Port Knocking with MikroTik

December 14, 2017
mikrotik networking firewall routeros


Ever want to have a port forwarded but don’t like the idea of someone who shouldn’t be allowed to connect to it messing with your service?

Ideally, you’d have a trusted address list to fall back on making it so only people on the list are able to access. If that isn’t possible, for example in my case if I pretty well never have the same IP, then I can use port knocking.

The concept is simple: if someone tries to connect to one port and then another port within a certain period of time, make it so that person can access your service.

Please note: Port knocking is not a replacement for encryption and does not at all guarantee that your service will be secure against attackers! In particular, you should assure that whatever service you’re setting up to be accessed via the internet is secured with encryption and you’re using strong passwords. Always assume that you’re under attack.

Start by adding the following to your filter rules:

/ip firewall filter	
add chain=input action=add-src-to-address-list protocol=tcp address-list=pre-knock address-list-timeout=5s dst-port=43412 comment="port knock (pre-knock)"

add chain=input action=add-src-to-address-list protocol=tcp src-address-list=pre-knock address-list=knocked address-list-timeout=1h dst-port=200 comment="port knock (knocked)"

First, I connect to port A which is 43412. My IP address is added to the pre-knock address list with a 5 second timeout. Next, if I connect to port B which is 200 and my IP is in the pre-knock list I’m added to another list called knocked. This will be the privileged list that we’ll target our dst-nat rule against. Notice the timeouts here because they’re important. We want our privileged rule to have a longish timeout and the pre-knock rule to have a short 3-5 second timeout.

It’s important here to use ports that are non-sequential and far apart. There’s a very good chance that Johnny Portscanner could stumble on these by accident, but as long as your ports are non-sequential there’s little chance of him triggering the sequence.

Now we’ll add a dst-nat rule like usual but with the proviso that incoming connections must have their IP in the knocked list.

/ip firewall nat 
add chain=dstnat protocol=tcp dst-port=8080 src-address-list=knocked action=dst-nat to-address=

Now where the magic happens is the actual port knocking. You can use the popular NMAP tool to do this for you or you can go out and find a client with a GUI (you can guess which I prefer).

nmap -Pn --host_timeout 100 --max-retries 0 -p 43412,200 <your_ip>

Once you execute the command above you’ll have access to port 8080 per the dst-nat rule.

After you’ve tested that it works, you can make a bash alias for ease of use:

alias knock-knock="nmap -Pn --host_timeout 100 --max-retries 0 -p 43412,200 <your_ip>"

This technique can be scaled to any number of ports to be knocked by adding a new filter rule which adds you to another intermediary list before adding you to the final privileged list. The technique can be used to give yourself secure backdoor access to WinBox, remote desktop or any arbitrary service you might want to use.

VLANs on MikroTik: The good, the bad and the ugly

July 1, 2018
mikrotik networking routeros vlans