ipt_portkng is an iptables (firewall) module developed in 2008 for a class in my Computer Science and Engineering bachelor's degree. It is a C-language iptables module that implements port knocking, that is, it extends the iptables firewall so that rules can require a port-knocking sequence before a port is opened.
Port knocking works by keeping certain ports closed until they are needed, which minimizes the exposure of the service behind them. When a user on a remote computer needs a service behind such a port, they send a sequence of TCP SYN packets to several ports of the computer behind the firewall. If the port sequence matches the previously established one, the previously defined port is opened for that user's IP address, allowing them to communicate with the service. Note that a plain SYN sequence is visible to anyone who can sniff the path and can simply be replayed, so port knocking hides a service rather than authenticating access to it; it belongs in front of, not in place of, the service's own authentication.


The development of this software was discontinued since I didn't have the time to maintain it. However, you are free to continue development of this iptables module. If you decide to do so, please drop me an email; maybe I will find the time and interest to help you with it.

Source code

Download source-code: ipt_portkng-svn-r37-20080113.tar.bz2


iptables -A INPUT -p tcp -m portkng --knock 45,67,21 --dport 22 -j ACCEPT

will open port 22 only for a source IP that has first sent TCP SYN packets to ports 45, 67 and 21, in that order. Only IPs that have completed the correct port sequence are allowed to connect.
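The matching logic that the rule above and the description of port knocking express, written here as an added user-space example in C. This is not ipt_portkng's own code and the netfilter plumbing is left out; the struct and function names, the fixed-size state table and the packet trace in run_demo() are assumptions made for this example. It keeps per-source progress through the knock sequence, resets that progress on a wrong port, and only lets a SYN to the protected port through once that source has completed the full sequence.

```c
/*
 * Added example (not ipt_portkng's code): user-space model of the
 * per-source state a port-knocking match keeps. It answers "should this
 * SYN to the protected port be ACCEPTed?" for a stream of packets, as
 * for the rule:  -m portkng --knock 45,67,21 --dport 22 -j ACCEPT
 * Names, the fixed table and the trace in run_demo() are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KNOCK_MAX   8   /* longest knock sequence this model accepts */
#define MAX_SOURCES 16  /* per-source slots; a real module needs eviction/expiry */

struct knock_rule {
    uint16_t knock[KNOCK_MAX]; /* ports that must be hit in order (assumed distinct) */
    int      knock_len;
    uint16_t dport;            /* port opened once the sequence is complete */
};

struct knock_state {
    uint32_t src;  /* source IPv4, host byte order; 0 marks a free slot (assumption) */
    int      next; /* index of the next knock port expected from this source */
    bool     open; /* full sequence seen: dport is allowed for this source */
};

struct knock_table {
    struct knock_state slots[MAX_SOURCES];
};

void knock_table_init(struct knock_table *t) {
    memset(t, 0, sizeof *t);
}

/* Find the state for src, allocating a free slot on first sight; NULL if full. */
static struct knock_state *knock_lookup(struct knock_table *t, uint32_t src) {
    struct knock_state *free_slot = NULL;
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (t->slots[i].src == src)
            return &t->slots[i];
        if (t->slots[i].src == 0 && !free_slot)
            free_slot = &t->slots[i];
    }
    if (free_slot)
        free_slot->src = src;
    return free_slot;
}

/*
 * Verdict for one incoming TCP packet: true only for a SYN to r->dport
 * from a source that has completed the sequence. Knock packets are never
 * accepted themselves; they only advance or reset the source's progress.
 */
bool knock_match(struct knock_table *t, const struct knock_rule *r,
                 uint32_t src, uint16_t dport, bool syn) {
    if (!syn)
        return false; /* only SYNs drive the state machine */

    struct knock_state *s = knock_lookup(t, src);
    if (!s)
        return false; /* no room to track this source: fail closed */

    if (dport == r->dport)
        return s->open; /* protected port: allowed only after a full knock */

    if (dport == r->knock[s->next]) {
        if (++s->next == r->knock_len) { /* sequence complete: open for src */
            s->open = true;
            s->next = 0;
        }
    } else {
        /* wrong port restarts the sequence, so it cannot be guessed one
         * port at a time; a repeated first knock keeps position 1 */
        s->next = (dport == r->knock[0]) ? 1 : 0;
    }
    return false;
}

/* Constructed packet trace; returns how many packets were ACCEPTed (1). */
int run_demo(void) {
    struct knock_table t;
    struct knock_rule r = { {45, 67, 21}, 3, 22 };
    const uint32_t good = 0x0A000001; /* 10.0.0.1 knocks correctly */
    const uint32_t bad  = 0x0A000002; /* 10.0.0.2 knocks in the wrong order */
    struct { uint32_t src; uint16_t dport; bool syn; } trace[] = {
        { good, 22, true },                                  /* before knocking */
        { good, 45, true }, { good, 67, true }, { good, 21, true },
        { good, 22, true },                                  /* after the sequence */
        { bad,  67, true }, { bad,  45, true }, { bad,  21, true },
        { bad,  22, true },                                  /* wrong order */
    };
    int accepted = 0;
    knock_table_init(&t);
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        bool ok = knock_match(&t, &r, trace[i].src, trace[i].dport, trace[i].syn);
        printf("%s -> port %u: %s\n", trace[i].src == good ? "10.0.0.1" : "10.0.0.2",
               (unsigned)trace[i].dport, ok ? "ACCEPT" : "no match");
        accepted += ok;
    }
    return accepted;
}

int main(void) {
    return run_demo() == 1 ? 0 : 1;
}
```

Two things this model leaves out that a real module has to handle: the page says nothing about timeouts, but both knock progress and the open flag should expire, otherwise a source that knocked once stays whitelisted forever and the state table fills up; and only the SYN is matched here, so in a real ruleset the rest of the connection would be admitted by a separate conntrack ESTABLISHED rule rather than by this match.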