
Allow SSH access after port knocking from any source IP

I have a working port knocking setup for SSH on Linux using only iptables rules and the "recent" module, following this tutorial: < . Now my problem is that several networks, like my work network, block traffic to non-standard ports like 22, 80, 443, so I can't send my knock packets. On the other hand, my mobile internet allows them. As a workaround I would like to open the SSH port whenever the correct knocking sequence is sent from _any_ host, not just the same host. Is there some way to achieve that with iptables? E.g. I could imagine a "state switch" or global variable that can be switched on by one rule and checked by another rule. It would fall back to "off" after a timeout.

I would suggest going the knockd route. It's simpler this way. Only instead of using this default config:

```ini
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 10
tcpflags = syn
command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 10
tcpflags = syn
command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

you would use this one (note: `-s %IP%` removed):

```ini
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 10
tcpflags = syn
command = /usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 10
tcpflags = syn
command = /usr/sbin/iptables -D INPUT -p tcp --dport 22 -j ACCEPT
```
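
The "global state switch" the question imagines, and the source-IP-agnostic behaviour the answer gets by dropping `-s %IP%`, can be modelled as one small state machine. The following is an added example, not knockd's code and not from the original post: it tracks progress through the open and close sequences without regard to the knocking host, enforces the same `seq_timeout` of 10 seconds, and adds an automatic close after an `open_ttl` window (a constructed parameter, not a knockd option, that mirrors the "fall back to off after a timeout" the question asks for). It only records the iptables commands from the answer instead of executing them, and it assumes the events fed to it are already filtered to TCP SYN packets (knockd's `tcpflags = syn`). The sample knocks and addresses are constructed.

```python
"""Source-IP-agnostic port-knock state machine (added example, not knockd)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Sequences and timeout taken from the knockd.conf in the answer.
OPEN_SEQ: Tuple[int, ...] = (7000, 8000, 9000)
CLOSE_SEQ: Tuple[int, ...] = (9000, 8000, 7000)
SEQ_TIMEOUT = 10.0
# Constructed auto-close window (seconds); knockd itself has no such knob in the
# config above, this is the "fall back to off after a timeout" from the question.
OPEN_TTL = 300.0

# Commands from the answer, with -s %IP% removed; recorded, not executed, here.
OPEN_CMD = "/usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT"
CLOSE_CMD = "/usr/sbin/iptables -D INPUT -p tcp --dport 22 -j ACCEPT"


@dataclass
class Knocker:
    run: Callable[[str], None]          # sink for the iptables command to run
    open_seq: Tuple[int, ...] = OPEN_SEQ
    close_seq: Tuple[int, ...] = CLOSE_SEQ
    seq_timeout: float = SEQ_TIMEOUT
    open_ttl: float = OPEN_TTL
    is_open: bool = field(default=False, init=False)
    # One shared cursor per sequence: any host may send any knock.
    _open_pos: int = field(default=0, init=False)
    _close_pos: int = field(default=0, init=False)
    _first_knock: Optional[float] = field(default=None, init=False)
    _opened_at: Optional[float] = field(default=None, init=False)

    @staticmethod
    def _advance(pos: int, seq: Tuple[int, ...], port: int) -> int:
        """Move the cursor on a correct knock; a wrong knock restarts the sequence."""
        if port == seq[pos]:
            return pos + 1
        return 1 if port == seq[0] else 0

    def _reset(self) -> None:
        self._open_pos = self._close_pos = 0
        self._first_knock = None

    def tick(self, now: float) -> None:
        """Expire the open window and any half-finished sequence."""
        if self.is_open and self._opened_at is not None and now - self._opened_at >= self.open_ttl:
            self.close(now)
        if self._first_knock is not None and now - self._first_knock > self.seq_timeout:
            self._reset()

    def open(self, now: float) -> None:
        if not self.is_open:
            self.run(OPEN_CMD)
            self.is_open, self._opened_at = True, now

    def close(self, now: float) -> None:
        if self.is_open:
            self.run(CLOSE_CMD)
            self.is_open, self._opened_at = False, None

    def knock(self, now: float, src: str, port: int) -> None:
        """Feed one SYN to destination port `port`; `src` is deliberately ignored."""
        self.tick(now)
        if self._first_knock is None:
            self._first_knock = now
        self._open_pos = self._advance(self._open_pos, self.open_seq, port)
        self._close_pos = self._advance(self._close_pos, self.close_seq, port)
        if self._open_pos == len(self.open_seq):
            self._reset()
            self.open(now)
        elif self._close_pos == len(self.close_seq):
            self._reset()
            self.close(now)


def demo_split_sources() -> Tuple[bool, bool, List[str]]:
    """Knocks from three different (constructed) hosts within 10 s open the port;
    the open window then expires on its own."""
    log: List[str] = []
    k = Knocker(run=log.append)
    events = [(0.0, "198.51.100.10", 7000), (2.0, "203.0.113.5", 8000), (4.0, "192.0.2.77", 9000)]
    for t, src, port in events:
        k.knock(t, src, port)
    opened = k.is_open
    k.tick(400.0)               # 396 s after opening, beyond OPEN_TTL
    return opened, k.is_open, log


def demo_too_slow() -> Tuple[bool, List[str]]:
    """The same knocks spread over 12 s exceed seq_timeout and do not open the port."""
    log: List[str] = []
    k = Knocker(run=log.append)
    for t, src, port in [(0.0, "198.51.100.10", 7000), (6.0, "198.51.100.10", 8000), (12.0, "198.51.100.10", 9000)]:
        k.knock(t, src, port)
    return k.is_open, log


if __name__ == "__main__":
    print(demo_split_sources())
    print(demo_too_slow())
```

Two points worth keeping in mind when the `-s %IP%` restriction is dropped: while the rule is present, port 22 accepts connections from every address, not only the one that knocked, so an automatic close window (as modelled by `open_ttl` above) limits how long that exposure lasts if the close sequence is never sent; and with `-A` the ACCEPT rule is appended to the end of `INPUT`, so on a chain that already ends in a DROP or REJECT rule it will never be reached and `-I` (insert at the top) or an explicit position is needed.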
