knockd

Server side (the host being connected to)

Install:
sudo apt install knockd

Change the log location (write to a file instead of syslog):
sudo sed -i 's/UseSyslog/LogFile = \/var\/log\/knockd.log/g' /etc/knockd.conf

Change the port sequence and the iptables action. Switching -A to -I inserts the per-IP ACCEPT rule at the top of the INPUT chain, ahead of the port 22 REJECT rule added below; appended with -A it would sit after the REJECT and never match.

sudo sed -i 's/7000,8000,9000/63654,59472,31023/g' /etc/knockd.conf

sudo sed -i 's/-A/-I/g' /etc/knockd.conf
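The knockd.conf edits above, collected into one script that applies them in a single pass and checks the result before the daemon is started. This is added here as an example; it is not part of the original note or of the knockd project. It assumes /etc/knockd.conf still has the stock layout embedded in stock_knockd_conf (UseSyslog, sequences 7000,8000,9000 and 9000,8000,7000, "iptables -A INPUT" in the open command); the port numbers are the note's own. It also replaces the closeSSH sequence, which the note's single sed leaves at its default 9000,8000,7000:

```shell
#!/bin/sh
# Added example, not part of the original note: apply the knockd.conf edits in one
# idempotent pass and verify them before knockd is started.
# Assumptions (not stated on the page): /etc/knockd.conf has the stock layout shown in
# stock_knockd_conf below. Port numbers are the note's own.

OPEN_SEQ="63654,59472,31023"
CLOSE_SEQ="31023,59472,63654"   # reverse of OPEN_SEQ, as the stock file reverses 7000,8000,9000
LOG_FILE="/var/log/knockd.log"

# Constructed copy of the stock config, used as input for the dry run below.
stock_knockd_conf() {
	cat <<'EOF'
[options]
	UseSyslog

[openSSH]
	sequence    = 7000,8000,9000
	seq_timeout = 5
	command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn

[closeSSH]
	sequence    = 9000,8000,7000
	seq_timeout = 5
	command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn
EOF
}

# Rewrite the config in place. Unlike the single sed in the note, this also replaces the
# closeSSH sequence, so no default knock sequence stays active.
configure_knockd() {
	conf="$1"
	sed -i \
		-e "s|UseSyslog|LogFile = $LOG_FILE|" \
		-e "s/7000,8000,9000/$OPEN_SEQ/" \
		-e "s/9000,8000,7000/$CLOSE_SEQ/" \
		-e "s/iptables -A INPUT/iptables -I INPUT/" \
		"$conf"
}

# Returns 0 only if every edit took effect and nothing default is left behind.
verify_knockd_conf() {
	conf="$1"
	grep -q "LogFile = $LOG_FILE" "$conf" || return 1
	grep -Eq "sequence += +$OPEN_SEQ" "$conf" || return 1
	grep -Eq "sequence += +$CLOSE_SEQ" "$conf" || return 1
	grep -q "iptables -I INPUT -s %IP%" "$conf" || return 1
	! grep -Eq '7000,8000,9000|9000,8000,7000|iptables -A INPUT' "$conf"
}

case "${1:-}" in
	--apply)
		# Real run: needs root, edits /etc/knockd.conf.
		configure_knockd /etc/knockd.conf && verify_knockd_conf /etc/knockd.conf \
			&& echo "knockd.conf updated and verified" ;;
	--dry-run)
		# Safe preview on a temp copy of the stock file.
		tmp=$(mktemp)
		stock_knockd_conf > "$tmp"
		configure_knockd "$tmp"
		verify_knockd_conf "$tmp" && cat "$tmp"
		rm -f "$tmp" ;;
esac
```

Run it with --dry-run to preview the rendered file and with --apply as root to edit /etc/knockd.conf. If the verify step fails after a real run, the file was not in the expected layout; inspect it by hand before starting the daemon, since a half-applied config leaves the default 7000,8000,9000 knock active.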

Enable knockd at boot and set the interface it listens on:

sudo sed -i 's/START_KNOCKD *= *0/START_KNOCKD=1/g' /etc/default/knockd
sudo sed -i 's/eth0/<your interface name>/g' /etc/default/knockd

If /etc/default/knockd contains no eth0 entry, set the interface through KNOCKD_OPTS="-i <your interface name>" in that file instead.

Allow already-established connections (including your current session), then block new connections to port 22:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 22 -j REJECT

Start:
sudo service knockd start

Once confirmed working (keep the current session open and test the knock from a second one; the ESTABLISHED rule keeps you connected), save the rules:
sudo bash -c "iptables-save > /etc/iptables/rules.v4"
sudo iptables-save > iptables.conf
Apply the saved rules:
sudo iptables-restore < iptables.conf

Or use the following tool to persist the rules instead:
sudo apt install iptables-persistent
sudo dpkg-reconfigure iptables-persistent

Client side

knock -v <server ip> <port> <port> <port>   (the three ports in the order configured above, sent within the seq_timeout window)
ssh <user>@<server ip>

https://cloud.tencent.com/developer/article/1005328