MikroTik RouterOS Port Knocking
Written by vaheeD on January 19, 2013
Port knocking is a method of establishing a connection to a networked device that has no open ports.
Before a connection is established, ports are opened using a port knock sequence, which is a series of connection attempts to closed ports.
A remote host generates and sends an authentic knock sequence in order to manipulate device firewall rules to open one or more specific ports.
Once the desired ports are opened, the remote host can establish a connection and begin a session (in this example, SSH becomes reachable after issuing the correct knock sequence to a RouterOS-based router).
Optionally, another knock sequence may be used to trigger the closing of the previously enabled port.
/ip firewall filter
# Stage 1: any host hitting 1010/tcp is logged and added to "KNOCK STAGE 01" for 15s
add action=log chain=input log-prefix="KNOCK STAGE 01" disabled=no \
    protocol=tcp dst-port=1010
add action=add-src-to-address-list address-list="KNOCK STAGE 01" \
    address-list-timeout=15s chain=input disabled=no \
    dst-port=1010 protocol=tcp
# Stage 2: only hosts already in "KNOCK STAGE 01" advance. The src-address-list
# matcher is needed on the add rule as well as the log rule; without it any host
# hitting 2020/tcp would enter stage 2 without having completed stage 1
add action=log chain=input log-prefix="KNOCK STAGE 02" disabled=no \
    protocol=tcp dst-port=2020 src-address-list="KNOCK STAGE 01"
add action=add-src-to-address-list address-list="KNOCK STAGE 02" \
    address-list-timeout=15s chain=input disabled=no \
    dst-port=2020 protocol=tcp src-address-list="KNOCK STAGE 01"
# Stage 3: same pattern, gated on "KNOCK STAGE 02"
add action=log chain=input log-prefix="KNOCK STAGE 03" disabled=no \
    protocol=tcp dst-port=3030 src-address-list="KNOCK STAGE 02"
add action=add-src-to-address-list address-list="KNOCK STAGE 03" \
    address-list-timeout=15s chain=input disabled=no \
    dst-port=3030 protocol=tcp src-address-list="KNOCK STAGE 02"
# Final: accept SSH only from hosts that completed all three stages. This rule
# must be placed above any general drop rule in the input chain
add action=accept chain=input disabled=no \
    dst-port=22 protocol=tcp src-address-list="KNOCK STAGE 03"
In this example the address lists are created with a validity of 15s, so the knock sequence needs to be issued quite fast: each stage's entry expires 15s after it was added, and a knock that arrives later simply does not match the next rule.
Better security is obtained with a sequence of decreasing port numbers and mixed protocols: a basic port scan walks ports in ascending order over a single protocol, so an ascending all-TCP sequence like the one above could be completed by accident, while a descending sequence that mixes TCP and UDP will not be.
Example: 30001/TCP -> 2001/UDP -> 101/TCP => Open 22/TCP.
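As an added illustration, not taken from the original post or from RouterOS itself, here is a Python model of the address-list state machine the rules above implement. It replays constructed connection attempts against the page's 1010/2020/3030 sequence and its mixed-protocol variant, showing the 15s expiry and why every stage after the first must check the previous list; the class, function and sample addresses are my own.

```python
from dataclasses import dataclass, field
# Constructed model of the article's input chain: three knock stages, each
# adding the source to an address list that expires after 15 s, then an
# accept rule for 22/tcp restricted to the last list. No real router involved.
TIMEOUT = 15.0
STAGES = [("tcp", 1010), ("tcp", 2020), ("tcp", 3030)]   # sequence from the page
MIXED = [("tcp", 30001), ("udp", 2001), ("tcp", 101)]    # the page's hardened variant
SERVICE = ("tcp", 22)

@dataclass
class KnockFirewall:
    stages: list
    service: tuple = SERVICE
    timeout: float = TIMEOUT
    # address-list name -> {source address: expiry time}; this is what
    # address-list-timeout=15s on the add-src-to-address-list rules does
    lists: dict = field(default_factory=dict)

    def _listed(self, name, src, now):
        return self.lists.get(name, {}).get(src, float("-inf")) > now

    def packet(self, src, proto, port, now):
        """Evaluate one inbound packet at time `now` (seconds): returns
        'stage N' when it advanced the knocker, 'accept' when the service
        rule matched, else 'drop'. Knock packets themselves are never accepted."""
        for i, (sproto, sport) in enumerate(self.stages):
            if (proto, port) != (sproto, sport):
                continue
            # every stage after the first requires membership in the previous
            # list; without that matcher a host could skip straight to stage 3
            if i == 0 or self._listed(f"stage {i}", src, now):
                self.lists.setdefault(f"stage {i + 1}", {})[src] = now + self.timeout
                return f"stage {i + 1}"
            return "drop"
        last = f"stage {len(self.stages)}"
        if (proto, port) == self.service and self._listed(last, src, now):
            return "accept"
        return "drop"

def replay(fw, events):
    """Feed (src, proto, port, time) tuples in order and collect the verdicts."""
    return [fw.packet(*e) for e in events]

if __name__ == "__main__":
    fw = KnockFirewall(STAGES)
    admin = "203.0.113.5"   # constructed sample address
    print(replay(fw, [(admin, "tcp", 1010, 0.0), (admin, "tcp", 2020, 4.0),
                      (admin, "tcp", 3030, 8.0), (admin, "tcp", 22, 10.0),
                      (admin, "tcp", 22, 40.0)]))
```

The last attempt on 22/tcp is dropped because the stage 3 entry added at t=8 expired at t=23, which is exactly the behaviour address-list-timeout=15s gives on the router.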