我们已经向您展示了如何通过路由器上的“端口敲门”远程触发WOL。在本文中，我们将展示如何使用它来保护VPN服务。

Aviad Raviv&amp；bfick提供的图片。

前言

如果您使用过DD-WRT的VPN内置功能，或者在您的网络中有另一个VPN服务器，那么您可能会欣赏通过将其隐藏在敲打序列后面来保护其免受暴力攻击的能力。通过这样做，您将过滤掉试图访问您的网络的脚本小子。如上所述，正如前一篇文章中所述，端口敲门并不能取代良好的密码和/或安全策略。请记住，只要有足够的耐心，攻击者就可以发现序列并执行重播攻击。还有请记住，实现这一点的缺点是，当任何VPN客户端想要连接时，它们必须事先触发敲打序列，如果它们由于任何原因无法完成该序列，他们根本无法使用VPN。

概述

为了保护VPN服务，我们将首先通过阻塞1723的实例化端口来禁用所有可能的通信。为了实现这个目标，我们将使用iptables。这是因为，在大多数现代Linux/GNU发行版上，尤其是在DD-WRT上，通信就是这样被过滤的。如果您想了解iptables的更多信息，请查看它的wiki条目，并查看我们之前关于这个主题的文章。一旦服务受到保护，我们将创建一个敲打序列，该序列将临时打开VPN实例化端口，并在配置的时间后自动关闭它，同时保持已建立的VPN会话连接。

注意：在本指南中，我们以pptpvpn服务为例。也就是说，同样的方法也可以用于其他VPN类型，您只需更改被阻止的端口和/或通信类型。

前提条件、假设和建议

• 假设/要求您有一个支持Opkg的DD-WRT路由器。
• 假设/要求您已经执行了“如何进入您的网络（DD-WRT）”指南中的步骤。
• 假设有一些网络知识。

我们开始吧。

DD-WRT上的默认“阻止新VPN”规则

虽然下面的“代码”片段可能适用于每一个使用Linux/GNU发行版的、自尊的iptables，但因为有太多的变体，我们将只展示如何在DD-WRT上使用它。如果您愿意，没有什么可以阻止您直接在VPN盒上实现它。然而，如何做到这一点，超出了本指南的范围。

因为我们想增强路由器的防火墙，所以添加到“防火墙”脚本是合乎逻辑的。这样做，将导致每次刷新防火墙时都执行iptables命令，从而使我们的增强功能保持不变。

从DD-WRT的Web GUI：

• 转到“管理”->“命令”。
• Enter the below “code” into the text-box:

  inline="$( iptables -L INPUT -n | grep -n "state RELATED,ESTABLISHED"  | awk -F : {'print $1'} )"; inline=$(($inline-2+1)); iptables -I INPUT "$inline" -p tcp --dport 1723 -j DROP

• 单击“保存防火墙”。
• 完成。

What is this “Voodoo” command?

The above “voodoo magic” command does the following:

• Finds where is the iptable line that enables already established communication to pass through. We do this, because A. On DD-WRT routers, if the VPN service is enabled, it will be located just below this line and B. It is essential to our goal of continuing to allow already established VPN sessi*** to live on after the knocking event.
• Deducts two (2) from the output of the listing command to account for the offset caused by the informational column headers. Once that’s done, adds one (1) to the above number, so that the rule that we are inserting will come just after the rule that allows already established communication. I’ve left this very simple “math problem” in here, just to make the logic of “why one needs to reduce one from the rule’s place instead of adding one to it” clear.

KnockD configuration

We need to create a new triggering sequence that will enable new VPN connecti*** to be created. To do this, edit the knockd.conf file by issuing in a terminal:

vi /opt/etc/knockd.conf

Append to the existing configuration:

[enable-VPN] sequence = 02,02,02,01,01,01,2010,2010,2010 seq_timeout = 60 start_command = iptables -I INPUT 1 -s %IP% -p tcp --dport 1723 -j ACCEPT cmd_timeout = 20 stop_command = iptables -D INPUT -s %IP% -p tcp --dport 1723 -j ACCEPT

This configuration will:

• Set the window of opportunity to complete the sequence, to 60 seconds. (It’s recommended to keep this as short as possible)
• Listen to a sequence of three knocks on ports 2, 1 and 2010 (this order is deliberate to throw ports scanners off track).
• Once the sequence has been detected, execute the “start_command”. This “iptables” command will place an “accept traffic destined to port 1723 from where the knocks came from” on the top of the firewall rules. (The %IP% directive is treated specially by KnockD and is replaced with the IP of the knocks origin).
• Wait for 20 seconds before issuing the “stop_command”.
• Execute the “stop_command”. Where this “iptables” command does the reverse of the above and deletes the rule that allows communication.

That’s it, your VPN service should now be connectable only after a successful “knock”.

Author‘s tips

While you should be all set, there are a couple of points that i feel need mentioning.

• Troubleshooting. Remember that if you’re having problems, the “troubleshooting” segment at the end of the first article should be your first stop.
• If you want, you can have the “start/stop” directives execute multiple commands by seperating them with a semi-colen (;) or even a script. Doing so will enable you to do some nifty stuff. For example, I have knockd send me an *Email telling me that a sequence has been triggered and from where.
• Don’t forget that “There’s an app for that” and  even though its not mentioned in this article, you are encouraged to grab StavFX‘s Android knocker program.
• While on the subject of Android, don’t forget that there is a PPTP VPN client usually built into the OS from the manufacturer.
• The method of, blocking something initially and then continuing to allow already established communication, can be used on practically any TCP based communication. In fact in the Knockd on DD-WRT 1 ~ 6 movies, I’ve done way back when, I’ve used the remote desktop protocol (RDP) which uses port 3389 as an example.

Note: In order to do this, you will need to get Email functionality on your router, which currently there really isn’t one that works because the SVN snapshot of OpenWRT’s opkg packages is in disarray. That is why I suggest using knockd directly on the VPN box which enables you to use all the opti*** of sending email that are available in Linux/GNU, like SSMTP and sendEmail to mention a few.

谁扰乱了我的睡眠？