I compiled the truecrypt src rpm and the knockd src rpm.
I created a new user account named rpmbuilder and followed the instructions available here.
After installing the built knockd rpm I opened /etc/knockd.conf, which contains:
[options]
UseSyslog
[opencloseSSH]
sequence = 2222:udp,3333:tcp,4444:udp
seq_timeout = 15
tcpflags = syn,ack
start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
cmd_timeout = 10
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
The above configuration will not work with the default Fedora firewall enabled: -A appends the ACCEPT rule to the end of the INPUT chain, after Fedora's catch-all rule that rejects everything not explicitly allowed, so the knock rule is never reached. If -I is passed instead of -A the rule is inserted at position 1, the top of the chain, which is just where we want our ssh rule. The Interface option needs to be set as well unless you're using eth0, which is knockd's default. Try
/sbin/ifconfig to see which interfaces are configured. So my modified /etc/knockd.conf looks like:
[options]
UseSyslog
Interface = eth1
[openSSH]
sequence = 12345,54321,31337
seq_timeout = 10
tcpflags = syn
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
[closeSSH]
sequence = 31337,54321,12345
seq_timeout = 10
tcpflags = syn
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
Save the /etc/knockd.conf file and restart knockd with:
/etc/init.d/knockd restart
Finally you want to remove ssh from the standard Fedora firewall using:
sudo system-config-firewall
You can confirm that a knock worked with /sbin/iptables -L INPUT -n --line-numbers; the ACCEPT for the knocking address should show up as rule 1. Note that -D removes only one matching rule, so an open knock that is never followed by a close knock leaves that ACCEPT in place. Now you just need an appropriate client to test it out with. You can get clients for many different platforms here.
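If you would rather not install a separate client, the following is an added example (not part of the original post and not knockd's own client) of a minimal knocker in plain shell for the modified /etc/knockd.conf above. It reads sequences in knockd's own syntax (port or port:proto, comma separated, tcp by default), sends one TCP SYN or one UDP datagram per entry in order, and includes a check you can run on the server to see whether the ACCEPT rule appeared. It assumes bash is installed (its /dev/tcp and /dev/udp redirections do the sending), that the target runs the [openSSH] and [closeSSH] sections above, and that the check function is run as root; the host name knockserver.example.com in the usage comment is hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post: a shell port-knocking client
# for the [openSSH]/[closeSSH] config above, plus a server-side check.
# Assumes bash is installed (used for /dev/tcp and /dev/udp) and that the
# check function runs as root on the knockd host.

# Delay between knocks, in seconds. Keep it well under seq_timeout.
KNOCK_DELAY="${KNOCK_DELAY:-1}"

# parse_sequence "12345,54321:udp,31337" -> "12345/tcp 54321/udp 31337/tcp"
# Entries without an explicit protocol default to tcp, as knockd does.
parse_sequence() {
    out=""
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        port="${entry%%:*}"
        case "$entry" in
            *:*) proto="${entry#*:}" ;;
            *)   proto="tcp" ;;
        esac
        out="$out${out:+ }$port/$proto"
    done
    printf '%s' "$out"
}

# send_knock HOST PORT PROTO: one TCP SYN (via connect) or one UDP datagram.
# A refused or dropped connection is the normal case: knockd only has to
# see the packet, so the exit status is deliberately ignored.
send_knock() {
    host="$1"; port="$2"; proto="$3"
    if [ "$proto" = "udp" ]; then
        script="exec 3<>/dev/udp/$host/$port; printf 'x' >&3; exec 3>&-"
    else
        script="exec 3<>/dev/tcp/$host/$port; exec 3>&-"
    fi
    # A filtered port would otherwise retry SYNs for a long time.
    if command -v timeout >/dev/null 2>&1; then
        timeout 2 bash -c "$script" >/dev/null 2>&1 || true
    else
        bash -c "$script" >/dev/null 2>&1 || true
    fi
}

# knock HOST SEQUENCE: send the whole sequence in order.
knock() {
    for spec in $(parse_sequence "$2"); do
        send_knock "$1" "${spec%/*}" "${spec#*/}"
        sleep "$KNOCK_DELAY"
    done
    return 0
}

# The two sequences from the modified /etc/knockd.conf above.
open_ssh()  { knock "$1" "12345,54321,31337"; }
close_ssh() { knock "$1" "31337,54321,12345"; }

# ssh_rule_present IP: run on the server as root; succeeds if an ACCEPT
# for that source address and tcp/22 is in the INPUT chain. iptables -S
# prints the rule with a /32 mask and an extra "-m tcp", so match loosely.
ssh_rule_present() {
    /sbin/iptables -S INPUT 2>/dev/null | grep -q -- "-s $1/32 .*--dport 22 -j ACCEPT"
}

# Usage (knockserver.example.com is a hypothetical host name):
#   open_ssh knockserver.example.com
#   ssh user@knockserver.example.com
#   close_ssh knockserver.example.com
```

The client uses connect() rather than raw packets, so it needs no root on the client side; with tcpflags = syn, knockd only looks at the SYN that connect() sends, and the RST or silent drop that comes back does not matter. Keep in mind that the sequence travels in the clear, so anyone who can sniff it can replay it: the knock only hides sshd, and key-based authentication still does the real work.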
