Installing knockd for ClearOS

Installing knockd for ClearOS is anything but trivial if you are not familiar with the platform. I use Ubuntu and was having a hard time getting knockd to work on ClearOS. These are my adventures (actually fairly simple, as it turns out)…

To install knockd on ClearOS, we first need to install gcc, rpm-build, and libpcap-devel:

#yum install gcc rpm-build libpcap-devel

We then need to fetch the source RPM package for knockd:

#wget http://www.invoca.ch/pub/packages/knock/RPMS/ils-5/SRPMS/knock-0.5-7.el5.src.rpm

Now build the source RPM package:

#rpmbuild --rebuild knock-0.5-7.el5.src.rpm

Finally, install the newly created RPM package, which should be located at ‘/usr/src/redhat/RPMS/i386/’:

#cd /usr/src/redhat/RPMS/i386/
#rpm -ivh knock-server-0.5-7.i386.rpm

We should now have knockd:

#knockd --help
usage: knockd [options]
options:
-i, --interface <int>  network interface to listen on (default "eth0")
-d, --daemon           run as a daemon
-c, --config <file>    use an alternate config file
-D, --debug            output debug messages
-l, --lookup           lookup DNS names (may be a security risk)
-v, --verbose          be verbose
-V, --version          display version
-h, --help             this help

We now need to set up our ‘knockd.conf’ file:

#vi /etc/knockd.conf

Mine looks like this after playing around with iptables and customizing it to my need:

[options]
logfile = /var/log/knockd.log
interface = eth0

[opencloseVNC]
# four knocks alternating between 8181 and 5901, all within seq_timeout seconds
sequence      = 8181:tcp,5901:tcp,8181:tcp,5901:tcp
seq_timeout   = 15
# allow the knocking host (%IP%) through FORWARD, then DNAT/SNAT 5901 to the internal VNC box
start_command = /sbin/iptables -A FORWARD -o eth1 -p tcp --dport 5901 -j ACCEPT -d 192.168.2.24 -s %IP% && /sbin/iptables -t nat -A PREROUTING -p tcp --dport 5901 -j DNAT --to-destination 192.168.2.24:5901 && /sbin/iptables -t nat -A POSTROUTING -p tcp --dport 5901 -j SNAT --to-source 192.168.2.1 -d 192.168.2.24 -s 192.168.2.0/24
# remove the same rules again cmd_timeout seconds after start_command ran
cmd_timeout   = 10
stop_command  = /sbin/iptables -D FORWARD -o eth1 -p tcp --dport 5901 -j ACCEPT -d 192.168.2.24 -s %IP% && /sbin/iptables -t nat -D PREROUTING -p tcp --dport 5901 -j DNAT --to-destination 192.168.2.24:5901 && /sbin/iptables -t nat -D POSTROUTING -p tcp --dport 5901 -j SNAT --to-source 192.168.2.1 -d 192.168.2.24 -s 192.168.2.0/24

You’ll of course need to customize it to your needs. That, however, is outside the scope of this article. The knock project page has the configuration reference: http://www.zeroflux.org/projects/knock

At this point, you should run ‘knockd’ and test that your configuration works as intended.
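To test the configuration from the client side, the following added example (written for this page, not part of the knock project or the original article) reads the ‘sequence’ line out of a knockd.conf section, sends the knocks, and then checks whether the protected port answers before and after. The inline config fragment is constructed to mirror the one above; the gateway address is taken from the command line because the page does not give the external address of the ClearOS box. It assumes knockd’s documented sequence syntax (‘port’ or ‘port:tcp’/‘port:udp’, comma separated) and relies on the fact that knockd only needs to see the SYN, so the knock ports can be closed.

```python
import configparser
import socket
import sys
import time

# Constructed knockd.conf fragment in the shape of the one shown above.
# Only the sequence and timeouts are needed here; the iptables commands are
# left out because this script never runs them.
SAMPLE_CONF = """
[options]
logfile = /var/log/knockd.log
interface = eth0

[opencloseVNC]
sequence      = 8181:tcp,5901:tcp,8181:tcp,5901:tcp
seq_timeout   = 15
cmd_timeout   = 10
"""


def _load(conf_text):
    # interpolation=None: real configs contain %IP% in start_command/stop_command,
    # which the default '%' interpolation would otherwise reject.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def parse_sequence(conf_text, section):
    """Return [(port, proto), ...] for the named knockd section.

    knockd accepts "port" (tcp implied) or "port:tcp" / "port:udp" entries
    separated by commas.  Anything else is rejected rather than guessed at.
    """
    raw = _load(conf_text).get(section, "sequence")
    seq = []
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        port_s, _, proto = item.partition(":")
        proto = (proto or "tcp").lower()
        if proto not in ("tcp", "udp"):
            raise ValueError("unsupported protocol in sequence entry: %r" % item)
        port = int(port_s)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range in sequence entry: %r" % item)
        seq.append((port, proto))
    if not seq:
        raise ValueError("empty sequence in section %r" % section)
    return seq


def seq_timeout(conf_text, section):
    """seq_timeout in seconds: the whole sequence must arrive within this window."""
    return _load(conf_text).getint(section, "seq_timeout")


def knock(host, sequence, gap=0.2, timeout=0.5):
    """Send the knock sequence to host.

    For tcp entries a connect() attempt is enough: knockd captures the SYN with
    libpcap, so a refused or timed-out connection is the normal outcome.  For
    udp entries one empty datagram is sent to the port.
    """
    for port, proto in sequence:
        if proto == "tcp":
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                pass  # expected: the knock ports are not meant to be open
            finally:
                s.close()
        else:
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.sendto(b"", (host, port))
            s.close()
        time.sleep(gap)  # keep the knocks in order and well inside seq_timeout


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port can be established within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s <gateway-address>" % sys.argv[0])
    gateway = sys.argv[1]
    seq = parse_sequence(SAMPLE_CONF, "opencloseVNC")
    print("5901 reachable before knock:", port_open(gateway, 5901))
    knock(gateway, seq)
    time.sleep(1)  # give knockd a moment to run start_command
    print("5901 reachable after knock: ", port_open(gateway, 5901))
    print("it should close again after cmd_timeout =",
          _load(SAMPLE_CONF).getint("opencloseVNC", "cmd_timeout"), "seconds")
```

Run it from the same host you will later use VNC from, since the FORWARD rule in the config above is keyed to %IP%, the address the knock came from; a knock sent from elsewhere opens the port for that other address, not yours. Watching ‘/var/log/knockd.log’ while the script runs shows each stage of the sequence being matched and the commands being executed, which is the quickest way to tell a wrong sequence apart from a wrong iptables rule.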

If you would like to add knockd to the list on the services page within ClearOS, you will need to add an entry to the ‘Daemon.inc.php’ file:

#vi /var/webconfig/api/Daemon.inc.php

Add the following line into the array at the bottom:

"knockd"        => array("knock-server-0.5-7",    "knockd",        "yes",  "knockd",                 "no",  null),

That’s it! You’re done! Congratulations! You have successfully installed knockd for ClearOS!
