_firewall
Out of curiosity, why do you want to expose SSH to the WAN? If your WAN is a public facing IP, may I suggest you further secure it by moving the port to something other than 22, adding an RSA key and disallowing password login. None of my business, but hate to see you hacked.
How is knockd better than a VPN? I don't see that benefit. The exposed services are still running 24/7, after all.
This example uses two knocks. The first will allow the knocker to access port 22 (SSH), and the second will close the port when the knocker is complete. As you can see, this could be useful if you run a very restrictive (DENY policy) firewall and would like to access it discreetly.
[options]
logfile = /var/log/knockd.log
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 10
tcpflags = syn
command = /usr/sbin/iptables -A INPUT -s %IP% -j ACCEPT
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 10
tcpflags = syn
command = /usr/sbin/iptables -D INPUT -s %IP% -j ACCEPT
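To see how the openSSH/closeSSH sequences above behave against a stream of inbound SYNs, here is an added Python model of knockd's sequence matching; it is not knockd's own code, and the matcher is simplified (a wrong knock or a gap longer than seq_timeout resets the sequence). The packet log is constructed, and the iptables commands it emits are assumed hardened variants: they insert into PERMIT-IN instead of appending to INPUT (with the ruleset at the top of the thread, INPUT's first rule jumps into PERMIT-IN, which ends in DROP, so a rule appended to INPUT is never evaluated) and they open only TCP port 22 rather than every port.

```python
from dataclasses import dataclass, field

SEQ_TIMEOUT = 10  # seconds, the seq_timeout from the config above

@dataclass
class KnockSequence:
    ports: list
    command: str
    progress: dict = field(default_factory=dict)  # ip -> (next port index, first-knock time)

    def observe(self, ip, port, ts):
        # Feed one SYN; return the %IP%-substituted command once the sequence completes.
        idx, start = self.progress.get(ip, (0, ts))
        if ts - start > SEQ_TIMEOUT:        # too slow: forget the partial sequence
            idx, start = 0, ts
        if port == self.ports[idx]:
            idx += 1
            if idx == len(self.ports):
                self.progress.pop(ip, None)
                return self.command.replace("%IP%", ip)
            self.progress[ip] = (idx, start)
        elif port == self.ports[0]:         # wrong knock, but a valid fresh start
            self.progress[ip] = (1, ts)
        else:                               # wrong knock: sequence broken, start over
            self.progress.pop(ip, None)

def run(packets):
    # Assumed commands: -I PERMIT-IN 1 (reachable, before that chain's final DROP) and TCP/22 only.
    seqs = [KnockSequence([7000, 8000, 9000],
                          "iptables -I PERMIT-IN 1 -s %IP% -p tcp --dport 22 -j ACCEPT"),
            KnockSequence([9000, 8000, 7000],
                          "iptables -D PERMIT-IN -s %IP% -p tcp --dport 22 -j ACCEPT")]
    fired = []
    for ts, ip, port, flags in packets:
        if flags != "S":                    # tcpflags = syn: only bare SYNs count as knocks
            continue
        for seq in seqs:
            cmd = seq.observe(ip, port, ts)
            if cmd:
                fired.append(cmd)
    return fired

PACKETS = [  # constructed packet log: (timestamp, source IP, destination port, TCP flags)
    (0.0, "198.51.100.7", 7000, "S"), (1.0, "198.51.100.7", 8000, "S"),
    (2.0, "198.51.100.7", 9000, "S"),                                      # open completes
    (3.0, "203.0.113.9", 7000, "S"), (20.0, "203.0.113.9", 8000, "S"),     # 17 s gap > seq_timeout
    (21.0, "203.0.113.9", 9000, "S"),                                      # so this never completes
    (30.0, "198.51.100.7", 9000, "S"), (31.0, "198.51.100.7", 8000, "A"),  # ACK, not SYN: ignored
    (32.0, "198.51.100.7", 8000, "S"), (33.0, "198.51.100.7", 7000, "S"),  # close completes
]
```

Running run(PACKETS) yields exactly one open and one close command, both for 198.51.100.7; the slow knocker at 203.0.113.9 opens nothing.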
> How is knockd better than a VPN? I don't see that benefit.
It's not better than a VPN, it's worse. But I can't use a VPN client on my iPhone for unrelated reasons, so it's more convenient for me.
> I still don't see that as secure as I would like it to be. WAN access will be available as long as the port is open (and/or hacked).
It's restricted to a specific IP address by iptables (the address of the requesting client). It's not open to the WAN in any real sense.
> Also, in my "FW" I drop packets instead of giving a response / error to reduce exposure
Packets are still dropped by the incoming firewall. There's no way for an attacker to tell their packets are being scanned by knockd.