Debian / Ubuntu: Set Port Knocking With Knockd and Iptables

My iptables based firewall allows only TCP ports 80 and 443. I also need TCP port #22, but I do not have a static IP at my home. How do I open and close TCP port #22 on demand on Debian or Ubuntu Linux based server systems? How do I install the port-knock server knockd and configure it with iptables to open TCP port #22 or any other port?

Debian or Ubuntu Linux comes with knockd. It is a port-knock server. It listens to all traffic on an ethernet and/or PPP interface created by VPN/dial-up pppd, looking for special “knock” sequences of port-hits. A knock client makes these port-hits by sending a TCP or UDP packet to a port on the server. This port need not be open — since knockd listens at the link-layer level, it sees all traffic even if it’s destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.

Knockd installation

Open a terminal or log in to the remote server using the ssh client. Type the following apt-get command as the root user to install the knockd server:
$ sudo apt-get install knockd
Sample outputs:

[sudo] password for vivek: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 27.6 kB of archives.
After this operation, 168 kB of additional disk space will be used.
Get:1 stable/main knockd amd64 0.5-3 [27.6 kB]
Fetched 27.6 kB in 1s (19.5 kB/s)
Selecting previously deselected package knockd.
(Reading database ... 352407 files and directories currently installed.)
Unpacking knockd (from .../knockd_0.5-3_amd64.deb) ...
Processing triggers for man-db ...
Setting up knockd (0.5-3) ...
knockd disabled: not starting. To enable it edit /etc/default/knockd ... (warning).


Edit the file /etc/knockd.conf, enter:
$ sudo vi /etc/knockd.conf
Update the config file as follows. Feel free to change the sequence port numbers (2022, 3022, 4022) to suit your setup:

# log detected knocks and executed commands to syslog
[options]
        UseSyslog

# each bracketed section is a label you choose; it holds one knock sequence
[openSSH]
        sequence    = 2022,3022,4022
        seq_timeout = 5
        command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[closeSSH]
        sequence    = 4022,3022,2022
        seq_timeout = 5
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

Save and close the file. Edit the file /etc/default/knockd, enter:
$ sudo vi /etc/default/knockd
Find the line that keeps knockd disabled at boot:

START_KNOCKD=0

Replace with:

START_KNOCKD=1

Optional: set an interface name such as eth0 or ppp0 as per your setup:

KNOCKD_OPTS="-i eth0"

Save and close the file.

How do I start / stop / restart knockd?

Type the following commands:

sudo service knockd start #<-- start server
sudo service knockd stop #<-- stop server
sudo service knockd restart #<-- restart server
sudo service knockd status #<-- see status server

Or call the init script directly:

sudo /etc/init.d/knockd start #<-- start server
sudo /etc/init.d/knockd stop #<-- stop server
sudo /etc/init.d/knockd restart #<-- restart server
sudo /etc/init.d/knockd status #<-- see status server

How do I knock ports?

You need to use the knock command. It is the port-knock client. To open TCP port #22 for sshd on the server, enter (replace <server-ip> with the server's IP address):
$ knock -v <server-ip> 2022 3022 4022
Sample outputs:

hitting tcp
hitting tcp
hitting tcp

How do I close down the port?

The syntax is (the reverse sequence from the [closeSSH] section):
$ knock -v <server-ip> 4022 3022 2022

How do I knock on a UDP port?

The syntax is:
$ knock -v -u <server-ip> 9090
You can also combine TCP and UDP ports in one sequence as follows:
$ knock <server-ip> 2022:tcp 9090:udp 4022:tcp

How do I verify that port was opened or closed on the server?

Log in with the ssh client and list the INPUT chain; after a successful knock you should see an ACCEPT rule for your source IP and dpt:22:
$ ssh user@
# iptables -L INPUT -v -n
# iptables -L INPUT -v -n | grep :22
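The knock and verify steps above, as an added example that is not part of the original article: it sends the sequence with bash's /dev/tcp instead of the knock client, waits for sshd to answer, and checks the server's INPUT chain listing for the per-IP ACCEPT rule. SERVER, the 2022/3022/4022 sequence and the iptables sample are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: knock with bash's /dev/tcp (no
# knock binary needed), then confirm the hole really opened, client and server
# side. SERVER and the 2022/3022/4022 sequence are placeholders/assumptions.

# Send the knock as ordered SYNs. /dev/tcp does a full connect(); a closed or
# filtered port simply fails, which is fine: knockd (tcpflags = syn) only needs
# to see the SYN. timeout keeps a DROPped port from stalling the sequence.
knock_sequence() {
  local host=$1; shift
  for port in "$@"; do
    timeout 1 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || true
    sleep 0.2   # keep the hits ordered; the whole run must fit in seq_timeout
  done
}

# Client side check: poll until tcp/$port accepts a connect() or $deadline
# seconds pass. Returns 0 when the port answers, 1 on timeout.
wait_for_port() {
  local host=$1 port=$2 deadline=${3:-5}
  local tries=$((deadline * 2))
  while [ "$tries" -gt 0 ]; do
    timeout 1 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null && return 0
    sleep 0.5
    tries=$((tries - 1))
  done
  return 1
}

# Server side check: read `iptables -L INPUT -v -n` output on stdin and exit 0
# only if an ACCEPT for tcp dpt:22 from exactly $ip is present. Matching the
# source column avoids false hits from a 0.0.0.0/0 rule; some iptables versions
# print the protocol number (6) instead of "tcp" under -n, so accept both.
ssh_rule_for_ip() {
  local ip=$1
  awk -v ip="$ip" \
    '$3 == "ACCEPT" && ($4 == "tcp" || $4 == "6") && $8 == ip && / dpt:22( |$)/ { found = 1 }
     END { exit !found }'
}

# Constructed sample of `iptables -L INPUT -v -n` after a knock from 203.0.113.5
# (a documentation address); used only for offline testing of the check above.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   300 ACCEPT     tcp  --  *      *       203.0.113.5          0.0.0.0/0            tcp dpt:22
   40  2400 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

# Typical run (on the client), then the server side check after logging in:
#   knock_sequence "$SERVER" 2022 3022 4022 && wait_for_port "$SERVER" 22 5
#   sudo iptables -L INPUT -v -n | ssh_rule_for_ip 203.0.113.5
```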

Please note that port knocking is nothing more than security through obscurity. I suggest that you:

  1. Secure OpenSSH properly using our “OpenSSH Server Best Security Practices” guide.
  2. Use a better solution such as fwknop, which implements an authorization scheme called Single Packet Authorization (SPA).

See also: the man pages for knockd, knock, and iptables.

Posted by: SXI ADMIN

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.
