Posts under "Security":


July 6th, 2010 in Administration,Linux,Security

Port knocking


Lately, I have been doing some research on how to best implement port knocking using iptables. During my research, I came across a pretty interesting critique of the effectiveness of port knocking. It is certainly not stealthy but, in my opinion, it is a nice tool to have in your firewall arsenal.

All of the port knocking iptables recipes I came across used different chains for each knocking phase. As far as I could tell, this is the only way to accomplish port knocking if you want to use more than one knock before opening up the destination port. However, if you find one knock sufficient, I wrote up an alternative recipe that does not create new chains and just relies on the ipt_recent module. It is certainly a trade-off between security and simplicity but still effective.


May 18th, 2010 in Administration,Linux,Security

Port-scanning honey"port" with iptables


I got to thinking that port-scanning detection, with subsequent blocking of the scanner, would be a nice firewall feature to implement.

I decided to use some of the low common service ports that go unused on my server as honeypots. Connections to these ports would trigger a temporary block of incoming traffic from the remote IP address.

I documented the iptables recipe in my wiki.

In my opinion this is a very effective solution to blocking port scanning. I am surprised I have not seen it recommended by anyone else.
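The two ideas on this page, a single-knock port knock and a honeyport trap, can both be built on the recent match alone, with no extra chains. The script below is an added example and is not the recipe from the author's wiki; the port numbers (SSH on 22, knock port 1234, honeyports 23 and 110) and the timeouts are assumed values, and `IPT=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: single-knock port knocking plus honeyports, using only the
# xt_recent ("ipt_recent") match. Port numbers and timeouts are assumptions.
IPT="${IPT:-iptables}"             # set IPT=echo to preview the rules
SSH_PORT="${SSH_PORT:-22}"
KNOCK_PORT="${KNOCK_PORT:-1234}"   # the single knock port
KNOCK_TTL="${KNOCK_TTL:-30}"       # seconds a knock stays valid
HONEYPORTS="${HONEYPORTS:-23 110}" # unused low ports used as a trap
BLOCK_TTL="${BLOCK_TTL:-600}"      # seconds a scanner stays blocked

base_rules() {
  "$IPT" -A INPUT -i lo -j ACCEPT
  # Any source that touched a honeyport within BLOCK_TTL seconds is dropped
  # outright; --update refreshes the timer, so a scanner that keeps probing
  # stays blocked. Placed before ESTABLISHED so existing sessions drop too.
  "$IPT" -A INPUT -m recent --name scanner --update --seconds "$BLOCK_TTL" -j DROP
  "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

honeyport_rules() {
  # A SYN to a honeyport records the source in the "scanner" list and is dropped.
  for p in $HONEYPORTS; do
    "$IPT" -A INPUT -p tcp --syn --dport "$p" -m recent --name scanner --set -j DROP
  done
}

knock_rules() {
  # The knock itself is recorded and dropped, so it looks like any closed port.
  "$IPT" -A INPUT -p tcp --syn --dport "$KNOCK_PORT" -m recent --name knock --set -j DROP
  # A new SSH connection is accepted only if the source knocked within KNOCK_TTL
  # seconds. --rcheck (not --update) keeps SSH attempts from refreshing the knock.
  "$IPT" -A INPUT -p tcp --syn --dport "$SSH_PORT" \
      -m recent --name knock --rcheck --seconds "$KNOCK_TTL" -j ACCEPT
  "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -j DROP
}

apply_rules() {
  base_rules
  honeyport_rules
  knock_rules
}

case "${1:-}" in
  apply)   apply_rules ;;
  dry-run) IPT=echo; apply_rules ;;
esac
```

Run it as `sh knock.sh dry-run` to review the rules, or as root with `apply` to load them; a scanner that hits port 23 or 110 is dropped for ten minutes, while a client that sends one SYN to 1234 and then connects to 22 within thirty seconds gets through.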
