Then I added a tripwire feature to make it less likely that a random port traversal would be successful. Here's a snippet of my nftables.conf:
# Port-knock sequence: KNOCK_PORT1 -> KNOCK_PORT2 -> KNOCK_PORT3, with two
# tripwire ports that sit between the knock ports numerically, so a scanner
# sweeping ports in order hits a tripwire before it can complete the sequence.
define KNOCK_PORT1 = 20000
define KNOCK_PORT2 = 30000
define KNOCK_PORT3 = 10000
define TRIPWIRE_PORT1 = 15000
define TRIPWIRE_PORT2 = 25000

table inet filter {
    . .

    # Sources permitted to reach ssh. $HOME_IP and $OTHER_SERVER_IP are
    # presumably defined in the elided part of the file; as static elements
    # they never expire.
    # NOTE(review): the set carries "flags timeout" but no set-wide timeout,
    # and the knock3 rule below adds the knocking address without one, so a
    # completed knock appears to grant access until the entry is flushed or
    # the ruleset is reloaded. A per-element expiry on that add (the newer
    # `add @allowed_ssh { ip saddr timeout <INTERVAL> }` form) would bound the
    # grant -- confirm against the nft version in use, since the rules here
    # use the older `set add` statement.
    set allowed_ssh {
        type ipv4_addr
        flags timeout
        elements = { $HOME_IP, $OTHER_SERVER_IP }
    }

    # track port knocking
    # Each stage must be followed by the next within 5s; the stage entry then
    # ages out on its own, so a half-finished sequence resets itself.
    set knock1 {
        type ipv4_addr
        timeout 5s
    }
    set knock2 {
        type ipv4_addr
        timeout 5s
    }
    # Sources that touched a tripwire; kept off the knock ports for 1m.
    set banned {
        type ipv4_addr
        timeout 1m
    }

    # handle port knocking
    # Every rule in this chain ends in drop, so a matching knock or tripwire
    # packet is logged and discarded without the port ever answering. Only
    # "ip saddr" is matched and the sets are ipv4_addr, so in this inet table
    # IPv6 sources cannot knock via these rules and are never added to
    # allowed_ssh.
    chain raw {
        type filter hook prerouting priority raw; policy accept;

        # A banned source makes no progress through the sequence until its
        # entry times out. Only the three knock ports are blocked here;
        # anything else the source sends is left to the other chains.
        ip saddr @banned tcp dport { $KNOCK_PORT1, $KNOCK_PORT2, $KNOCK_PORT3} log prefix "nft banned: " drop

        # Stage 1 is open to any source: a packet to KNOCK_PORT1 enters the
        # sender into knock1 and is logged, which also makes this the rule an
        # unsolicited scanner trips most often.
        # NOTE(review): none of the log rules is rate limited, so a packet
        # flood at this port is logged packet for packet; a "limit rate"
        # match ahead of the log would cap that.
        tcp dport $KNOCK_PORT1 set add ip saddr @knock1 log prefix "nft knock1: " drop

        # Tripwire 1: a knock1 member touching TRIPWIRE_PORT1 is banned.
        # Tripwire ports only matter to a source already in a knock stage;
        # a stranger probing them does not match these rules.
        ip saddr @knock1 tcp dport $TRIPWIRE_PORT1 set add ip saddr @banned log prefix "nft tripwire1: " drop

        # Stage 2: only a knock1 member advances to knock2.
        ip saddr @knock1 tcp dport $KNOCK_PORT2 set add ip saddr @knock2 log prefix "nft knock2: " drop

        # Tripwire 2: a knock2 member touching TRIPWIRE_PORT2 is banned.
        ip saddr @knock2 tcp dport $TRIPWIRE_PORT2 set add ip saddr @banned log prefix "nft tripwire2: " drop

        # Stage 3: a knock2 member completing the sequence is added to
        # allowed_ssh. The knock packet itself is still dropped; the ssh
        # connection is a separate, later attempt from the now-listed source.
        ip saddr @knock2 tcp dport $KNOCK_PORT3 set add ip saddr @allowed_ssh log prefix "nft knock3: " drop
    }
}